how to handle idle timeout in App?

[Yan Zhou]

Hi,

Two webapps, both protected by CAS.  user is in both apps via SSO.

when user idle timeout kicks in, he is also logged out of CAS, i believe this is the correct behavior. Otherwise, after idle timeout, simply accessing B will get user in right away, which is a security problem. say, User walks away, app's idle timeout kicks in, but SSO session is still valid, now, some one else comes and access the app, that person would be right in B without being prompted for credentials.

this brings up another usability problem.  say, user is busy in one app A and idle in the other app B.  B's idle timeout kicks in and also logged out of CAS. User remains in A, but when he access B, he is prompted for credentials (no SSO since CAS SSO session was already terminated).

is my understanding correct?

Thanks,

Yan

[Ray Bon]

Yan,

Single logout is messy business.

Cas has a session that is independent from an application session. Cas session may be longer or shorter than an application, it may have different settings and conditions for how its length is determined.

Application participation in single log out can be set in the service definition (or disabled globally).

Cas, by default, will send a logout request to each application under a ticket granting ticket. So if user logs out of an application and it sends the user to the cas logout page, cas will try to log user out of other applications. Whether those applications honour the logout request is up to the individual application.

So if application B idles out and sends a logout to cas, then cas sends a logout request to A; If A honours that request, then user could lose unsaved work.

When you refer to 'idle timeout', are you referring to cas session or application session?

When Cas session times out (idle timeout or otherwise), the TGT is removed, no single logout takes place (nor can it take place if requested by an application).

Ray

Single Log Out is not what you think it is; and it will never do what you want.

On Mon, 2024-03-25 at 12:35 -0700, Yan Zhou wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Yan]

Thanks, i think my understanding of SLO is correct.

The apps are looking to CAS to handle synchronized idle timeout.  for instance, i am in both A and B, i switch from A to B and stays in B for one hour.  A will idle timeout, but what they want is, if A and B are both up, as long as user is active in one app., user should be active in both.  This requires some kind of session manager, which is beyond CAS.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/ODAW7-hM5Dw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3c7d3fa7c1e5dff6f251addaf8246a66b67067cd.camel%40uvic.ca.