[cas-dev] Single Sign out with Domain Cookies

Trenton D. Adams trenta at athabascau.ca
Wed Mar 19 18:20:44 EDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Guys,

Kind of brain storming here...

I'm just curious if anyone has thought of doing single sign out with
domain cookies, as opposed to the current method in CAS 3.2?  i.e. All
services use domain cookies, and CAS expires them all upon logout.

One would have to implicitly trust every server in the domain.  If you
can't do that, then this would not work for you.

Are there any potential security issues that you can think of with this?
~ Obviously we won't make the CAS cookie a domain cookie!!!

Any reasons for or against such a mechanism?

I can think of one reason why the current CAS method may be better in at
least one instance.  I'm assuming that CAS does callbacks to clients
when it's TGTs timeout from inactivity (in addition to forcing a
logout), is that correct?  If so, that is one feature that is desirable,
that domain cookies would not have.  Perhaps combining the two features
may be desirable?  i.e. Languages that don't support the client callback
would make domain cookies, which CAS would delete upon logout.


FYI: This domain cookie mechanism would not work with servlet based
applications, without a little work.  But, I'm assuming there is a Java
CAS client that already supports the CAS 3.2 single sign out???  Anyhow,
the Java Servlet spec requires cookies to be named JSESSIONID.  I'm not
sure if this is the case with any other CSo, servlet containers do not
allow you to change the cookie name.  Or should I say tomcat does not,
as it is a reference implementation.  Perhaps others do.  So, something
would have to sit in front of each servlet context, and rename
JSESSIONID to a configured name (not the context name as it could be in
the root '/'), going both in and out, and the path would also need to be
manipulated going to the browser.

- --
Trenton D. Adams
Systems Analyst/Web Software Engineer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH4ZG8y1ltpSlXkf8RAjYlAKCB7bDU8aluk4Vu9SJ+ZKf/xGizkwCfRCmC
wQxjyv4FzB+aUXHqc/IONnw=
=vd23
-----END PGP SIGNATURE-----

__ 
    This communication is intended for the use of the recipient to whom it
    is addressed, and may contain confidential, personal, and or privileged
    information. Please contact us immediately if you are not the intended
    recipient of this communication, and do not copy, distribute, or take
    action relying on it. Any communications received in error, or
    subsequent reply, should be deleted or destroyed.
---

More information about the cas-dev mailing list