requestParameters getting lost during local storage interactions in custom logout flow

Cantor, Scott cantor.2 at
Thu Apr 11 12:33:08 EDT 2019

On 4/11/19, 11:00 AM, "users on behalf of Liam Hoekenga" <users-bounces at on behalf of liamr at> wrote:

> Would it be possible to get at the IDP session externally (from a CGI) and destroy it?  It seemed like the surest way to do
> that was to go through the IDP itself.

The only supported one, yes. Names of cookies are not public API. Also, with client storage it isn't really even possible to "fully" log somebody out if they're determined to get back in, unless that data is cleaned up. It depends why somebody wants to do logout, and usually the reasons are not compatible with the actual guarantees it provides.

Logout answers questions people don't have and doesn't answer the ones they do.

> I assume that if we using client storage, we could just kill the shib_idp_session_ss cookie / storage key w/o having to tie
> into an IDP functionality.

Not technically.

Also, using an iframe to do it will fail when third party cookies are off.

-- Scott

More information about the users mailing list