paul.hethmon at clareitysecurity.com
Tue Nov 13 13:11:22 EST 2012
The two are orthogonal. A session will always be created, it may not
always be honored. A PreviousSession handler is necessary to honor any
session that might exist.
If you want to kill the user's session with the IdP, then you need to kill
the cookie. It's brute force, not officially supported, but it works.
Then you put up a page with both the blink and marquee tags telling the
user to close their browser. And hope.
On 11/13/12 1:07 PM, "Andrew Morgan" <morgan at orst.edu> wrote:
>On Tue, 13 Nov 2012, Cantor, Scott wrote:
>> On 11/13/12 12:48 PM, "Andrew Morgan" <morgan at orst.edu> wrote:
>>> If I turn off the PreviousSession Handler, will Shibboleth stop using
>>> IDP cookie, or does the IDP cookie have another purpose?
>> It means whether there's a session or not, it's not going to bypass any
>> login handlers.
>Sorry, I don't understand what you mean there. Let me rephrase... If I
>turn off the PreviousSession handler, is the "_idp_session" cookie still
>used? If the cookie is still used, what is it used for?
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
More information about the users