Hi Andrew,

Hmm, something is going on, but not quite sure. A little more detail:
* my sso service runs on https://sso.example.com
* the cosign protected service lives at https://portal.example.com

The following service is defined in cosign.conf:
service cosign-portal https://portal.example.com/cosign/valid 0 mod_cosign-1

Looking at the headers, there are 2 cookies: "cosign" and "cosign-portal". The first I can clear and the second is not clearing for some reason and that's causing the issue I guess.

Here's what happens when logging in:
First you see the "cosign" cookie being set, followed by the "cosign-portal" cookie.

https://portal.example.com/

HTTP/1.1 200 OK
Date: Thu, 19 Apr 2012 13:55:09 GMT
Server: Apache/2.2.15 (Red Hat)
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
Set-Cookie: cosign=jwi0GaTfRgt53dONVWnR8xeWN5HFGR0EW5mcqNvK95zdqPhLAkYdPEERwUxMuC1oibEDUg5e-PBvUZB5jowDkiPb5BvxpfYM9MlKkBCVJGflfLIy+VMMClXXW0XJ/1334843709; path=/; secure
Last-Modified: Mon, 16 Apr 1973 13:10:00 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
----------------------------------------------------------
https://portal.example.com/cosign/valid?cosign-portal=Vas5QyYTGE3u5CPzxhUYOIJjsXdodC4F7vYkrxrZX4UGY9CTTSNyR3xiQMGS+dGLKqkCzgRtXabDmpdtwvZpJqB-Ssu2ucNvDKkkJuhgqTcT2g9V0SXrLYbwZlUZ&https://portal.example.com/

GET /cosign/valid?cosign-portal=Vas5QyYTGE3u5CPzxhUYOIJjsXdodC4F7vYkrxrZX4UGY9CTTSNyR3xiQMGS+dGLKqkCzgRtXabDmpdtwvZpJqB-Ssu2ucNvDKkkJuhgqTcT2g9V0SXrLYbwZlUZ&https://portal.example.com/ HTTP/1.1
Host: portal.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://sso.example.com/cosign-bin/cosign.cgi?cosign-portal&https://portal.example.com/

HTTP/1.1 301 Moved Permanently
Date: Thu, 19 Apr 2012 13:55:17 GMT
Server: Apache/2.2.15 (Red Hat)
Set-Cookie: cosign-portal=4vJejAnDM0ZzekyO762cZ4w94TS3nQHPfi3uwQKGq+Jltt4d8CWLhHvmN0IXpEK6hMerfTHAS6eanOi4rV9WFZvlnsgpXBIWS6HcvsiyHDZIX7SWJDRNpJtiAsVF/1334843717; path=/; secure
Location: https://portal.example.com/
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1

To see what's what I put the following lines in https://portal.example.com/logout.php:
setcookie(cosign, "null", time()-3600, '/', "", TRUE );
setcookie(cosign-portal, "null", time()-3600, '/', "", TRUE );

When I open the logout.php page, this happens:

GET /logout.php HTTP/1.1
Host: portal.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://portal.example.com/
Cookie: cosign-portal=4vJejAnDM0ZzekyO762cZ4w94TS3nQHPfi3uwQKGq+Jltt4d8CWLhHvmN0IXpEK6hMerfTHAS6eanOi4rV9WFZvlnsgpXBIWS6HcvsiyHDZIX7SWJDRNpJtiAsVF/1334843717

HTTP/1.1 302 Found
Date: Thu, 19 Apr 2012 13:55:26 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Set-Cookie: cosign=null; expires=Thu, 19-Apr-2012 12:55:26 GMT; path=/; secure
Set-Cookie: 0=null; expires=Thu, 19-Apr-2012 12:55:26 GMT; path=/; secure
Location: https://sso.example.com/cosign-bin/logout
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

For some reason it can set the "cosign" cookie, but it can't find the "cosign-portal" cookie (I think that's where the 0 comes from), so it stays present in my browser. Any ideas?

Thanks!

Regards,

--
Guus Houtzager | Project Resource Center | R21 Infrastructure Services
T. +31 30 689 10 51 | M. +31 6 27 159 035 http://www.nl.capgemini.com

> -----Original Message-----
> From: Andrew Mortensen [mailto:and...@weblogin.org]
> Sent: Wednesday 18 April 2012 10:24
> To: Houtzager, Guus
> Cc: cosign-discuss@lists.sourceforge.net
> Subject: Re: [Cosign-discuss] Logout issue
>
> This looks OK. Can you confirm (using something like Firefox's Live
> HTTP Headers add-on) that the Set-Cookie contains the values you
> expect?
> After you've been redirected to the global logout page, check
> your cookies to see that the service cookie's actually invalidated.
>
> andrew
>
>
> On Apr 17, 2012, at 5:01 PM, Houtzager, Guus wrote:
>
> > Hi,
> >
> > Sorry to bother you again, but I've got an issue with the logout
> > procedure. I'm running into the issue of the filter cache, so after
> > doing logout I can still get in within a small time period. I've read
> > the FAQ but still can't quite get it to work. I hope you can point me
> > in the right direction.
> >
> > I created a logout script, accessible at
> > https://sso.example.com/logout.php. Content is similar to the
> > provided script in the distribution:
> > <?php
> > /* change 'central' to the url of your weblogin server */
> > $central = "https://sso.example.com/cosign-bin/logout";
> > $service_name = $_SERVER['COSIGN_SERVICE'];
> >
> > setcookie($service_name, '', 1, '/', '', false, true );
> >
> > /* make any local additions here (e.g. expiring local sessions, etc.),
> > but it's important that there be no output on this page. */
> >
> > header( "Location: $central" );
> > exit;
> > ?>
> >
> > From the distribution I've modified the verify-logout.html template,
> > but it still contains:
> > <form name="f" method="post" action="/cosign-bin/logout">
> > <h1>Log Out</h1>
> > <p>You are about to log out of <a href="/services/">all weblogin applications</a>.
> > Are you sure you want to do this?</p>
> > <p>
> > <input type="button" id="back" value="Go Back" />
> > <input type="submit" id="logout" name="verify" value="Log Out" />
> > </p>
> > <div class="redirect">After logout your browser
> > will redirect to: $u</div>
> > <input type="hidden" name="url" value="$u" />
> > </form>
> >
> > In cosign.conf I've got this line to redirect to a different page
> > after logout:
> > set cosignlogouturl https://sso.example.com/loggedout.html
> > Which lists the services available behind cosign, nothing
> > special.
> >
> > If I start on the logout.php page, it directs nicely to the
> > cosign-bin/logout page, and after I press the Submit button, it
> > directs me to the loggedout.html. So I think the flow is doing what
> > it should.
> >
> > I thought this should do the trick, but it doesn't. Any suggestions?
> >
> > Regards,
> >
> > --
> > Guus Houtzager | Project Resource Center | R21 Infrastructure Services
> > T. +31 30 689 10 51 | M. +31 6 27 159 035 http://www.nl.capgemini.com
> >
> > _______________________________________________
> > Cosign-discuss mailing list
> > Cosign-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/cosign-discuss
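Added example, not part of the thread or of the cosign distribution: under the PHP 5.3 shown in the capture, an unquoted `cosign-portal` is parsed as the subtraction `cosign - portal` of two undefined constants, which evaluates to 0 and matches the `Set-Cookie: 0=null` header in the 302 response. The sketch below passes the cookie names as quoted strings and reuses the `path=/; secure` attributes from the captured Set-Cookie; the helper name `expire_cookies` and its name check are assumptions of this example.

```php
<?php
/* Added example: logout.php for the portal host, names passed as strings. */

/* change 'central' to the url of your weblogin server */
$central = "https://sso.example.com/cosign-bin/logout";

/**
 * Expire each named cookie using the attributes seen in the captured
 * Set-Cookie headers (path=/; secure). Returns the names it expired.
 * expire_cookies() is a hypothetical helper, not a cosign function.
 */
function expire_cookies(array $names)
{
    $expired = array();
    foreach ($names as $name) {
        // Refuse anything that is not a plain string token. An integer
        // such as 0 here means the name was written without quotes.
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
            error_log('logout: refusing cookie name ' . var_export($name, true));
            continue;
        }
        // Empty value plus a timestamp in the past makes the browser
        // drop the cookie; path and secure must match the original.
        if (setcookie($name, '', 1, '/', '', true)) {
            $expired[] = $name;
        }
    }
    return $expired;
}

// 'cosign-portal' is the service name from cosign.conf, quoted so it is
// a string. COSIGN_SERVICE is the variable the distribution's logout
// script (quoted in the thread) reads the service name from.
$names = array('cosign-portal');
if (!empty($_SERVER['COSIGN_SERVICE'])) {
    $names[] = $_SERVER['COSIGN_SERVICE'];
}
expire_cookies(array_unique($names));

/* no output on this page before the redirect */
header("Location: $central");
exit;
```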