On February 1, 2012 15:26, Chris Hecker <chec...@d6.com> wrote:

> If I'm logged into a cosign protected page, and then I click a link to
> go to the logout page, then logout, I can hit the back button to go back
> to the original protected page. At first I thought this was just the
> browser cache, but I can actually click links on that page and go to
> other cosign protected pages that aren't in my cache.
>
> Looking at the headers a bit I notice the logout clears the "cosign"
> cookie, but the "cosign-blah" cookie isn't cleared.
This is normal and expected. To avoid this, and for the best logout experience, the "link to the logout page" should clear the cosign service cookie from the user's web browser ("cosign-blah") before redirecting the user to the central logout page. cosign ships with two example scripts in the scripts/logout directory that show how to do this.

> I haven't thoroughly tested this, but it seems like if I go back and hit
> refresh a while later, then it redirects to the login page like I'd expect.

This is also expected. cosign will check the validity of service cookies with the central weblogin servers not on every access, but when there is an access that is more than a minute since the last time the service cookie was validated with the central weblogin servers.

What you are seeing is:

1. User uses cosign protected web site
2. User goes to central logout page and logs out
3. User returns to cosign protected service
4. It's been less than a minute since (1), so the cosign service cookie provided by the user's browser is only validated locally; it is not validated against the central weblogin servers
5. User continues accessing the cosign protected web site until more than 1 minute has passed since (1). At that point, the cosign protected web site checks with the central weblogin servers again, finds that the service cookie is not valid, and redirects the user to the login form.

What you want is:

1. User uses cosign protected web site
2. User clicks logout link on cosign protected web site, which deletes the service cookie from the user's web browser and redirects the user to the central logout page.
3. User logs out
4. User tries to access the cosign protected web site again, but does not have a cosign service cookie for that site, and so is immediately redirected to the central weblogin form.
--
Mark Montague
LSA Research Systems Group
University of Michigan
markm...@umich.edu

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
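An added example, not one of the scripts in cosign's scripts/logout directory, illustrating both halves of the reply above: a logout endpoint for the protected site that expires the service cookie in the browser before redirecting to the central logout page, and a small model of the "validate locally for up to a minute" behaviour that explains why the back button still works after a central-only logout. The cookie name "cosign-blah" is the placeholder from the thread, the central logout URL and the 60-second window are assumptions, and the WSGI app is a stand-in for whatever CGI or PHP the site actually uses.

```python
"""Logout handling for a cosign-protected site (illustrative example, not cosign code)."""
from http.cookies import SimpleCookie

SERVICE_COOKIE = "cosign-blah"                         # placeholder name from the thread
CENTRAL_LOGOUT_URL = "https://weblogin.example.edu/logout"  # assumed central logout page
VALIDATION_WINDOW = 60  # seconds; assumption matching the "more than a minute" in the reply


def expire_cookie_header(name: str) -> str:
    """Build a Set-Cookie value that deletes `name` from the browser.

    Both a past Expires date and Max-Age=0 are sent so that old and new
    browsers alike drop the cookie; Path=/ must match the path the service
    cookie was set with, otherwise the browser keeps the original.
    """
    jar = SimpleCookie()
    jar[name] = ""
    jar[name]["path"] = "/"
    jar[name]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    jar[name]["max-age"] = 0
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


def logout_app(environ, start_response):
    """Site-local logout link: clear the service cookie, then send the user to
    the central logout page. Cache-Control: no-store keeps the redirect itself
    out of the browser cache."""
    headers = [
        ("Location", CENTRAL_LOGOUT_URL),
        ("Set-Cookie", expire_cookie_header(SERVICE_COOKIE)),
        ("Cache-Control", "no-store"),
        ("Content-Length", "0"),
    ]
    start_response("302 Found", headers)
    return [b""]


def access_decision(cookie_present: bool, last_validated: float, now: float,
                    central_says_valid: bool) -> str:
    """Model of how the protected site treats a request, per the reply:

    - no service cookie          -> redirect to the central login form
    - cookie, window not elapsed -> accepted on the local check only
    - cookie, window elapsed     -> re-validated with the central servers
    """
    if not cookie_present:
        return "redirect-to-login"
    if now - last_validated <= VALIDATION_WINDOW:
        return "allow-local"
    return "allow-central" if central_says_valid else "redirect-to-login"


def walk_through(cleared_on_logout: bool) -> list:
    """Replay the two sequences from the reply. Timestamps are constructed:
    the cookie was last validated centrally at t=0, the user logs out
    centrally at t=20, presses back at t=30 and refreshes at t=90."""
    t_validated = 0.0
    cookie_present = not cleared_on_logout   # the site-local link deletes it
    central_valid = False                    # central logout invalidated it at t=20
    return [
        access_decision(cookie_present, t_validated, 30.0, central_valid),  # back button
        access_decision(cookie_present, t_validated, 90.0, central_valid),  # later refresh
    ]


if __name__ == "__main__":
    print("central-only logout:", walk_through(cleared_on_logout=False))
    print("site link then central:", walk_through(cleared_on_logout=True))
```

Run stand-alone it shows the central-only sequence being allowed locally at t=30 and redirected at t=90, while the sequence that clears the cookie first is redirected immediately. The WSGI function can be mounted at the logout URL of any WSGI server; the decision model is only there to make the timing argument concrete and is not how mod_cosign is implemented.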