8

I just made a HelloWorld servlet and implemented CAS on it. I'm being able to log in without problem and CAS is setting 3 cookies in my browser, the CASGT, and 2 JSESSIONID 1 for /cas and another for /helloWorld

The problem is that then I access https://blah:8443/cas/logout, I see the logged out succesfuly screen but the cookies still are in my browser, so I'm not being loged out, I can get in again in /helloWorld without the login screen showing up.

Do you know what should I do for CAS to delete the cookies it created when I log out?

Thanks in advance

Steve McQueen
  • 81
  • 1
  • 1
  • 2

2 Answers2

7

CASGT cookie is set by CAS and should be unset by it. CAS logout procedure works like this:

  1. You actually go to CAS logout page. The page should know the application which you are logging out from. One way is to redirect to CAS logout page from your application, supplying the redirect-back URL as a parameter.

  2. Your cookie is erased and you are then redirected to your application via POST request.

  3. SingleSignOutFilter catches a special parameter "logoutRequest" and actually destroys the ticket/session mapping that it held from the very beginning and also invalidates current session.

In order to debug CAS, enable TRACE level logging. This way you will know if proper request was received or if session has been invalidated.

I also advice you to look at the code of org.jasig.cas.client.session package, which is quite simple.

Infeligo
  • 11,715
  • 8
  • 38
  • 50
  • 2
    Thanks a lot for your suggestions Infeligo, they didn't solve my issue but helpmed me discover what was going wrong. The problem I had was one of SSL configuration, the logout screen was being called on http so the browser wasn't sending the CASGT cookie, so CAS server does nothing except of showing a screen saying logout successful. – Steve McQueen Feb 28 '12 at 18:38
  • You have to implement some custom code at CAS server side in order to delete your custom cookies after successful logout – alexanoid Jan 27 '16 at 13:27
4

You should check the documentation on CAS single sign out which can be found here. It says:

Where Single Sign Out Works:

Clients / Languages whose session management is maintained on the server side. CAS clients can then access session information to end the session.

Where Single Sign Out Doesn't Work:

Clients / Languages whose only session management consists of cookies. CAS does not have access to the browser's cookies and cannot therefore terminate a session. (however, closing a browser window should do that)

And I think that's pretty much your case. Cookie based it's not possible to do a SSout, but if you can use a framework like Spring (as we do in our projects) the SSout is easy to configure and comes in very handy

Hons
  • 3,804
  • 3
  • 32
  • 50