<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 9/29/11 9:36 PM, Cantor, Scott wrote:<br>
<span style="white-space: pre;">> Expiring the session is
basically just the cookie. You could walk the<br>
> set of cookies supplied to the page and clear them all. Or
perhaps<br>
> everything but the set your CMS is managing. I wouldn't ever
document<br>
> those cookies explicitly, but if you based it on the set that
the<br>
> client happened to supply you, clearing those would be
guaranteed to<br>
> include the SP cookie.</span><br>
<br>
I considered doing that earlier but wasn't sure if bypassing the
logout handler was well advised. So just clearing the cookies
containing "_shibsession_" would do the trick? I don't necessarily
know all the cookies generated by the app and its collection of
subpackages.<br>
<br>
<span style="white-space: pre;">> I don't think a feature that
"protects" a URL with a logout is<br>
> something very many people would use, but if you had in mind<br>
> something like:<br>
> <br>
> <Location /applogout><br>
>   AuthType shibboleth<br>
>   ShibRequestSetting requireLogout /applogout<br>
>   require shibboleth<br>
> </Location><br>
> <br>
> i.e. If a session exists, redirect to default LogoutInitiator
with <br>
> "return" set to the final parameter, otherwise pass request
through.<br>
> <br>
> That would be fairly simple to add. Weird, but not a major<br>
> undertaking.<br>
> <br>
> But honestly I'm not sure a rewrite isn't just as simple, and
it<br>
> works now, with all SP versions.</span><br>
<br>
A rewrite rule can do the job, but then you have to craft the
rewrite rule to take into account the actual servername being used,
the current URL you are using, any parameters passed along in the
query string. It is all easy stuff, but lots of details with
opportunities for typos, and parsing rewrite rules is less intuitive
than the sample directives you listed above.<br>
<br>
Plus, there is a certain clean symmetry to having a logout
redirect as the complement to the login redirect. But in all
honesty, if _shibsession_ cookies can be targeted, I would happily
avoid having to redirect the browser.<br>
<br>
Steve<br>
<br>
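Added example (not part of the original message and not Shibboleth project code): one way to clear only the cookies whose names start with "_shibsession_", working from the Cookie header the client supplied, as discussed in the thread. The function names, the Path=/ default and the sample header are assumptions made for illustration.<br>

```python
"""Expire Shibboleth SP session cookies named in a request's Cookie header."""
import re
from typing import List

SHIB_PREFIX = "_shibsession_"  # name fragment mentioned in the thread
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"
# The name is echoed back in a response header, so accept only plain tokens.
# This rejects CR/LF, spaces and separators that could split the header.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def cookie_names(cookie_header: str) -> List[str]:
    """Return the cookie names the client sent, in order, without duplicates."""
    names: List[str] = []
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        if SAFE_NAME.fullmatch(name) and name not in names:
            names.append(name)
    return names


def expiring_headers(cookie_header: str, path: str = "/",
                     secure: bool = True) -> List[str]:
    """Build Set-Cookie values that make the browser drop SP session cookies.

    A browser only replaces a cookie when the name and Path match the one it
    stored, so `path` must equal what the SP used (assumed to be "/" here).
    """
    headers = []
    for name in cookie_names(cookie_header):
        if not name.startswith(SHIB_PREFIX):
            continue  # leave CMS and other application cookies alone
        attrs = [f"{name}=", f"Expires={EPOCH}", "Max-Age=0", f"Path={path}"]
        if secure:
            attrs.append("Secure")
        headers.append("; ".join(attrs))
    return headers


# Constructed sample request header (values are made up, not from the thread).
SAMPLE = ("cms_sid=abc123; _shibsession_64656661756c74=_0f3c; "
          "theme=dark; _shibsession_64656661756c74=_0f3c")

if __name__ == "__main__":
    for value in expiring_headers(SAMPLE):
        print("Set-Cookie:", value)
```

This only tells the browser to drop the cookie; it does not invoke the SP's logout handler.<br>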
</body>
</html>