Hi there,

We have several apps using CAS 4.1.5. Different apps have different idle session timeout settings; some time out after 30 minutes, others after 1 hour, etc.

Two questions.

1. When a user logs out from a web app, it provides the best user experience if the app logs out the user AND logs out the CAS SSO session. Is that correct?
Personally, I would say yes. This generally leads you to turn off SLO. You may or may not want that. Ultimately, you decide what the best user experience should be.
Alternatively, if the app logs out but remains in the CAS SSO session, the user only needs to refresh the browser and he will be back in the app without logging in again. That sounds a little odd: you log out but do not have to log in.
Yes, because while your app session is gone, your CAS SSO session is there. Most apps typically display a logout screen describing that exact case to the user. “Dear user, you logged out…but not really!”. Of course, that might also be terribly confusing. You decide.
2. When a user times out (idle timeout) in an app, it seems that a refresh of the browser will get the user back into the app. What is the best way to implement application idle timeout?

One that I would suggest is to require that all apps have the same idle CAS session timeout. CAS default is 2 hours, but we can require all apps and CAS to agree on a value. Is that best practice?
That’s mostly what I have been discussing with folks. Synchronize timeouts across all apps, and agree on a reasonable policy.
Can anyone lead me to some CAS best practice on this subject?

Thanks,
Yan