[ https://issues.apache.org/jira/browse/KNOX-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15657282#comment-15657282 ]
Jeffrey E Rodriguez commented on KNOX-571:
-------------------------------------------

Hi Summit,

This is more relevant for Web Interfaces that don't use the pass through approach and still rely on Knox authentication.

Some questions:

1. If a web application is using KnoxSSO, how would it logout the session?
2. If the web application uses Knox pass through, can the application still do Basic or Form authentication through Knox?
3. Can the pass through approach be used to extend the web application login module? (The application does the login but still delegates authentication to Knox - sort of an authentication assertion.) If this is the case then do we have an example? If we don't have an example maybe we need to add one.

We have existing value add like BigSQL DSM that rely on basic authentication in Knox so I would like to revisit how we logout sessions.

> UI Web pages should have a way to logout
> ----------------------------------------
>
>                 Key: KNOX-571
>                 URL: https://issues.apache.org/jira/browse/KNOX-571
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.7.0
>         Environment: Redhat/Windows
>            Reporter: Jeffrey E Rodriguez
>             Fix For: Future
>
>         Attachments: knox_logout_design.jpg
>
>
> UI using Knox as a proxy should have a way to define a logout so Browser to
> Knox session is invalidated and user is challenged for Authentication. This
> is a web security requirement to prevent session hijacking attacks.
> References
> https://www.owasp.org/index.php/Session_hijacking_attack
> https://owasp.org/index.php/Testing_for_logout_functionality_%28OTG-SESS-007%29

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)