I think the way to handle this is for your application to kill all cookies for your site, which would include the mod_auth_cas session. It goes something like this:
1) User clicks on logout button/link.
2) Script/program in your app clears out all cookies for the app domain (app session, mod_auth_cas session).
3) As part of the same HTTP response, the script issues a redirect to the cas server's /logout resource.

There are some common techniques for ending the sessions depending on what you want to achieve. I built most of these into txcasproxy [1], which is a stand-alone CAS authenticating proxy.

Thanks,
Carl Waldbieser

[1] http://txcasproxy.readthedocs.org/en/latest/options.html#ending-the-session

----- Original Message -----
From: "Chris Cheltenham" <cchelten...@swaintechs.com>
To: "cas-user" <cas-user@lists.jasig.org>
Sent: Wednesday, October 7, 2015 8:39:53 AM
Subject: RE: [cas-user] cas 3.5.2 catalina logs

All,

I understand Andy's answer and have been able to prove it.
However, the /cas/logout then essentially does nothing unless you close your browser.
For me, I would have to have the SLO kill the apache session which in ver 3.5.2 is NOT recommended.

My question is:
Is this an issue for others?
Is this process changed in 4.x?

I will begin to read about updating mod_auth_cas and CAS today.

Thanks

-----Original Message-----
From: Andrew Morgan [mailto:mor...@orst.edu]
Sent: Monday, October 05, 2015 2:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] cas 3.5.2 catalina logs

On Sat, 3 Oct 2015, Chris Cheltenham wrote:

> Andy,
>
> Actually I have figured out the certificate issue.
>
> Thanks
>
> I have noticed each CAS session creates two tickets.
> One is on tomcat on the CAS server that one gets destroyed.
> There is another on /tmp/cas apache server which is a different box with
> mod_auth_cas.
>
> That apache session file / ticket does not go away unless you manually delete
> it.
>
> However, reading the docs it appears the ticket service is working as
> advertised.
>
> Our client is asking for a way to delete the ticket in /tmp/cas as well.
> That is my issue ultimately.
>
> I thought it was because of the certificate error it could not redirect the
> logout back to the web server.
> However, fixing my cert error did not completely fix my problem.
>
> There must be another function to delete that session in /tmp/cas but
> I cannot figure out what it is in the docs. Maybe it is SLO,

Correct. The CAS client maintains its own session after the initial authentication.

According to the mod_auth_cas README:

* CAS single sign out is currently not functional and disabled. It is only safe to use in the case where all requests are GET and not POST (the module inadvertently 'eats' some content of the POST request while determining if it should process it as a SAML logout request).

The docs for the SLO option:

Directive:   CASSSOEnabled
Default:     Off
Description: If enabled, this activates support for Single Sign Out within the CAS protocol. Please note that this feature is currently experimental and may mangle POST data.

So, you might be able to use SLO with mod_auth_cas if your application does not use POST requests. Otherwise, perhaps a different CAS client could be used, such as the PHP or Java client.

Andy

--
You are currently subscribed to cas-user@lists.jasig.org as: cchelten...@swaintechs.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
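
Steps 1) to 3) from Carl Waldbieser's reply at the top of this thread, sketched as a Python WSGI handler. This is an added example, not code from the thread, txcasproxy or mod_auth_cas. The CAS URL and the cookie Path are assumptions; MOD_AUTH_CAS and MOD_AUTH_CAS_S are mod_auth_cas's default CASCookie and CASSecureCookie names.

```python
import re

# Assumptions, not taken from the thread: adjust to the real deployment.
CAS_LOGOUT_URL = "https://cas.example.org/cas/logout"
COOKIE_PATH = "/"  # must match the Path the cookies were originally set with

# mod_auth_cas default cookie names (CASCookie / CASSecureCookie). They are
# always expired, because a path-scoped cookie may not be sent to the logout URL.
ALWAYS_EXPIRE = ("MOD_AUTH_CAS", "MOD_AUTH_CAS_S")

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
# RFC 6265 cookie-name is an HTTP token; anything else is never echoed back.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def expired_cookie_headers(cookie_header, path=COOKIE_PATH):
    """Step 2: build Set-Cookie headers that expire every cookie for the app."""
    names = list(ALWAYS_EXPIRE)
    for part in (cookie_header or "").split(";"):
        name = part.split("=", 1)[0].strip()
        if TOKEN.fullmatch(name) and name not in names:
            names.append(name)
    return [
        ("Set-Cookie",
         f"{name}=; Path={path}; Expires={EPOCH}; Max-Age=0; Secure; HttpOnly")
        for name in names
    ]


def logout_app(environ, start_response):
    """Steps 1 and 3: handle the logout link and redirect to CAS /logout."""
    headers = expired_cookie_headers(environ.get("HTTP_COOKIE"))
    headers += [
        ("Location", CAS_LOGOUT_URL),   # same response as the cookie expiry
        ("Cache-Control", "no-store"),  # do not let the redirect be cached
        ("Content-Length", "0"),
    ]
    start_response("302 Found", headers)
    return [b""]
```

Expiring the cookies only removes them from the browser; the session file under /tmp/cas that the thread discusses is not touched by this handler.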