1

I am using phpCAS (v 1.3.2) on my app. I wanted to do a periodic check against the CAS server to determine if the user has been logged out by other participating SSO apps. However, whenever I do a phpCAS::checkAuthentication() or phpCAS::forceAuthentication(), it would always return authenticated even if some other apps already logged out or even if I do a direct logout with the CAS server's logout url/link. I see that it is because the local session is still present, so it does not bother to do a check against the server. Is it the responsibility of the other apps to destroy this session?

The other way is working perfectly - that is, I do a logout on my app (w/c is using phpCAS) then I also get logged off with the other participating sso apps and even at the server's portal. By the way, I have tried all examples the CAS library provided. None worked.

What am I missing ?

turkongwalayr
  • 33
  • 1
  • 7

1 Answers1

2

Instead of actively checking the CAS server, you should listen for notifications from the CAS server that a user has logged out. To do this, you need to implement single sign out. There is an example of how to do this in phpCAS: simply add phpCAS::handleLogoutRequests(false); to your login script, before the call to phpCAS::forceAuthentication().

jake stayman
  • 1,687
  • 13
  • 22
  • ¿Can the client actively check the CAS server to verify if the user is logged in there (in the server)? I dont see a way to accomplish this as all `phpCAS` methods check against the local session (`isAuthenticated()`, `isSessionAuthenticated()`, `checkAuthentication()`, `forceAuthentication()`,...) ¿what if the CAS server doesnt have Single Sign out enabled? – raguchi Nov 17 '22 at 11:24