IDP logout.jsp

Paul Hethmon paul.hethmon at
Tue Nov 13 13:11:22 EST 2012

The two are orthogonal. A session will always be created, it may not
always be honored. A PreviousSession handler is necessary to honor any
session that might exist.

If you want to kill the user's session with the IdP, then you need to kill
the cookie. It's brute force, not officially supported, but it works.

Then you put up a page with both the blink and marquee tags telling the
user to close their browser. And hope.


On 11/13/12 1:07 PM, "Andrew Morgan" <morgan at> wrote:

>On Tue, 13 Nov 2012, Cantor, Scott wrote:
>> On 11/13/12 12:48 PM, "Andrew Morgan" <morgan at> wrote:
>>> If I turn off the PreviousSession Handler, will Shibboleth stop using
>>> IDP cookie, or does the IDP cookie have another purpose?
>> It means whether there's a session or not, it's not going to bypass any
>> login handlers.
>Sorry, I don't understand what you mean there.  Let me rephrase...  If I
>turn off the PreviousSession handler, is the "_idp_session" cookie still
>used?  If the cookie is still used, what is it used for?
> 	Andy
>To unsubscribe from this list send an email to
>users-unsubscribe at

More information about the users mailing list