[Freeipa-users] unable to logout of IPA

Petr Spacek pspacek at redhat.com
Mon Sep 10 08:26:10 UTC 2012


On 09/08/2012 02:05 AM, Dmitri Pal wrote:
> On 07/27/2012 10:30 AM, Petr Spacek wrote:
>> On 07/27/2012 03:28 PM, John Dennis wrote:
>>> On 07/27/2012 02:06 AM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> I'm not sure if this is relevant, but Firefox preserves session
>>>> cookies across browser restarts. This was discussed on the Security
>>>> Now! podcast recently:
>>>>
>>>> http://www.grc.com/sn/sn-360.htm
>>>>
>>>> Search for 'sessionstore' and read a little before and after.
>>>>
>>>> Are session cookies relevant for Kerberos authentication?
>>>
>>> It's only tangentially relevant. IPA does use session cookies. IPA logout
>>> destroys the session on the server, making the session cookie stored in the
>>> browser invalid.
>>>
>>> However, SSO (Single Sign-On) continues to work as it's supposed to. As long
>>> as you have valid credentials in your Kerberos cache you'll be automatically
>>> logged in (albeit with a brand new session and session cookie). All this is by
>>> design.
>>>
>>> You can log out of IPA, which destroys your session, but unless you also destroy
>>> your credentials the automatic SSO process will be applied the next time you
>>> visit the web UI.
>>>
>>>
>> Would it be possible to add "login as another user" functionality? I
>> mean "destroy session && ignore any Kerberos tickets && start
>> form-based auth"?
>>
>> IMHO it could be handy, at least for demonstration purposes.
>>
>
> Please log a ticket.
>
https://fedorahosted.org/freeipa/ticket/3064

Petr^2 Spacek



