
shibboleth-dev - Re: Proposal for adding session management functions to Shib

Subject: Shibboleth Developers

  • From: "David L. Wasley" <>
  • To: Chad La Joie <>,
  • Subject: Re: Proposal for adding session management functions to Shib
  • Date: Sat, 3 Jul 2004 09:50:11 -0700

One of our campuses has a similar requirement for "user initiated total logout". However, that's quite different than a timeout that forces such a total logout. I think such timeouts should be done by the apps if they need it.

A validity period for an ISO is probably a good thing but it doesn't mean that sessions already established must be terminated - merely that new sessions can't be started without reauthN. Presumably the authN was valid when the existing sessions started.

I do think that a user initiated "total logout" is a useful feature.

David

-----
At 1:51 AM -0700 on 7/3/04, Chad La Joie wrote:

We actually do something a bit different. Our WebISO can be aware of whether you logged in from a "public" system or a "private" one and adjust the session timeouts accordingly. The reason we try to force this session timeout is because a lot of apps don't do it or have way too long of a timeout. So this sort of model allows us to impose better practices than might otherwise be followed. The other reason, and probably the more important one for this discussion, is that if a user clicks the "log me out of everything" link that appears in our webapps, the WebISO needs a way to tell all the apps a user is logged into to log that user out.

Now, as I said, if an app doesn't want to have our WebISO tell it when to log a user out, for whatever reason, it can simply drop the message and do nothing. I think though that you really want the ability to do this. We got hammered on this issue for a while by our users because they wanted to see it. It was kind of the thought that single sign-on is supposed to make their lives easier, so make it as easy as possible by going this extra step.

David L. Wasley wrote:



