Hi William:
 
Thanks for your reply.
 
Hope this explains my issue further.
 
>If the browser is successfully redirected to this URL it will end the
>CAS SSO session
 
That is where I am stumped! I am redirecting it. Yes, the second user
is being challenged. However, after the challenge, the second user's
credentials are what the first user had. It is almost like it is still
the first user. Does CAS identify a user in terms of the machine the user is
operating from as well? In other words, two people cannot share the same
PC. I thought redirecting to CAS logout really ends all traces of the
first user in the CAS workflow. I read some docs and I see conflicting
answers.
 
Some documents seem to indicate that it is something the CAS server
decides. I may invalidate my session or redirect to a CAS logout. The
CAS server, however, waits for an expiration time to "really" invalidate the
user. Is that true?
 
Thanks
Ram

>>> "William G. Thompson, Jr." <wgt...@gmail.com> 1/21/2009 7:24 PM >>>
On Wed, Jan 21, 2009 at 3:56 PM, Ramakrishnan Iyer <ri...@kumc.edu> wrote:
> Hello:

Hi Ram,

>
> I read that it is possible to log out of CAS programmatically by having
> the following line in my logout method
>
> response.sendRedirect("https://<xxxx.edu>/cas/logout");

If the browser is successfully redirected to this URL it will end the
CAS SSO session, presuming there is already one established for that
browser session.

>
> However, this is not secure, I am told, and I am advised to close the
> browser.

The CAS SSO session is mediated by a browser session cookie set by the
CAS server.  The surest way to end the SSO session is by closing the
browser and destroying the cookie.

>
> However, I find that, despite closing the browser, a different user could
> still open a new browser on my PC, and sign in, but the person has all the
> privileges/access I had. It is almost as if the CAS server has me recorded
> as logged in and I may have to wait for the cookie-tickets to expire.

I'm not sure I follow this.  Is the second user being challenged for
credentials?

> I am assuming the CAS Server web.xml controls the application timeout. I, as
> an application, cannot programmatically set the maxAge of cookies. CAS
> Server is in charge of cookie-tickets and the application server (that is my
> server) never touches this information. Is this the way this works or am I
> doing something wrong? Can I change the maxAge of all cookies to zero before
> calling logout? I tried but it is not working. (And I did not expect it to,
> because of the independence of the app server from the CAS server.)

The CAS SSO Session and the Application Session are independent.  Once you
have established a session with your application, CAS is out of the
picture.  How is your application maintaining session state?

>
> Any pointers? Maybe, this is the way it is supposed to work and the
> applications are not supposed to log out?

You have to think of the CAS SSO Session and the Application Sessions
as distinct things.  It is fine for an Application to log out a user
from its specific session.  If the user still has an SSO Session they
could log in again without a credential challenge.

It is also fine for an Application to explicitly end a CAS SSO by
redirecting a user to CAS/logout.  It really depends on the behavior
you're trying to achieve.  In a general CAS SSO setup, you probably
would never redirect the user to CAS/logout.

Bill

>
> Thanks
> Ram Iyer
> _______________________________________________
> Yale CAS mailing list
> cas@tp.its.yale.edu 
> http://tp.its.yale.edu/mailman/listinfo/cas 
>
>
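Bill's distinction above between the application session and the CAS SSO session, worked through as an added example. This is not code from the thread or from the CAS project; it is a plain servlet that shows the two logouts as separate steps. The CAS server URL, the JSESSIONID cookie name, the `sso` request parameter and the post-logout page are assumptions for illustration.

```java
// Added example, not from the thread or from the CAS project.
// An application logout handler that (1) ends the application's own session,
// which is the only session the application controls, and (2) optionally ends
// the CAS SSO session by redirecting the browser to the CAS server's /logout.
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    // Assumed CAS server logout endpoint; replace with your deployment's URL.
    private static final String CAS_LOGOUT_URL = "https://cas.example.edu/cas/logout";
    // Assumed name of the application container's session cookie.
    private static final String APP_SESSION_COOKIE = "JSESSIONID";
    // Assumed page shown after an application-only logout.
    private static final String LOGGED_OUT_PAGE = "/loggedout.html";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 1: end the application session. The CAS server never sees this
        // session; it was created by the application after ticket validation.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: expire the application's own session cookie so the browser
        // stops presenting it. This cannot reach the CAS server's cookie: that
        // cookie is scoped to the CAS server's host, not to this application,
        // which is why setting maxAge on cookies here has no effect on SSO.
        Cookie expired = new Cookie(APP_SESSION_COOKIE, "");
        String path = request.getContextPath();
        expired.setPath(path.isEmpty() ? "/" : path);
        expired.setMaxAge(0);          // maxAge 0 tells the browser to delete it
        expired.setSecure(true);
        expired.setHttpOnly(true);     // Servlet 3.0+
        response.addCookie(expired);

        // Step 3: decide whether to end the SSO session as well. After an
        // application-only logout the CAS SSO session still exists, so a visit
        // to any CAS-protected URL logs the same user in again with no
        // credential prompt. Redirecting to CAS /logout ends the SSO session
        // for this browser on the CAS server side.
        boolean endSso = "true".equals(request.getParameter("sso"));
        if (endSso) {
            response.sendRedirect(CAS_LOGOUT_URL);
        } else {
            response.sendRedirect(path + LOGGED_OUT_PAGE);
        }
    }
}
```

Two things follow from keeping the steps separate. First, the redirect in step 3 only helps if the browser actually follows it: if the application short-circuits the response or the user closes the tab before the redirect completes, the SSO session survives. Second, step 1 is what protects a shared PC on the application side: if the next user's request still maps to the first user's application session, they inherit that user's identity regardless of what CAS did, so check that the application really re-derives the user from a fresh CAS ticket rather than from a session that was never invalidated.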