CAS Logout question Followup

tedzo tedzo2003 at yahoo.com
Fri Jan 23 01:41:32 EST 2009


Ram,
I guess you are using the Yale CAS client. If that is so, I think the behavior you describe is how it works. You log in to a webapp and navigate to another webapp unchallenged. Then you log out of the second webapp successfully by destroying the session and redirecting to the CAS logout URL. However, your session with the first webapp is still valid because no one destroyed that session. Hence, you will be able to simply navigate back to the first webapp unchallenged. That's how it works for us. That's also one of the reasons why we are moving to version 3 of the client, which supports the single logout feature.

Hope that helps.




________________________________
From: Ramakrishnan Iyer <riyer at kumc.edu>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Thursday, January 22, 2009 11:46:20 AM
Subject: Re: CAS Logout question Followup


Bill:
 
>Are you simply trying to log the user out of the Application?  If so,
>you need to invalidate the Application Session at the Application
>layer.  This is independent of CAS.
>
>If you also want to end the CAS SSO Session, then you redirect to
>CAS/logout after the Application Session is invalidated.   Clear?   In
>a general Enterprise SSO deployment, you would not redirect to
>CAS/logout, since this would defeat the purpose of SSO.
>
>From your example, it sounds like you may still have the first user's
>Application Session active...which would be true if you only did a
>CAS/logout.
 
         session.invalidate();
         response.sendRedirect("https://xxxx/logout");
 
In my app module, after a login, I check

            userId = (String)session.getAttribute("edu.yale.its.tp.cas.client.filter.user");
 
Although the first user signed off, and the second userid signed on, here it still brings back the first userid. 
 
Thanks
Ram
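
The behavior discussed in this thread, as an added example that is not part of the original messages and is not code from the CAS server or client: a small model in which each webapp keeps its own session store, so invalidating the session in the second webapp and calling CAS logout leaves the first webapp's session (and its stored user id) intact unless CAS tells every app to end the session tied to its ticket. All class and method names are hypothetical, and the ticket-to-session mapping is only the general idea behind single logout, not the version 3 client's implementation.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model for illustration only; every name here is hypothetical.
public class SingleLogoutModel {
    // One web application with its own session store, as in a servlet container.
    static class WebApp {
        final Map<String, String> sessions = new HashMap<>();        // sessionId -> userId
        final Map<String, String> ticketToSession = new HashMap<>(); // service ticket -> sessionId

        void login(String sessionId, String userId, String serviceTicket) {
            sessions.put(sessionId, userId);
            ticketToSession.put(serviceTicket, sessionId);
        }
        // Local logout: the effect of session.invalidate(), limited to this app.
        void invalidate(String sessionId) { sessions.remove(sessionId); }
        // Back-channel logout: CAS names the ticket, the app ends the matching session.
        void onLogoutRequest(String serviceTicket) {
            String sid = ticketToSession.remove(serviceTicket);
            if (sid != null) sessions.remove(sid);
        }
        String currentUser(String sessionId) { return sessions.get(sessionId); }
    }

    // CAS side: remembers which ticket it issued to which app during the SSO session.
    static class CasServer {
        final Map<WebApp, String> issued = new LinkedHashMap<>();
        int counter = 0;
        String issueTicket(WebApp app) {
            String st = "ST-" + (++counter); // constructed sample ticket id
            issued.put(app, st);
            return st;
        }
        void logout(boolean singleLogout) {
            if (singleLogout) issued.forEach(WebApp::onLogoutRequest);
            issued.clear();
        }
    }

    // Returns the user id the first webapp still holds after logout from the second.
    static String run(boolean singleLogout) {
        CasServer cas = new CasServer();
        WebApp app1 = new WebApp(), app2 = new WebApp();
        app1.login("sess-A", "user1", cas.issueTicket(app1));
        app2.login("sess-B", "user1", cas.issueTicket(app2));
        app2.invalidate("sess-B"); // session.invalidate() in the second webapp
        cas.logout(singleLogout);  // redirect to the CAS logout URL
        return app1.currentUser("sess-A");
    }

    public static void main(String[] args) {
        System.out.println("without single logout: " + run(false));
        System.out.println("with single logout:    " + run(true));
    }
}
```

Without the logout notification, the first webapp still reports the earlier user for its old session, which matches the stale user id read from the session attribute in the question.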



      