Hi William:

Thanks for your reply. Hope this explains my issue further.

> If the browser is successfully redirected to this URL it will end the
> CAS SSO session

That is where I am stumped! I am redirecting it. Yes, the second user is being challenged. However, after the challenge, the second user's credentials are what the first user had. It is almost like it is still the first user. Does CAS identify a user in terms of the machine the user is operating from as well? In other words, two people cannot share the same PC.

I thought redirecting to cas logout really ends all traces of the first user in the cas workflow. I read some docs and I see conflicting answers. Some documents seem to indicate that it is something the CAS server decides. I may invalidate my session or redirect to a cas logout. The CAS, however, waits for an expiration time to "really" invalidate the user. Is that true?

Thanks
Ram
>>> "William G. Thompson, Jr." <wgt...@gmail.com> 1/21/2009 7:24 PM >>>

On Wed, Jan 21, 2009 at 3:56 PM, Ramakrishnan Iyer <ri...@kumc.edu> wrote:
> Hello:

Hi Ram,

> I read that it is possible to log out of CAS programmatically by having the
> following line in my logout method
>
> response.sendRedirect("https://<xxxx.edu>/cas/logout");

If the browser is successfully redirected to this URL it will end the CAS SSO session, presuming there is already one established for that browser session.

> However, this is not secure, I am told, and I am advised to close the
> browser.

The CAS SSO session is mediated by a browser session cookie set by the CAS server. The surest way to end the SSO session is by closing the browser and destroying the cookie.

> However, I find that, despite closing the browser, a different user could
> still open a new browser on my PC, and sign in, but the person has all the
> privileges/access I had. It is almost as if the CAS server has me recorded
> as logged in and I may have to wait for the cookie-tickets to expire.

I'm not sure I follow this. Is the second user being challenged for credentials?

> I am assuming the CAS Server web.xml controls the application timeout. I, as
> an application, cannot programmatically set the maxAge of cookies. CAS
> Server is in charge of cookie-tickets and the application server (that is my
> server) never touches this information. Is this the way this works or am I
> doing something wrong? Can I change the maxAge of all cookies to zero before
> calling logout. I tried but it is not working. (and I did not expect it to
> because of the independence of the app server from the CAS server)

CAS SSO Session and Application Session are independent. Once you have established a session with your application CAS is out of the picture. How is your application maintaining session state?

> Any pointers? Maybe, this is the way it is supposed to work and the
> applications are not supposed to log out?
You have to think of the CAS SSO Session and the Application Sessions as distinct things. It is fine for an Application to log out a user from its specific session. If the user still has an SSO Session they could log in again without a credential challenge. It is also fine for an Application to explicitly end a CAS SSO session by redirecting a user to CAS/logout. It really depends on the behavior you're trying to achieve. In a general CAS SSO setup, you probably would never redirect the user to CAS/logout.

Bill

> Thanks
> Ram Iyer
> _______________________________________________
> Yale CAS mailing list
> cas@tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
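As an added example (not code from this thread or from the CAS project), a servlet logout method that applies the distinction Bill describes: invalidating the application's own HttpSession ends only the local session, while a redirect to /cas/logout is what ends the SSO session. The CAS host name, the `casLogoutUrl` init-param and the `sso` request parameter are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet for a CAS-protected web application.
 *
 * Two independent sessions exist: the application's HttpSession (held by
 * this server) and the CAS SSO session (a cookie set by the CAS server).
 * Invalidating the HttpSession ends only the first; as long as the SSO
 * cookie is valid, the browser can obtain a fresh service ticket from CAS
 * without a password prompt, so on a shared PC the next person would be
 * logged in as the previous user. Ending the SSO session requires sending
 * the browser to /cas/logout on the CAS server.
 */
public class LogoutServlet extends HttpServlet {

    // Placeholder host, not a real CAS server.
    private static final String DEFAULT_CAS_LOGOUT = "https://cas.example.edu/cas/logout";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Local logout: drop the application session.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Expire the container's session cookie so a stale JSESSIONID is not replayed.
        Cookie stale = new Cookie("JSESSIONID", "");
        stale.setMaxAge(0);
        stale.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        resp.addCookie(stale);

        // 2. SSO logout (assumed "?sso=true" parameter): only a redirect to the
        //    CAS server can end the SSO session; nothing this server does locally can.
        if ("true".equals(req.getParameter("sso"))) {
            String casLogout = getServletConfig().getInitParameter("casLogoutUrl");
            resp.sendRedirect(casLogout != null ? casLogout : DEFAULT_CAS_LOGOUT);
        } else {
            resp.sendRedirect(req.getContextPath() + "/loggedout.html");
        }
    }
}
```

For a shared-workstation deployment, the SSO branch is the one to use, since the local branch alone leaves the CAS cookie in place for the next person at that browser.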