Invalidate all sessions for a user identity
Scott Battaglia
scott.battaglia at gmail.com
Wed Jan 21 22:44:59 EST 2009
Sessions stored in CAS are not keyed on user. They're keyed off their
unique key (by design). Logging out merely destroys that particular CAS
session (and if an application is Single Sign Out enabled, those
applications too).
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Tue, Jan 20, 2009 at 7:19 PM, Pål Axelsson <Pal.Axelsson at its.uu.se> wrote:
> Hi again,
>
> The backend for CAS is handled of course in occasions as described, and
> applications that support Single Sign Off are too few. A lot of them, on the
> other hand, "recasify" the user now and then to check that the session is
> still valid. So what we want to do is to invalidate all sessions for a
> specific user identity, together with a single sign off request for every
> session.
>
> /Pål
>
> -----Original message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] on behalf of
> William G. Thompson, Jr.
> Sent: 20 January 2009 19:54
> To: Yale CAS mailing list
> Subject: Re: Invalidate all sessions for a user identity
>
> Pål,
>
> Can you be more specific regarding the "active sessions"? Are these
> application sessions that have been created after a user has been
> authenticated via CAS?
>
> If the credentials are known to be compromised (social engineering or
> otherwise) you'd want to prevent further use of them, likely by
> controlling them at the primary authentication source (LDAP, Kerberos,
> etc).
>
> If you have deployed Single Sign Out, you could potentially customize
> CAS with an administrative feature that would call out to active
> application sessions and log off a specified user. Out of the box
> this is not available.
>
> Bill
> --
> William G. Thompson, Jr.
> Senior Technologist - Development Information Systems
> Office of Development, Princeton University
> voice: 609.258.2655 | wthompso at princeton.edu
>
>
> On Tue, Jan 20, 2009 at 10:08 AM, Pål Axelsson <Pal.Axelsson at its.uu.se>
> wrote:
> > Hi,
> >
> > Our IRT team has come up with a question that I can't find the answer for.
> >
> > Is it possible to invalidate all active sessions for a specific user
> > identity?
> >
> > If one of our users' accounts is hijacked, for example by social engineering,
> > we want to remove all active sessions for that user identity in a simple and
> > controlled way. Is that possible?
> >
> > Pål Axelsson
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
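The administrative "log off a specified user" feature Bill describes, against a registry that (as Scott notes) is keyed by ticket id rather than by user, modelled below as an added example. This is not CAS code: the registry and ticket classes, the sample ticket ids, principals and service URLs are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TicketGrantingTicket:
    """One CAS login session (model, not CAS's own class)."""
    ticket_id: str               # the registry key; this is NOT the user
    principal: str               # the authenticated user identity
    # service URL -> service ticket issued under this session; each entry
    # is one application session that a Single Sign Out request can end
    services: dict = field(default_factory=dict)


class TicketRegistry:
    """Sessions are stored and looked up by ticket id only."""
    def __init__(self):
        self._tickets = {}

    def add(self, tgt):
        self._tickets[tgt.ticket_id] = tgt

    def get(self, ticket_id):
        return self._tickets.get(ticket_id)

    def delete(self, ticket_id):
        return self._tickets.pop(ticket_id, None)

    def all(self):
        return list(self._tickets.values())


def logout_single_session(registry, ticket_id):
    """Ordinary logout: destroy ONE session; return (service, ticket) pairs to notify."""
    tgt = registry.delete(ticket_id)
    return sorted(tgt.services.items()) if tgt else []


def invalidate_user_sessions(registry, principal):
    """Revoke every session of `principal`. With no per-user index, this is a
    full scan of the registry; the caller posts one SLO request per pair."""
    to_notify = []
    for tgt in registry.all():
        if tgt.principal == principal:
            to_notify.extend(logout_single_session(registry, tgt.ticket_id))
    return to_notify


def build_sample_registry():
    """Constructed data: 'alice' logged in from two browsers, 'bob' from one."""
    reg = TicketRegistry()
    reg.add(TicketGrantingTicket("TGT-1", "alice", {"https://mail.example.edu": "ST-11",
                                                    "https://wiki.example.edu": "ST-12"}))
    reg.add(TicketGrantingTicket("TGT-2", "alice", {"https://mail.example.edu": "ST-21"}))
    reg.add(TicketGrantingTicket("TGT-3", "bob", {"https://wiki.example.edu": "ST-31"}))
    return reg
```

Only applications that honour Single Sign Out receive the notification; the rest keep their local session until they "recasify", which is why revoking at the primary authentication source is still needed for a compromised account.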