On Thu, Jan 22, 2009 at 12:05 PM, Ramakrishnan Iyer <ri...@kumc.edu> wrote:
>
> Hi William:
>
> Thanks for your reply.
>
> Hope this explains my issue further.
>
>> If the browser is successfully redirected to this URL it will end the
>> CAS SSO session
>
> That is where I am stumped! I am redirecting it. Yes, the second user is
> being challenged. However, after the challenge, the second user's
> credentials are what the first user had. It is almost like it is still the
> first user. Does CAS identify a user in terms of the machine the user is
> operating from as well? In other words, two people cannot share the same PC.
> I thought redirecting to cas logout really ends all traces of the first user
> in the cas workflow. I read some docs and I see conflicting answers.
>
> Some documents seem to indicate that it is something the CAS server decides.
> I may invalidate my session or redirect to a cas logout. The CAS, however,
> waits for an expiration time to "really" invalidate the user. Is that true?
Are you simply trying to log the user out of the Application? If so, you
need to invalidate the Application Session at the Application layer. This
is independent of CAS. If you also want to end the CAS SSO Session, then
you redirect to CAS/logout after the Application Session is invalidated.
Clear?

In a general Enterprise SSO deployment, you would not redirect to
CAS/logout, since this would defeat the purpose of SSO.

From your example, it sounds like you may still have the first user's
Application Session active...which would be true if you only did a
CAS/logout.

Bill

--
William G. Thompson, Jr.
Senior Technologist - Development Information Systems
Office of Development, Princeton University
voice: 609.258.2655 | wthom...@princeton.edu

>
> Thanks
> Ram
>
>>>> "William G. Thompson, Jr." <wgt...@gmail.com> 1/21/2009 7:24 PM >>>
> On Wed, Jan 21, 2009 at 3:56 PM, Ramakrishnan Iyer <ri...@kumc.edu> wrote:
>> Hello:
>
> Hi Ram,
>
>>
>> I read that it is possible to log out of CAS programmatically by having
>> the following line in my logout method
>>
>> response.sendRedirect("https://<xxxx.edu>/cas/logout");
>
> If the browser is successfully redirected to this URL it will end the
> CAS SSO session, presuming there is already one established for that
> browser session.
>
>>
>> However, this is not secure, I am told, and I am advised to close the
>> browser.
>
> The CAS SSO session is mediated by a browser session cookie set by the
> CAS server. The surest way to end the SSO session is by closing the
> browser and destroying the cookie.
>
>>
>> However, I find that, despite closing the browser, a different user could
>> still open a new browser on my PC, and sign in, but the person has all the
>> privileges/access I had. It is almost as if the CAS server has me recorded
>> as logged in and I may have to wait for the cookie-tickets to expire.
>
> I'm not sure I follow this. Is the second user being challenged for
> credentials?
>
>> I am assuming the CAS Server web.xml controls the application timeout. I,
>> as an application, cannot programmatically set the maxAge of cookies. CAS
>> Server is in charge of cookie-tickets and the application server (that is
>> my server) never touches this information. Is this the way this works or
>> am I doing something wrong? Can I change the maxAge of all cookies to zero
>> before calling logout? I tried but it is not working. (and I did not expect
>> it to because of the independence of the app server from the CAS server)
>
> CAS SSO Session and Application Session are independent. Once you
> have established a session with your application CAS is out of the
> picture. How is your application maintaining session state?
>
>>
>> Any pointers? Maybe, this is the way it is supposed to work and the
>> applications are not supposed to log out?
>
> You have to think of the CAS SSO Session and the Application Sessions
> as distinct things. It is fine for an Application to log out a user
> from its specific session. If the user still has an SSO Session they
> could login again without a credential challenge.
>
> It is also fine for an Application to explicitly end a CAS SSO by
> redirecting a user to CAS/logout. It really depends on the behavior
> you're trying to achieve. In a general CAS SSO setup, you probably
> would never redirect the user to CAS/logout.
>
> Bill
>
>>
>> Thanks
>> Ram Iyer
>> _______________________________________________
>> Yale CAS mailing list
>> cas@tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
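As an added illustration of the two-step logout Bill describes (not code from the thread or from the CAS project): a servlet logout endpoint that first invalidates the Application Session and only then, if the deployment wants a full sign-out, redirects to CAS/logout. The CAS URL, the `END_SSO_SESSION` switch and the landing page are assumptions to replace with your own values.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LogoutServlet extends HttpServlet {
    // Placeholder (assumed): the logout URL of your CAS server.
    private static final String CAS_LOGOUT_URL = "https://cas.example.edu/cas/logout";
    // Deployment decision (assumed constant): true on shared PCs / kiosks where
    // the whole SSO session must die; false in a normal enterprise SSO setup.
    private static final boolean END_SSO_SESSION = true;
    // Local page shown after an application-only logout (assumed).
    private static final String LOCAL_LANDING = "/loggedout.html";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: end the Application Session. This is the only session the
        // application controls; CAS is "out of the picture" once it exists.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Expire the application's own session cookie so the browser stops
        // presenting it. The CAS cookie cannot be cleared from here: it is
        // scoped to the CAS server's host, not to this application.
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        resp.addCookie(dead);

        // Step 2 (optional): end the CAS SSO Session as well. Without this,
        // the next person at the same browser is sent to CAS, which still
        // holds the first user's SSO session and hands back a ticket for the
        // first user without any credential challenge.
        if (END_SSO_SESSION) {
            resp.sendRedirect(CAS_LOGOUT_URL);
        } else {
            resp.sendRedirect(req.getContextPath() + LOCAL_LANDING);
        }
    }
}
```

Doing only Step 2 leaves the first user's Application Session alive, which is the symptom Bill points at in his last reply.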