Forcing logout with NativeSP

Stephen Chan sychan at
Fri Sep 30 19:16:32 BST 2011

On Fri, Sep 30, 2011 at 10:14 AM, Cantor, Scott <cantor.2 at> wrote:
> You may not clean the cookie solely based on the name. I will not
> guarantee that the name will be the same, that¹s not a public API. If you
> don't know the other cookies enough to know which are which, then no, that
> would not work.

   Okay - something to consider may be an attribute like
"Shib-sessionCookies" that enumerates the cookie names, so that apps
can clear them out "surgically". On the face of it, it seems easy to

> As far as what's advisable, if you don't care about freeing the session
> from memory before it's kicked out by heuristics, then clearing the cookie
> is enough to orphan the session.

   Thanks. I may just take my chances with deleting any cookies that
isn't a PHP session cookie.


More information about the users mailing list