Re: [cas-user] Logout using phpCAS
That's what I thought, but the documentation (https://wiki.jasig.org/display/CASC/phpCAS+logout) says that the logout() method will kill the current PHP session. So that assumes the application does not need to call session_destroy(). But if they do call session_destroy() before the phpCAS::logout(), will that cause any issues with the logout? I'd test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment.

On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions.

So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben
Re: [cas-user] Logout using phpCAS
So terminating the session did not work, but we found the problem and solution. It seems phpCAS sets a cookie with the ticket when you log in. The vendor created the page 'login.php', and the cookie was session_for:login.php. Then on logout another cookie was set with the name session_for:logout.php. Removing the session_for:login.php cookie disabled the auto login to the login.php and prompted for CAS credentials.

-Ben

From: Mike Seiler michaelsei...@fuller.edu
Reply-To: cas-user@lists.jasig.org
Date: Thursday, February 19, 2015 at 11:05 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Logout using phpCAS

Ben,

I have several PHP applications. The only way that I've found to completely kill the local application session is to explicitly set the local PHP session to null and destroy it, then call the phpCAS::logout() method. This ensures that any additional attempts to log in to the local application require authentication through CAS. session_destroy() only kills a current session if one has started, so that means that you have the odd requirement of calling session_start() just to call session_destroy():

    session_start();
    session_destroy();
    // If you really want to make sure it all dies
    $_SESSION = null;
    phpCAS::logout();

Mike

On Thu, Feb 19, 2015 at 7:56 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

I am not sure, as I don't have the code in front of me at the moment, but calling phpCAS::logout() essentially should stop the current execution and redirect you to the logout URL on your CAS server. If you need to work around a bug, you could probably kill the local session and do the redirect directly in PHP.

Thanks,
Carl

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 10:12:45 AM
Subject: Re: [cas-user] Logout using phpCAS

That's what I thought, but the documentation (https://wiki.jasig.org/display/CASC/phpCAS+logout) says that the logout() method will kill the current PHP session. So that assumes the application does not need to call session_destroy(). But if they do call session_destroy() before the phpCAS::logout(), will that cause any issues with the logout? I'd test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment.

On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions.

So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben
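As an added illustration of the fix Ben reports and the session teardown Mike describes (this is not the vendor's code and not part of phpCAS), the logout script below removes every cookie whose name starts with `session_for:`, deletes the matching server-side session data, and only then calls phpCAS::logout(). It assumes PHP 7 or later, that the cookies were set with the current session cookie parameters, and that the application's existing phpCAS::client() setup lives in a hypothetical `cas_bootstrap.php`; the function and constant names are made up for the example.

```php
<?php
// Added example: not the vendor's code and not part of phpCAS.
// 'session_for:' is the cookie-name prefix reported in this thread.
const SESSION_COOKIE_PREFIX = 'session_for:';

/**
 * Return [cookie name => value] for cookies whose name starts with $prefix.
 * The raw Cookie header is parsed because $_COOKIE rewrites '.' in
 * names to '_', which would hide a name such as session_for:login.php.
 */
function find_session_cookies(string $rawHeader, string $prefix): array
{
    $found = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2 && strpos($parts[0], $prefix) === 0) {
            $found[$parts[0]] = urldecode($parts[1]);
        }
    }
    return $found;
}

/** Delete the server-side data for one session and expire its cookie. */
function kill_session(string $cookieName, string $sessionId): void
{
    // Only touch values that look like PHP session IDs.
    if (preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sessionId)) {
        session_id($sessionId);
        session_start(['use_cookies' => 0]); // open without issuing a cookie
        $_SESSION = [];
        session_destroy();
    }
    // Assumption: the cookie was set with the current session cookie
    // parameters; a cookie is only removed if path and domain match.
    $p = session_get_cookie_params();
    setcookie($cookieName, '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

if (PHP_SAPI !== 'cli') {
    $cookies = find_session_cookies($_SERVER['HTTP_COOKIE'] ?? '', SESSION_COOKIE_PREFIX);
    foreach ($cookies as $name => $id) {
        kill_session($name, $id);
    }
    // Hypothetical include holding the application's phpCAS::client() setup.
    require __DIR__ . '/cas_bootstrap.php';
    phpCAS::logout(); // redirects to the CAS server's logout URL
}
```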
Re: [cas-user] Logout using phpCAS
Ben,

I have several PHP applications. The only way that I've found to completely kill the local application session is to explicitly set the local PHP session to null and destroy it, then call the phpCAS::logout() method. This ensures that any additional attempts to log in to the local application require authentication through CAS. session_destroy() only kills a current session if one has started, so that means that you have the odd requirement of calling session_start() just to call session_destroy():

    session_start();
    session_destroy();
    // If you really want to make sure it all dies
    $_SESSION = null;
    phpCAS::logout();

Mike

On Thu, Feb 19, 2015 at 7:56 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

I am not sure, as I don't have the code in front of me at the moment, but calling phpCAS::logout() essentially should stop the current execution and redirect you to the logout URL on your CAS server. If you need to work around a bug, you could probably kill the local session and do the redirect directly in PHP.

Thanks,
Carl

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 10:12:45 AM
Subject: Re: [cas-user] Logout using phpCAS

That's what I thought, but the documentation (https://wiki.jasig.org/display/CASC/phpCAS+logout) says that the logout() method will kill the current PHP session. So that assumes the application does not need to call session_destroy(). But if they do call session_destroy() before the phpCAS::logout(), will that cause any issues with the logout? I'd test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment.

On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions.

So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben

--
Michael Seiler
Systems Integration Engineer
Fuller Theological Seminary
Re: [cas-user] Logout using phpCAS
Ben,

I am not sure, as I don't have the code in front of me at the moment, but calling phpCAS::logout() essentially should stop the current execution and redirect you to the logout URL on your CAS server. If you need to work around a bug, you could probably kill the local session and do the redirect directly in PHP.

Thanks,
Carl

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 10:12:45 AM
Subject: Re: [cas-user] Logout using phpCAS

That's what I thought, but the documentation (https://wiki.jasig.org/display/CASC/phpCAS+logout) says that the logout() method will kill the current PHP session. So that assumes the application does not need to call session_destroy(). But if they do call session_destroy() before the phpCAS::logout(), will that cause any issues with the logout? I'd test it out myself, but I don't have access to the application, nor any current PHP applications to test with at the moment.

On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions.

So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben
[cas-user] Logout using phpCAS
We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben
Re: [cas-user] Logout using phpCAS
Ben,

Likely, you also have some kind of PHP session for the application.

Generally speaking, logging out of CAS SSO does *NOT* log you out of any application sessions.

So you might want to clear any normal PHP session prior to calling `phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They created a custom login page to handle CAS. Login works fine, but logout is currently an issue. Currently when we log out, phpCAS::logout() is called and we are redirected to the CAS logout page. When I try to go to any URL within the application, I'm not logged in. When I go to another CAS-enabled application, I am not logged in. But when I go back to the custom CAS login page, I am logged back in without being prompted for login credentials. No interaction occurs between the application and the CAS servers, so it is all within the client and the application at this point of re-entry. Is this acceptable behavior for CAS, or is there something more that needs to be done to be fully logged out of the application?

Thanks,
Ben