DISSESSIONAuthnDelegation Cookie Not Cleared on Logout

Bobby Esfandiari

Feb 28, 2025, 9:41:45 PM
to CAS Community
Recently I noticed that CAS would attempt to perform a delegated auth logout by redirecting to the external identity provider, even though the user was authenticated via our database.

I have CAS 7.0.4 set up for database authentication as well as delegated auth to Azure.

This issue led me to the discovery of the DISSESSIONAuthnDelegation cookie, which, if present, seems to cause logouts to go through the delegated auth flow. Otherwise, things proceed normally.

I tracked the creation of the cookie to DelegatedAuthenticationEventExecutionPlanConfiguration.java, but I cannot find it referenced in the docs. I'm also unable to find any configuration to clean it up properly. Since it is set to HttpOnly, I also cannot manually remove it using JavaScript.

Any help/info would be appreciated.

Florian Nari

Mar 18, 2025, 1:23:10 PM
to CAS Community, Bobby Esfandiari
I had noticed the same problem (and so configured `Header add Set-Cookie "DISSESSIONAuthnDelegation=\"\"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas"` in the Apache proxy).

But now in 7.1.5, the Apache conf is no longer necessary and I get `set-cookie DISSESSIONAuthnDelegation=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly` when I log out.
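
A check for the behaviour discussed in this thread, added here as an example and not code from CAS or from either poster: given the Set-Cookie values of a logout response, it reports whether DISSESSIONAuthnDelegation is actually expired on the Path it was set on. The function names and the `WRONG_PATH` sample are assumptions made for illustration; the other two header values are the ones quoted above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "DISSESSIONAuthnDelegation"  # cookie name from the thread

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_expired(attrs, now):
    """Max-Age takes precedence over Expires (RFC 6265); either can delete."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # unparsable Max-Age is ignored, fall back to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False  # no expiry attribute: this header sets a session cookie

def logout_clears_cookie(set_cookie_headers, path="/cas", now=None):
    """True only if some header expires COOKIE with the Path it was set on."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == COOKIE and attrs.get("path") == path and is_expired(attrs, now):
            return True
    return False

# Header values quoted in the thread (Apache workaround, CAS 7.1.5 logout response)
APACHE = 'DISSESSIONAuthnDelegation=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas'
CAS_715 = ("DISSESSIONAuthnDelegation=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:10 GMT; "
           "Path=/cas; Secure; HttpOnly")
# Constructed: expiry sent on a different Path, which leaves the /cas cookie in place
WRONG_PATH = "DISSESSIONAuthnDelegation=; Max-Age=0; Path=/"
```

Feed it the `Set-Cookie` values captured from a logout response; an empty list or a mismatched Path returns `False`, meaning the browser would keep the cookie.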