[Freeipa-users] unable to logout of IPA

Petr Spacek pspacek at redhat.com
Fri Jul 27 14:30:10 UTC 2012


On 07/27/2012 03:28 PM, John Dennis wrote:
> On 07/27/2012 02:06 AM, Dan Scott wrote:
>> Hi,
>>
>> I'm not sure if this is relevant, but Firefox preserves session
>> cookies across browser restarts. This was discussed on the Security
>> Now! podcast recently:
>>
>> http://www.grc.com/sn/sn-360.htm
>>
>> Search for 'sessionstore' and read a little before and after.
>>
>> Are session cookies relevant for Kerberos authentication?
>
> It's only tangentially relevant. IPA does use session cookies. IPA logout
> destroys the session on the server, making the session cookie stored in the
> browser invalid.
>
> However, SSO (Single Sign-On) continues to work as it's supposed to. As long
> as you have valid credentials in your Kerberos cache, you'll be automatically
> logged in (albeit with a brand new session and session cookie). All this is by
> design.
>
> You can log out of IPA, which destroys your session, but unless you also destroy
> your credentials the automatic SSO process will be applied the next time you
> visit the web UI.
>
>
Would it be possible to add "login as another user" functionality? I mean 
"destroy session && ignore any Kerberos tickets && start form-based auth"?

IMHO it could be handy, at least for demonstration purposes.

Petr^2 Spacek



