CAS logout and cookies elimination

Steve McQueen · Feb 24, 2012 · Viewed 11.7k times

I just made a HelloWorld servlet and implemented CAS on it. I'm able to log in without problem and CAS is setting 3 cookies in my browser: the CASGT, and 2 JSESSIONID, 1 for /cas and another for /helloWorld.

The problem is that when I access https://blah:8443/cas/logout, I see the logged out successfully screen but the cookies are still in my browser, so I'm not being logged out; I can get in again in /helloWorld without the login screen showing up.

Do you know what I should do for CAS to delete the cookies it created when I log out?

Thanks in advance

Answer

Infeligo · Feb 24, 2012

The CASGT cookie is set by CAS and should be unset by it. The CAS logout procedure works like this:

  1. You actually go to the CAS logout page. The page should know the application which you are logging out from. One way is to redirect to the CAS logout page from your application, supplying the redirect-back URL as a parameter.

  2. Your cookie is erased and you are then redirected to your application via a POST request.

  3. The SingleSignOutFilter catches a special parameter "logoutRequest" and actually destroys the ticket/session mapping that it held from the very beginning, and also invalidates the current session.

In order to debug CAS, enable TRACE level logging. This way you will know if the proper request was received or if the session has been invalidated.

I also advise you to look at the code of the org.jasig.cas.client.session package, which is quite simple.
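A model of the logout flow described in the answer, added here as an example that is not the CAS client's own code: it keeps the ticket-to-session mapping the filter builds when a ticket is validated and invalidates the application session only when the back-channel logoutRequest arrives, which is why visiting /cas/logout alone leaves /helloWorld logged in. The class and function names and the sample LogoutRequest XML are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

class AppSession:  # stand-in for the container's HttpSession (constructed for this model)
    def __init__(self, session_id):
        self.id, self.valid = session_id, True
    def invalidate(self):
        self.valid = False

class SessionMappingStorage:
    """Ticket -> session map the client filter fills when a ticket is validated."""
    def __init__(self):
        self._by_ticket = {}
    def add(self, ticket, session):
        self._by_ticket[ticket] = session
    def remove_by_ticket(self, ticket):
        return self._by_ticket.pop(ticket, None)

def session_index_from_logout_request(xml_text):
    """Pull the service ticket out of the SAML LogoutRequest that CAS posts back."""
    el = ET.fromstring(xml_text).find(f"{{{SAMLP_NS}}}SessionIndex")
    return el.text.strip() if el is not None and el.text else None

def single_sign_out_filter(storage, method, params, session):
    """Model of SingleSignOutFilter: record on ticket, destroy on logoutRequest."""
    if method == "GET" and "ticket" in params:
        storage.add(params["ticket"], session)  # remember which app session this ticket created
        return "recorded"
    if method == "POST" and "logoutRequest" in params:
        ticket = session_index_from_logout_request(params["logoutRequest"])
        target = storage.remove_by_ticket(ticket) if ticket else None
        if target is None:
            return "unknown-ticket"  # no mapping: nothing to invalidate, request is ignored
        target.invalidate()  # app session dies even though the browser still holds its JSESSIONID
        return "invalidated"
    return "pass-through"

LOGOUT_REQUEST = (  # constructed sample of the XML CAS sends in the logoutRequest parameter
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-demo" Version="2.0" IssueInstant="2012-02-24T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-demo</samlp:SessionIndex></samlp:LogoutRequest>'
)

def demo():
    storage, app_session = SessionMappingStorage(), AppSession("JSESSIONID-helloWorld")
    single_sign_out_filter(storage, "GET", {"ticket": "ST-1-demo"}, app_session)
    before = app_session.valid  # still valid: hitting /cas/logout alone never touches this session
    result = single_sign_out_filter(storage, "POST", {"logoutRequest": LOGOUT_REQUEST}, None)
    return before, result, app_session.valid
```

With TRACE logging enabled as the answer suggests, the real filter logs the same two events this model returns: the ticket being recorded and the session being invalidated.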