[Freeipa-users] unable to logout of IPA
John Dennis
jdennis at redhat.com
Fri Jul 27 13:28:05 UTC 2012
On 07/27/2012 02:06 AM, Dan Scott wrote:
> Hi,
>
> I'm not sure if this is relevant, but Firefox preserves session
> cookies across browser restarts. This was discussed on the Security
> Now! podcast recently:
>
> http://www.grc.com/sn/sn-360.htm
>
> Search for 'sessionstore' and read a little before and after.
>
> Are session cookies relevant for kerberos authentication?
It's only tangentially relevant. IPA does use session cookies. IPA
logout destroys the session on the server making the session cookie
stored in the browser invalid.
However, SSO (Single Sign-On) continues to work as it's supposed to. As
long as you have valid credentials in your kerberos cache you'll be
automatically logged in (albeit with a brand new session and session
cookie). All this is by design.
You can logout of IPA which destroys your session, but unless you also
destroy your credentials the automatic SSO process will be applied the
next time you visit the web UI.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list