Sign out of CAS and delete cookies

I just created the HelloWorld servlet and implemented CAS on it. I can log in without problems, and CAS sets 3 cookies in my browser: CASGT and 2 JSESSIONID, 1 for /cas and the other for /helloWorld.

The problem is that after that I go to https://blah:8443/cas/logout, I see the completed successfully screen, but the cookies are still in my browser, so I'm not logged out; I can log in again in /helloWorld without displaying the login screen.

Do you know what to do to let CAS delete cookies created when you log out?

Thanks in advance

+7
2 answers

The CASGT cookie is set by CAS and should be disabled. The CAS logout procedure works as follows:

  • You actually go to the CAS exit page. The page should know the application you are leaving. One way is to redirect to the CAS exit page from the application, providing the redirect URL as a parameter.

  • Your cookie will be deleted and then you will be redirected to the application via a POST request.

  • SingleSignOutFilter catches the special parameter "logoutRequest" and actually destroys the ticket / session mapping that it saved from the very beginning, and also cancels the current session.

To debug CAS, enable TRACE level logging. This way you will know if the correct request was received or if the session was invalidated.

I also advise you to look at the code of the package org.jasig.cas.client.session, which is pretty simple.

+6
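The logoutRequest handling described in the answer above, as an added example that is not part of the original answers or of the CAS client code: a small Python model of the ticket-to-session mapping. The class, method names and sample request are constructed for illustration; it assumes the logoutRequest parameter carries a SAML LogoutRequest whose SessionIndex element holds the service ticket.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the body CAS POSTs back in the "logoutRequest" parameter.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-constructed" Version="2.0">'
    "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>" % SAMLP
)


class SessionMappingStore:
    """Hypothetical model: service ticket -> local session, kept from login on."""

    def __init__(self):
        self._by_ticket = {}  # service ticket -> local session id
        self._sessions = {}   # local session id -> server-side session data

    def on_ticket_validated(self, ticket, session_id, user):
        # Recorded at login so a later logoutRequest can find the session.
        self._by_ticket[ticket] = session_id
        self._sessions[session_id] = {"user": user}

    def is_logged_in(self, session_id):
        # A browser may still send the cookie; only server-side state counts.
        return session_id in self._sessions

    def on_logout_request(self, body):
        """Return True if a session was destroyed, False if the request is ignored."""
        # Refuse DTDs up front: the request is untrusted XML from the network.
        if "<!DOCTYPE" in body or "<!ENTITY" in body:
            return False
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return False
        if root.tag != "{%s}LogoutRequest" % SAMLP:
            return False
        node = root.find("{%s}SessionIndex" % SAMLP)
        if node is None or not (node.text or "").strip():
            return False
        session_id = self._by_ticket.pop(node.text.strip(), None)
        if session_id is None:
            return False  # unknown or already logged-out ticket
        self._sessions.pop(session_id, None)  # invalidate the local session
        return True
```

With TRACE logging enabled, the two False paths (unparseable request, unknown ticket) are the cases worth looking for when the session survives a logout.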

You should check the documentation for one single CAS, which can be found here. It says:

Where single output works:

Clients / languages whose session management is supported on the server. CAS clients can then access session information session by session.

If single output does not work:

Clients / languages whose session management consists of cookies only. CAS does not have access to browser cookies and therefore cannot terminate the session. (However, closing the browser window should do that.)

And I think that is pretty much your case. It is not possible to execute SSout based on cookies, but if you can use a framework like Spring (as in our projects), SSout is easy to configure and is very convenient.

+3