Shibboleth & Wordpress Logout

Cantor, Scott cantor.2 at
Fri Nov 9 14:47:19 EST 2012

On 11/9/12 1:29 PM, "Chris Bland" <chris at> wrote:

>I have implemented Wordpress v3.4.1 & Shibboleth SP v2.5.0 using the
>Shibboleth module.  I have observed that SP and Wordpress session cookies
>are removed if a user logs out locally on the wordpress host but the
>Wordpress session cookies remain when I logout of Shibboleth from another
>SP.  I am trying to figure out what options I have to deal with this
>security issue.

Not doing SSO would be the primary option you have.

>  Are there any settings I have overlooked?  Is there an additional
>module I don't know about?

Please review the SLOIssues topic in the wiki for background on the issue.

>  Any suggestions on dealing with this vulnerability would be appreciated.

Logout is discussed constantly on this list and you can find hundreds of
messages in the archive about it, including a dozen in the last week.

-- Scott

More information about the users mailing list