[cas-dev] CAS logout

Jennifer Yang jyoonyang at gmail.com
Wed Jul 26 14:59:57 EDT 2006


Another followup question.

So if we have multiple apps linked with CAS SSO, cas/logout kills single
sign on session.  However, how can I kill all the apps already signed in
previously with CAS before the logout?  If CAS can determine if a single
sign on session is valid or not, can't our app query CAS?  But this seems
expensive that the app needs to query CAS for each access...  Any suggestion
as to how to implement single sign OFF?

Thanks,
Jennifer


On 7/26/06, Jennifer Yang <jyoonyang at gmail.com> wrote:
>
> I must have used http.  I thought I tried https.  :-)
> It works with https.  Thank you!!
>
> Out of curiosity, how does CAS validate multiple apps?  Initially, I
> thought it validated the ticket issued at initial sign on, but looking at
> the log, it seems to issue different ticket for each app.
>
> Another question.  Is there any way to run CAS in non-SSL mode?
>
> Thanks,
> --Jennifer
>
>
> On 7/26/06, Scott Battaglia <scott_battaglia at rutgers.edu> wrote:
> >
> > Logging out of CAS is designed to kill your single sign on session (not
> > your individual application sessions) so that if you try and access
> > another CASified application (that you haven't logged into yet) you will
> > be prompted for your credentials again.
> >
> > CAS uses secure cookies however, so if you access the Logout page via
> > http instead of https your cookie will not be destroyed as it was never
> > sent to the server.
> >
> > -Scott
> >
> >
> > Kris Melotte wrote:
> > > Is there a difference regarding logout when you are using http versus
> > > https?
> > >
> > > I thought that the fact you can still login after the logout to an
> > > (authenticated) application is because the JA-SIG client does not check
> > > anymore with the CAS server after validation of the initial ticket.
> > >
> > > As the authentication information is already in the session of the SSO
> > > authenticated application, the filter will pass you through without
> > > checking again with the CAS server if the SSO is still valid.
> > >
> > > I thought that this behavior was the reason why the cas logout page
> > > mentions to "exit your browser for security reasons"?
> > >
> > > Regards,
> > > Kris
> > >
> > > -----Original Message-----
> > > From: cas-dev-bounces at tp.its.yale.edu
> > > [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> > > Sent: Wednesday, July 26, 2006 2:16 PM
> > > To: Mailing list for CAS developers
> > > Subject: Re: [cas-dev] CAS logout
> > >
> > > Jennifer,
> > >
> > > Did you access the logout page via http or https?
> > >
> > > -Scott
> > >
> > > Jennifer Yang wrote:
> > >
> > >
> > >> Hello,
> > >>
> > >> I am trying to implement logout.
> > >>
> > >> I found the following thread, but I am not seeing the same behavior.
> > >> http://tp.its.yale.edu/pipermail/cas/2005-February/001010.html
> > >>
> > >> According to this, hitting /cas/logout should prevent the previously
> > >> authenticated user from accessing another webapp without signing on
> > >> again.  Here is what I tried and the behavior.
> > >>
> > >> I have two webapps (using jsp-examples and servlet-examples supplied
> > >> by Tomcat) both set up to use CASFilter.
> > >>
> > >> 1. I enter one of the jsp-examples url in the browser.
> > >> 2. I get JA-SIG login page and I log in successfully.
> > >> 3. I get redirected to the jsp-examples I was trying to access in step 1.
> > >> 4. I log off via /cas/logout and get a JA-SIG "successfully logged off".
> > >> 5. I enter one of the servlet-examples (a different webapp from step
> > >> 1).  I expected to get another JA-SIG login page, but I get my
> > >> servlet-examples without being re-authenticated.
> > >>
> > >> Am I missing something?
> > >>
> > >> Also, what is the best way to implement single-sign-out?
> > >>
> > >> Thanks very much!
> > >> --Jennifer
> > >>
> > >>
> > >> ------------------------------------------------------------------------
> > >> _______________________________________________
> > >> cas-dev mailing list
> > >> cas-dev at tp.its.yale.edu
> > >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
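
Added example, not part of the original thread and not CAS or JA-SIG client code: a small Python model of the behaviour Scott and Kris describe, where logout destroys only the SSO session, a Secure cookie is never sent over http, and an application with its own local session does not ask CAS again. Class and method names are hypothetical, and ticket issuance and validation are collapsed into one step.

```python
# Minimal model of the thread's scenario; all names here are assumptions.
import secrets

class CasServer:
    """Holds SSO sessions keyed by a ticket-granting cookie marked Secure."""
    def __init__(self):
        self.sso = {}  # cookie value -> username

    def login(self, user):
        tgc = "TGC-" + secrets.token_hex(8)
        self.sso[tgc] = user
        return tgc

    def issue_service_ticket(self, tgc):
        # A fresh ticket per application, only while the SSO session is alive.
        return "ST-" + secrets.token_hex(8) if tgc in self.sso else None

    def logout(self, tgc):
        # Destroys the SSO session only; application sessions are untouched.
        self.sso.pop(tgc, None)

class Browser:
    def __init__(self):
        self.tgc = None

    def cookie_for(self, scheme):
        # A Secure cookie is attached to https requests only.
        return self.tgc if scheme == "https" else None

class App:
    """Stands in for a filter-protected webapp with its own local session."""
    def __init__(self, cas):
        self.cas, self.local_session = cas, False

    def access(self, browser):
        if self.local_session:
            return "served (local session, CAS not consulted)"
        if self.cas.issue_service_ticket(browser.cookie_for("https")) is None:
            return "redirect to CAS login"
        self.local_session = True
        return "served (new service ticket)"

def run(logout_scheme):
    """Log in, visit app 1, log out over the given scheme, visit both apps."""
    cas, browser = CasServer(), Browser()
    jsp, servlet = App(cas), App(cas)
    browser.tgc = cas.login("alice")  # constructed sample user
    first = jsp.access(browser)
    cas.logout(browser.cookie_for(logout_scheme))
    return first, jsp.access(browser), servlet.access(browser)
```

`run("http")` reproduces step 5 of the original report (the second webapp is served without a new login), while `run("https")` sends the second webapp back to the login page but still leaves the first webapp's local session usable.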