The CAS client doesn't need it in the url in order to work. Is there a reason you put it in the URL?
On Mon, Jan 11, 2010 at 9:29 PM, Gokula Krishnan P < [email protected]> wrote: > Hi, > Please can some one validate my approach and comment on pros/cons? > > > > Thanks & Regards, > Gokula > > Sent from BlackBerry, please ignore typo. > > ------------------------------ > *From*: Gokula Krishnan P > *To*: [email protected] > *Cc*: [email protected] ; [email protected] ; > [email protected] ; [email protected] > *Sent*: Mon Jan 11 10:15:06 2010 > *Subject*: Handling CAS logoutofservices > > Hi Team, > > > > CAS Single Logout does a Http URL Connection to all the registered services > and does a logout request (SAML Post). The individual applications > invalidates the sessions identifying the logout request. > > In order to identify the session of the user from the logout request (SAML > Post) we do a re-writing of jsessionid as part of service URL when the user > gets redirected to CAS login page. The service URL now contains jsessionid > and which is stored in CAS map. The CAS Login URL looks like > https://domain.com/cas/login?service=https://domain.com/secureapp/j_acegi_cas_security_check;jsessionid=3D22FCE59C96D860823828FAA2EA6FD84Bplease > note that the service URL contains jsessionid which will be used to > identify and invalidate the session in the individual application. > > > > This works as expect but I request you to validate the approach of > passing/re-writing jsessionid as part of service URL. If this approach has > security vulnerability, please explain and suggest the best approach for > Single Logout. > > > > Thanks in advance. > > > > > > Thanks & Regards, > > Gokula > > > > -- > > You are currently subscribed to [email protected] as: > [email protected] > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
