You should check the return value of the user for the ticket, and determine
if CAS is sending the correct value via the ticket validation.  If the
correct value is being sent via ticket, then you're still using your old
session.

If you don't do that then we can't help you.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


On Fri, Jan 23, 2009 at 9:16 AM, Ramakrishnan Iyer <ri...@kumc.edu> wrote:

>  Hi Ted:
>
> Yes, I am using Yale CAS client. I am logging in to a webapp but not going to
> another webapp. I just logout and the second user, who is signing on to the
> same webapp through my machine, does get challenged. However, after the
> second user passes it, he/she is into the webapp but with my permissions.
> All indications are the user logged on to my webapp. I thought when I sign
> off
>
>          session.invalidate();
>          response.sendRedirect("https://xxxx/logout");
> and close the browser, the new user should not be on my session that was
> already invalidated and logged out of.
>
> Thanks for your suggestion.
>
> Sincerely
> Ram
>
> >>> tedzo <tedzo2...@yahoo.com> 1/23/2009 12:41 AM >>>
>  Ram,
> I guess you are using the Yale CAS client. If that is so, I think the
> behavior you describe is how it works. You login to a webapp and navigate to
> another webapp unchallenged. Then you logout of the second webapp successfully
> by destroying the session and redirecting to the CAS logout URL. However your
> session with the first webapp is still valid because no one destroyed that
> session. Hence, you will be able to simply navigate back to the first webapp
> unchallenged. That's how it works for us. That's also one of the reasons why
> we are moving to version 3 of the client which supports the single logout
> feature.
>
> Hope that helps.
>
>  ------------------------------
> *From:* Ramakrishnan Iyer <ri...@kumc.edu>
> *To:* Yale CAS mailing list <cas@tp.its.yale.edu>
> *Sent:* Thursday, January 22, 2009 11:46:20 AM
> *Subject:* Re: CAS Logout question Followup
>
> Bill:
>
> >Are you simply trying to log the user out of the Application?  If so,
> >you need to invalidate the Application Session at the Application
> >layer.  This is independent of CAS.
>
> If you also want to end the CAS SSO Session, then you redirect to
> CAS/logout after the Application Session is invalidated.   Clear?   In
> a general Enterprise SSO deployment, you would not redirect to
> CAS/logout, since this would defeat the purpose of SSO.
>
> >From your example, it sounds like you may still have the first user's
> Application Session active...which would be true if you only did a
> CAS/logout.
>
>          session.invalidate();
>          response.sendRedirect("https://xxxx/logout");
>
> In my app module, after a login, I check
>
>             userId = (String) session.getAttribute("edu.yale.its.tp.cas.client.filter.user");
>
> Although the first user signed off, and the second userid signed on, here
> it still brings back the first userid.
>
> Thanks
> Ram
>
>
> _______________________________________________
> Yale CAS mailing list
> cas@tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
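The failure mode discussed in this thread (a second user on the same browser ends up with the first user's application session) is a stale-identity problem: the application trusts whatever user attribute is already bound to the session instead of re-checking it against what CAS actually validated. The following is an added example, not code from the thread or from the Yale CAS client. It assumes a servlet container with the Yale CAS client filter mapped ahead of it in the filter chain, so that the attribute `edu.yale.its.tp.cas.client.filter.user` (quoted in the thread) already holds the username from the most recent ticket validation; the class name `StaleIdentityGuardFilter`, the attribute `app.authenticatedUser` and the `LogoutServlet` are hypothetical names chosen for the example. It also shows the logout ordering Bill describes: invalidate the application session first, then redirect to CAS/logout.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical class, not part of the Yale CAS client):
 * runs after the CAS filter and makes sure the application's own
 * authorization state is bound to the principal CAS most recently validated.
 */
public class StaleIdentityGuardFilter implements Filter {

    // Attribute the Yale CAS client filter sets after ticket validation (name quoted in the thread).
    static final String CAS_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";

    // Hypothetical attribute under which this application caches the user it authorized.
    static final String APP_USER_ATTR = "app.authenticatedUser";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session == null) {
            // Nothing bound yet; the CAS filter upstream decides whether this request is allowed.
            chain.doFilter(req, res);
            return;
        }

        String casUser = (String) session.getAttribute(CAS_USER_ATTR);
        String appUser = (String) session.getAttribute(APP_USER_ATTR);

        if (casUser != null && appUser != null && !casUser.equals(appUser)) {
            // CAS validated a different principal than the one this session was built for.
            // Discard the whole session so no permissions cached for the old user survive,
            // then re-bind a fresh session to the newly validated principal.
            session.invalidate();
            session = request.getSession(true);
            session.setAttribute(CAS_USER_ATTR, casUser);
        }
        if (casUser != null) {
            // First request after validation (or after the rebind above): bind application
            // state to the validated principal instead of reusing whatever was there before.
            session.setAttribute(APP_USER_ATTR, casUser);
        }
        chain.doFilter(req, res);
    }
}

/** Added example: end the application session first, then the CAS SSO session. */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Invalidating at the application layer is what actually drops the cached user;
            // redirecting to CAS/logout alone leaves this session (and its permissions) alive.
            session.invalidate();
        }
        // Placeholder CAS server host, as written in the thread; configure the real one.
        response.sendRedirect("https://xxxx/logout");
    }
}
```

The guard only compares two session attributes, so it adds no network round trip; the authoritative username still comes from the CAS filter's ticket validation, which is the value Scott suggests checking first. If the attribute the CAS filter sets still shows the old user after a fresh login, the problem is upstream of this filter (the session was never invalidated, or the validation response carries the old principal), not in the application's own caching.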