[Freeipa-users] unable to logout of IPA
Dmitri Pal
dpal at redhat.com
Sat Sep 8 00:05:00 UTC 2012
On 07/27/2012 10:30 AM, Petr Spacek wrote:
> On 07/27/2012 03:28 PM, John Dennis wrote:
>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> I'm not sure if this is relevant, but Firefox preserves session
>>> cookies across browser restarts. This was discussed on the Security
>>> Now! podcast recently:
>>>
>>> http://www.grc.com/sn/sn-360.htm
>>>
>>> Search for 'sessionstore' and read a little before and after.
>>>
>>> Are session cookies relevant for kerberos authentication?
>>
>> It's only tangentially relevant. IPA does use session cookies. IPA
>> logout
>> destroys the session on the server making the session cookie stored
>> in the
>> browser invalid.
>>
>> However, SSO (Single Sign-On) continues to work as it's supposed to.
>> As long
>> as you have valid credentials in your kerberos cache you'll be
>> automatically
>> logged in (albeit with a brand new session and session cookie). All
>> this is by
>> design.
>>
>> You can logout of IPA which destroys your session, but unless you
>> also destroy
>> your credentials the automatic SSO process will be applied the next
>> time you
>> visit the web UI.
>>
>>
> Would it be possible to add "login as another user" functionality? I
> mean "destroy session && ignore any Kerberos tickets && start
> form-based auth"?
>
> IMHO it could be handy, at least for demonstration purposes.
>
Please log a ticket.
> Petr^2 Spacek
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list