Shib SP: how to prevent the user from initiating logout by entering URL in address bar?

Andrew Webb andrew.webb at statpro.com
Wed Jun 11 12:37:59 EDT 2014


A user can enter
https://mywebsite.domain.com/Shibboleth.sso/Logout?return=https%3a%2f%2Fwww.google.com%2f
in the address bar (or click on a link with this URL) to initiate a logout
from an SP.

How to prevent this?

Can (for example) the Shibboleth.sso/Logout endpoint be made to support POST
only, and not GET?


Andrew




