Forcing logout with NativeSP

Stephen Chan sychan at lbl.gov
Fri Sep 30 07:59:21 BST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9/29/11 9:36 PM, Cantor, Scott wrote:
> Expiring the session is basically just the cookie. You could walk the
> set of cookies supplied to the page and clear them all. Or perhaps
> everything but the set your CMS is managing. I wouldn't ever document
> those cookies explicitly, but if you based it on the set that the
> client happened to supply you, clearing those would be guaranteed to
> include the SP cookie.

   I considered doing that earlier but wasn't sure if bypassing the
logout handler was well advised. So just clearing the cookies containing
"_shibsession_" would do the trick? I don't necessarily know all the
cookies generated by the app and its collection of subpackages.

> I don't think a feature that "protects" a URL with a logout is
> something very many people would use, but if you had in mind
> something like:
>
> <Location /applogout>
>     AuthType shibboleth
>     ShibRequestSetting requireLogout /applogout
>     require shibboleth
> </Location>
>
> i.e. If a session exists, redirect to default LogoutInitiator with
> "return" set to the final parameter, otherwise pass request through.
>
> That would be fairly simple to add. Weird, but not a major
> undertaking.
>
> But honestly I'm not sure a rewrite isn't just as simple, and it
> works now, with all SP versions.

   A rewrite rule can do the job, but then you have to craft the rewrite
rule to take into account the actual servername being used, the current
URL you are using, any parameters passed along in the query string. It
is all easy stuff, but lots of details with opportunities for typos, and
parsing rewrite rules is less intuitive than the sample directives you
listed above.

   Plus, there is a certain clean symmetry to having a logout redirect
as the complement to the login redirect. But in all honesty, if
_shibsession_ cookies can be targeted, I would happily avoid having to
redirect the browser.

   Steve
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6FaMkACgkQcVd2YI1BWAjAhwCcDeQnq0KJ7diF62y2JQZ/bGYH
rqUAoI/cK89rDS4pfbpsfZNNAB8+lbGX
=GH7d
-----END PGP SIGNATURE-----
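The cookie-clearing approach discussed above, as an added example that is not part of this thread and not code from the Shibboleth project: the application's logout page walks the cookies the client actually supplied and expires every one of them except the set the app manages itself, so the `_shibsession_` cookie is covered without the app having to know its full name. The app cookie names, the `_shibsession_` suffix and the sample Cookie header are constructed for the example; the assumption that the SP set its cookie with `Path=/` (the SP default) is noted in the code.

```python
from http.cookies import SimpleCookie

# Cookies the application manages itself and wants to survive the logout.
# These names are hypothetical, chosen for this example.
APP_COOKIES = frozenset({"cms_prefs", "csrf_token"})

# Shibboleth SP session cookies are named _shibsession_<hex id>; the
# suffix varies per application, so match on the prefix only.
SHIB_SESSION_PREFIX = "_shibsession_"

# Constructed sample Cookie header, as a browser might send it to the app.
# The _shibsession_ suffix and all values are made up for this example.
SAMPLE_COOKIE_HEADER = (
    "cms_prefs=dark; "
    "_shibsession_64656661756c74=_a1b2c3d4e5f6; "
    "_shibstate_1=relay; "
    "csrf_token=t0k3n; "
    "JSESSIONID=F00"
)


def client_cookie_names(cookie_header):
    """Names of every cookie the client supplied, in header order."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return list(jar.keys())


def cookies_to_clear(cookie_header, keep=APP_COOKIES):
    """Select the cookies to expire: everything the client sent except the
    app's own set. A _shibsession_ cookie is always selected, even if it
    somehow appears in `keep`, so the SP session cookie is never missed."""
    return [
        name for name in client_cookie_names(cookie_header)
        if name.startswith(SHIB_SESSION_PREFIX) or name not in keep
    ]


def expire_cookie_header(name, path="/", secure=True):
    """Set-Cookie value that tells the browser to discard `name`.

    Path (and Domain, if one was used) must match the attributes the SP
    set on the original cookie, or the browser keeps the live cookie and
    stores an empty one beside it. The SP sets Path=/ by default, which
    is assumed here.
    """
    parts = [f"{name}=", f"Path={path}",
             "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "Max-Age=0", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def logout_response_headers(cookie_header, keep=APP_COOKIES):
    """All Set-Cookie headers the app's logout page should emit."""
    return [("Set-Cookie", expire_cookie_header(n))
            for n in cookies_to_clear(cookie_header, keep)]


def shib_session_cleared(headers):
    """Sanity check for the logout page: at least one _shibsession_
    cookie is being expired in the response."""
    return any(
        value.startswith(SHIB_SESSION_PREFIX) and "Max-Age=0" in value
        for header, value in headers if header == "Set-Cookie"
    )


if __name__ == "__main__":
    for header, value in logout_response_headers(SAMPLE_COOKIE_HEADER):
        print(f"{header}: {value}")
```

Two caveats apply when the logout handler is bypassed this way. The browser must match the expiring Set-Cookie to the original cookie by name, Path and Domain, so the attributes in `expire_cookie_header` have to mirror what the SP used. And clearing the cookie only removes the browser's handle on the SP session; the SP's cached session and the IdP's own session are untouched, so a user who revisits a protected URL is simply redirected to the IdP again and may be signed back in without a prompt if the IdP session is still live.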
