Forcing logout with NativeSP
Stephen Chan
sychan at lbl.gov
Fri Sep 30 19:16:32 BST 2011
On Fri, Sep 30, 2011 at 10:14 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> You may not clean the cookie solely based on the name. I will not
> guarantee that the name will be the same, that's not a public API. If you
> don't know the other cookies enough to know which are which, then no, that
> would not work.
Okay - something to consider may be an attribute like
"Shib-sessionCookies" that enumerates the cookie names, so that apps
can clear them out "surgically". On the face of it, it seems easy to
implement.
> As far as what's advisable, if you don't care about freeing the session
> from memory before it's kicked out by heuristics, then clearing the cookie
> is enough to orphan the session.
Thanks. I may just take my chances with deleting any cookie that
isn't a PHP session cookie.
Steve
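
The approach described in the last reply (expire every cookie except the PHP session cookie, which orphans the SP session without freeing it from memory), as an added example that is not part of the original thread. The function names, the cookie path `/` and the sample header are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.

// Cookie names exactly as the browser sent them. The raw header is parsed
// because PHP rewrites '.' and ' ' in names to '_' when it fills $_COOKIE,
// and a rewritten name would not match the cookie the browser holds.
function cookie_names_from_header(string $header): array
{
    $names = [];
    foreach (explode(';', $header) as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '' && !in_array($name, $names, true)) {
            $names[] = $name;
        }
    }
    return $names;
}

// Everything the browser sent except the names in $keep.
function cookies_to_clear(string $header, array $keep): array
{
    return array_values(array_diff(cookie_names_from_header($header), $keep));
}

// Expire those cookies; call before any output is sent.
function clear_other_cookies(string $path = '/'): array
{
    $names = cookies_to_clear($_SERVER['HTTP_COOKIE'] ?? '', [session_name()]);
    foreach ($names as $name) {
        // A browser drops a cookie only when the path (and domain) match
        // those it was set with; '/' is an assumption about the deployment.
        setcookie($name, '', time() - 3600, $path);
    }
    return $names;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample header; the cookie names are made up.
    $sample = 'PHPSESSID=abc123; _shibsession_example=_0f3e; theme.color=dark';
    print_r(cookies_to_clear($sample, ['PHPSESSID']));
}
```

This also expires unrelated cookies set by other applications on the same host, which is the trade-off the poster accepts.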