Ted:
 
I will do what you suggested. It is unexpected. I will let you know.
 
Thanks
Ram

>>> tedzo <tedzo2...@yahoo.com> 1/23/2009 8:05 PM >>>
Hmm, that would be very strange and very bad. That doesn't happen for
us. The only additional step I take is a call to response.flushBuffer()
after sendRedirect().
Are you sure you have the first user logged in the second time around?
In case you haven't, you should turn on logs and watch CAS state that a
ticket was issued for user2 for service <whatever>.


From: Ramakrishnan Iyer <ri...@kumc.edu>
To: Yale CAS mailing list <cas@tp.its.yale.edu>
Sent: Friday, January 23, 2009 6:16:46 AM
Subject: CAS Logout question Followup 2

Hi Ted:
 
Yes, I am using the Yale CAS client. I am logging in to a webapp but not
going to another webapp. I just log out and the second user, who is
signing on to the same webapp through my machine, does get challenged.
However, after the second user passes it, he/she is into the webapp but
with my permissions. All indications are the user logged on to my
webapp. I thought when I sign off
 
         session.invalidate();
         response.sendRedirect("https://xxxx/logout");
and close the browser, the new user should not be on my session that
was already invalidated and logged out of.
 
Thanks for your suggestion.
 
Sincerely
Ram

>>> tedzo <tedzo2...@yahoo.com> 1/23/2009 12:41 AM >>>
Ram,
I guess you are using the Yale CAS client. If that is so, I think the
behavior you describe is how it works. You log in to a webapp and
navigate to another webapp unchallenged. Then you log out of the second
webapp successfully by destroying the session and redirecting to the CAS
logout URL. However, your session with the first webapp is still valid
because no one destroyed that session. Hence, you will be able to simply
navigate back to the first webapp unchallenged. That's how it works for
us. That's also one of the reasons why we are moving to version 3 of the
client, which supports the single logout feature.

Hope that helps.

From: Ramakrishnan Iyer <ri...@kumc.edu>
To: Yale CAS mailing list <cas@tp.its.yale.edu>
Sent: Thursday, January 22, 2009 11:46:20 AM
Subject: Re: CAS Logout question Followup

Bill:
 
>Are you simply trying to log the user out of the Application?  If so,
>you need to invalidate the Application Session at the Application
>layer.  This is independent of CAS.

If you also want to end the CAS SSO Session, then you redirect to
CAS/logout after the Application Session is invalidated.   Clear?   In
a general Enterprise SSO deployment, you would not redirect to
CAS/logout, since this would defeat the purpose of SSO.

>From your example, it sounds like you may still have the first user's
Application Session active...which would be true if you only did a
CAS/logout.
 
         session.invalidate();
         response.sendRedirect("https://xxxx/logout");
 
In my app module, after a login, I check

            userId = (String)session.getAttribute("edu.yale.its.tp.cas.client.filter.user");
 
Although the first user signed off, and the second userid signed on,
here it still brings back the first userid. 
 
Thanks
Ram
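The point Ted and Bill make in the two replies above, that each webapp holds its own Application Session on top of the one CAS SSO session, and that a plain application logout plus a redirect to CAS/logout leaves every other webapp's session valid unless the client supports single logout, can be modelled with a few plain Java classes. The code below is an added illustration written for this thread, not code from the Yale CAS client or the CAS server; the class names, the `TGT-` ticket ids and the per-app session maps are constructed for the model. The only identifier taken from the thread is the session attribute `edu.yale.its.tp.cas.client.filter.user`.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Toy model (hypothetical, not the Yale CAS client): one CAS SSO session
 * (the ticket-granting ticket) backs one Application Session per webapp.
 * Application logout destroys only the current webapp's session; single
 * logout asks every webapp registered against the SSO session to drop its own.
 */
public class SsoLogoutModel {

    /** Stand-in for HttpSession: attributes plus an invalidated flag. */
    static final class AppSession {
        private final Map<String, Object> attributes = new HashMap<>();
        private boolean valid = true;

        void setAttribute(String name, Object value) { attributes.put(name, value); }

        /** Like HttpSession.getAttribute(), which fails once the session is invalidated. */
        Object getAttribute(String name) {
            if (!valid) throw new IllegalStateException("session already invalidated");
            return attributes.get(name);
        }

        void invalidate() { valid = false; attributes.clear(); }
        boolean isValid() { return valid; }
    }

    /** A webapp that, like the CAS filter, stores the authenticated user in its session. */
    static final class WebApp {
        final String name;
        private final Map<String, AppSession> sessions = new HashMap<>(); // keyed by SSO ticket id

        WebApp(String name) { this.name = name; }

        /** Called once CAS has validated a service ticket for this app. */
        AppSession login(String tgtId, String user) {
            AppSession s = new AppSession();
            s.setAttribute("edu.yale.its.tp.cas.client.filter.user", user);
            sessions.put(tgtId, s);
            return s;
        }

        /** Plain application logout: session.invalidate() for this app only. */
        void logout(String tgtId) {
            AppSession s = sessions.remove(tgtId);
            if (s != null) s.invalidate();
        }

        boolean hasValidSession(String tgtId) {
            AppSession s = sessions.get(tgtId);
            return s != null && s.isValid();
        }
    }

    /** Server side: remembers which apps were issued a session for each SSO session. */
    static final class CasServer {
        private final Map<String, Set<WebApp>> appsPerTgt = new HashMap<>();
        private final Map<String, String> userPerTgt = new HashMap<>();

        String ssoLogin(String user) {
            String tgt = "TGT-" + user; // constructed id, not the real CAS ticket format
            userPerTgt.put(tgt, user);
            appsPerTgt.put(tgt, new HashSet<>());
            return tgt;
        }

        /** Service access: the app gets its own session and CAS notes the app. */
        AppSession accessService(String tgt, WebApp app) {
            appsPerTgt.get(tgt).add(app);
            return app.login(tgt, userPerTgt.get(tgt));
        }

        /** Redirect to CAS/logout with a client lacking single logout: SSO session only. */
        void logoutSsoOnly(String tgt) {
            userPerTgt.remove(tgt);
            appsPerTgt.remove(tgt);
        }

        /** CAS/logout with single logout: every registered app drops its session too. */
        void singleLogout(String tgt) {
            for (WebApp app : appsPerTgt.getOrDefault(tgt, new HashSet<>())) app.logout(tgt);
            logoutSsoOnly(tgt);
        }
    }

    public static void main(String[] args) {
        CasServer cas = new CasServer();
        WebApp first = new WebApp("first"), second = new WebApp("second");

        // Ted's scenario: log in to two webapps, log out of the second, hit CAS/logout.
        String tgt = cas.ssoLogin("user1");
        cas.accessService(tgt, first);
        cas.accessService(tgt, second);
        second.logout(tgt);
        cas.logoutSsoOnly(tgt);
        System.out.println("first app session valid after plain logout: " + first.hasValidSession(tgt));

        // Same scenario with single logout: the first app's session is destroyed as well.
        tgt = cas.ssoLogin("user1");
        cas.accessService(tgt, first);
        cas.accessService(tgt, second);
        cas.singleLogout(tgt);
        System.out.println("first app session valid after single logout: " + first.hasValidSession(tgt));
    }
}
```

The first scenario is the one Ted describes: after the plain logout the first webapp still reports a valid session, so navigating back to it is unchallenged. The second scenario shows why the version 3 client's single logout closes that gap. The model does not explain Ram's report of a second user receiving the first user's identity inside a single webapp; that would need the server logs Ted asks for.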


_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
