On February 1, 2012 15:26 , Chris Hecker <chec...@d6.com> wrote:
> If I'm logged into a cosign protected page, and then I click a link to
> go to the logout page, then logout, I can hit the back button to go back
> to the original protected page.  At first I thought this was just the
> browser cache, but I can actually click links on that page and go to
> other cosign protected pages that aren't in my cache.
>
> Looking at the headers a bit I notice the logout clears the "cosign"
> cookie, but the "cosign-blah" cookie isn't cleared.

This is normal and expected.  To avoid this, and for the best logout 
experience, the "link to the logout page" should clear the cosign 
service cookie from the user's web browser ("cosign-blah") before 
redirecting the user to the central logout page.  cosign ships with two 
example scripts in the scripts/logout directory that show how to do this.


> I haven't thoroughly tested this, but it seems like if I go back and hit
> refresh a while later, then it redirects to the login page like I'd expect.

This is also expected.  cosign will check the validity of service 
cookies with the central weblogin servers not on every access, but when 
there is an access that is more than a minute since the last time the 
service cookie was validated with the central weblogin servers.  What 
you are seeing is:

1. User uses cosign protected web site
2. User goes to central logout page and logs out
3. User returns to cosign protected service
4. It's been less than a minute since (1), so the cosign service cookie 
provided by the user's browser is only validated locally; it is not 
validated against the central weblogin servers
5. User continues accessing the cosign protected website until more than 
1 minute has passed since (1).  At that point, the cosign protected 
web-site checks with the central weblogin servers again, finds that the 
service cookie is not valid, and redirects the user to the login form.

What you want is:
1. User uses cosign protected web site
2. User clicks logout link on cosign protected web site, which deletes 
the service cookie from the user's web browser and redirects the user to 
the central logout page.
3. User logs out
4. User tries to access the cosign protected web site again, but does 
not have a cosign service cookie for that site, and so is immediately 
redirected to the central weblogin form.

--
   Mark Montague
   LSA Research Systems Group
   University of Michigan
   markm...@umich.edu
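The two points in the reply above, as an added example that is not part of the thread and not one of cosign's own scripts/logout examples: a logout handler that expires the service cookie before redirecting to the central logout page, and a small model of the "validate centrally only after more than a minute" behaviour that explains the back-button window. The central logout URL, the cookie attributes, and the cookie name "cosign-blah" (the thread's placeholder) are assumptions; the validator is a model of what the reply describes, not cosign's filter code.

```python
from urllib.parse import quote

# Assumed values (not from the thread): central logout URL and the service
# cookie name, which reuses the thread's placeholder "cosign-blah".
CENTRAL_LOGOUT_URL = "https://weblogin.example.edu/cgi-bin/logout"  # assumed
SERVICE_COOKIE = "cosign-blah"  # placeholder name used in the thread
REVALIDATION_INTERVAL = 60      # seconds; the "more than a minute" in the reply


def build_logout_response(service_cookie=SERVICE_COOKIE,
                          central_logout_url=CENTRAL_LOGOUT_URL):
    """Return (status, headers) for the service-side logout link.

    The Set-Cookie header overwrites the cosign service cookie with an empty,
    already-expired value so the browser discards it before following the
    redirect.  Path/Secure/HttpOnly must match how the cookie was originally
    set or the browser keeps the old one (assumed attributes here).
    """
    expired = "Thu, 01 Jan 1970 00:00:00 GMT"
    clear = (f"{service_cookie}=; Path=/; Expires={expired}; Max-Age=0; "
             "Secure; HttpOnly")
    headers = [
        ("Set-Cookie", clear),
        ("Location", central_logout_url),
        ("Cache-Control", "no-store"),  # keep the protected page out of cache
    ]
    return "302 Found", headers


class ServiceCookieValidator:
    """Model of the reply's description: a service cookie is re-checked with
    the central weblogin servers only when more than REVALIDATION_INTERVAL
    seconds have passed since its last central check; otherwise the cached
    result is used."""

    def __init__(self, central_is_valid, interval=REVALIDATION_INTERVAL):
        self._central_is_valid = central_is_valid  # callable(cookie) -> bool
        self._interval = interval
        self._last_checked = {}  # cookie -> time of last central check
        self._status = {}        # cookie -> last central answer

    def access(self, cookie, now):
        """True if the access is allowed; None cookie means no service cookie
        at all, which is an immediate redirect to the login form."""
        if cookie is None:
            return False
        last = self._last_checked.get(cookie)
        if last is None or now - last > self._interval:
            self._status[cookie] = self._central_is_valid(cookie)
            self._last_checked[cookie] = now
        return self._status[cookie]


def stale_window_demo():
    """Reproduce the five-step sequence from the reply.

    Returns [(seconds_since_first_access, access_allowed)].  The access at
    t=30 is allowed by the local check even though the user logged out
    centrally at t=10; the access at t=70 triggers a central check and fails.
    """
    central = {"cookie-A": True}  # constructed central weblogin state
    validator = ServiceCookieValidator(lambda c: central.get(c, False))
    events = []
    events.append((0, validator.access("cookie-A", 0)))    # step 1
    central["cookie-A"] = False                             # step 2: logout
    events.append((30, validator.access("cookie-A", 30)))  # steps 3-4
    events.append((70, validator.access("cookie-A", 70)))  # step 5
    return events


def cleared_cookie_demo():
    """The desired flow: the logout link cleared the service cookie, so the
    next access has no cookie and is refused immediately."""
    validator = ServiceCookieValidator(lambda c: True)
    return validator.access(None, 0)


if __name__ == "__main__":
    print(build_logout_response())
    print(stale_window_demo())
    print(cleared_cookie_demo())
```

The model only captures the timing rule stated in the reply; the real filter also checks the cookie's signature and age locally, which this example does not attempt to reproduce.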


_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss