> From: Richard Frovarp
> Sent: Monday, March 17, 2014 5:36 PM
>
> Imagine this scenario. You are logged into Blackboard, you click logout. You
> get up, another person sits down at that same machine with the same
> browser session.

I'm not familiar with the specifics of the blackboard "logout" page, but almost 
every single web app I've ever used, when you click on the logout button, takes 
you to a page saying you are logged out and that you should close your web 
browser for security purposes, or to clear your session, or for whatever.

If the blackboard page says something like that, and the user did not close the 
web browser, then I guess they got what they deserved. If the blackboard page 
does not say something like that, then it should, as regardless of the state of 
CAS there is potentially sensitive data in the cache or cookie store that might 
be accessible before the browser is closed.

> There is SINGLE sign on (SSO) and SAME sign on. The second is same sign on.

Wikipedia disagrees with you:

http://en.wikipedia.org/wiki/Single_sign-on

"Single sign-on (SSO) is a property of access control of multiple related, but 
independent software systems. With this property a user logs in once and gains 
access to all systems without being prompted to log in again at each of them."

As does The Open Group, although their relevance nowadays might be questionable:

http://www.opengroup.org/security/sso/

"Single sign-on (SSO) is [a] mechanism whereby a single action of user 
authentication and authorization can permit a user to access all computers and 
systems where he has access permission, without the need to enter multiple 
passwords."

I'd never heard of "Same Sign-On" before; from the few Google hits that result 
from searching for it, it appears to be some terminology Microsoft made up. They 
seem to like co-opting acronyms, I remember when we were running DCE/DFS and 
they introduced their "Dfs" product...

> The idea is to implement the system to fit the needs of your institution.
> Single sign off is certainly not one of them for us, and I suspect that many
> other schools would find the same, especially if session timeouts are going
> to trigger them.

We have single sign off disabled as well; that's actually the recommendation in the 
default CAS config.

I agree in any case that this is a bit of a complicated subject, and the 
intersection of the technology with the usual caveats of training users is 
going to be a bit of a mess <sigh>.


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

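The point about data lingering in the cache or cookie store after "logout" is worth seeing in code. The block below is an added example, not Blackboard's, CAS's, or the poster's code: a minimal WSGI application whose logout handler invalidates the server-side session, expires the session cookie, and sends no-store cache headers on both the protected page and the logout page, so that neither a replayed stale cookie nor the browser's Back button shows the previous user's data. The session store `SESSIONS`, the cookie name `APPSESSION`, the `/grades` path and the sample session are all constructed for the example.

```python
"""Logout hygiene on a CAS-protected app (added example; names are hypothetical)."""
from http import cookies

# Hypothetical in-process session store standing in for the app's real one:
# session id -> username.  Invalidating here is what makes a replayed cookie useless.
SESSIONS = {}

# Sent with every protected response and with the logout page, so the browser
# will not serve either from its cache after the user walks away.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# Expires the (hypothetical) APPSESSION cookie in the browser's cookie store.
CLEAR_COOKIE = ("Set-Cookie", "APPSESSION=; Max-Age=0; Path=/; HttpOnly; Secure")


def _session_id(environ):
    """Extract the APPSESSION cookie value from the request, if present."""
    jar = cookies.SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get("APPSESSION")
    return morsel.value if morsel else None


def app(environ, start_response):
    """WSGI callable: a protected /grades page and a /logout handler."""
    path = environ.get("PATH_INFO", "/")
    sid = _session_id(environ)
    text = [("Content-Type", "text/plain; charset=utf-8")]

    if path == "/logout":
        # Server-side invalidation first: even if the Set-Cookie is ignored
        # (or the cookie was copied), the id no longer maps to a user.
        SESSIONS.pop(sid, None)
        start_response("200 OK", text + NO_STORE_HEADERS + [CLEAR_COOKIE])
        return [b"You are logged out. Close your browser before leaving this machine.\n"]

    if path == "/grades":
        user = SESSIONS.get(sid)
        if user is None:
            start_response("401 Unauthorized", text + NO_STORE_HEADERS)
            return [b"login required\n"]
        start_response("200 OK", text + NO_STORE_HEADERS)
        return [f"grades for {user}\n".encode()]

    start_response("404 Not Found", text)
    return [b"not found\n"]


def call(path, cookie=None):
    """Drive the WSGI app in-process (no network); returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo():
    """Constructed walk-through: logged in, logout, then the next person replays the cookie."""
    SESSIONS["abc123"] = "alice"                      # constructed sample session
    before, _, _ = call("/grades", "APPSESSION=abc123")
    logout_status, logout_headers, _ = call("/logout", "APPSESSION=abc123")
    replay, _, _ = call("/grades", "APPSESSION=abc123")  # stale cookie, same browser
    return before, logout_status, replay, logout_headers


if __name__ == "__main__":
    b, l, r, h = demo()
    print(b, l, r, h["Cache-Control"], h["Set-Cookie"])
```

The server-side `SESSIONS.pop` is the step that actually ends the session; the `Set-Cookie` and `Cache-Control` headers only reduce what the next person at the keyboard can see in the browser, which is why the logout page still tells the user to close the browser. None of this touches the CAS ticket-granting cookie, so with single sign off disabled the next visit to a CAS-protected app on the same browser will still log in silently.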