requestParameters getting lost during local storage interactions in custom logout flow
cantor.2 at osu.edu
Thu Apr 11 12:33:08 EDT 2019
On 4/11/19, 11:00 AM, "users on behalf of Liam Hoekenga" <users-bounces at shibboleth.net on behalf of liamr at umich.edu> wrote:
> Would it be possible to get at the IDP session externally (from a CGI) and destroy it? It seemed like the surest way to do
> that was to go through the IDP itself.
The only supported one, yes. Names of cookies are not public API. Also, with client storage it isn't really even possible to "fully" log somebody out if they're determined to get back in, unless that data is cleaned up. It depends why somebody wants to do logout, and usually the reasons are not compatible with the actual guarantees it provides.
Logout answers questions people don't have and doesn't answer the ones they do.
> I assume that if we using client storage, we could just kill the shib_idp_session_ss cookie / storage key w/o having to tie
> into an IDP functionality.
Also, using an iframe to do it will fail when third party cookies are off.
More information about the users