CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multiple cosign configuration and runtime issues

Yup, that's a known issue. What you're seeing is the service-side caching of the service cookie. After the service does a CHECK of your cosign-service cookie it sticks a copy in /var/cosign/filter (or whatever you've configured) so it won't have to talk to the cosign servers again for 2 minutes (the default, can be changed to suit your needs).

in scripts/logout/ (in the cosign source distribution) you'll find a that will:

     (1) expire the service-specific cookie
     (2) redirect the user on to your central logout URL

so that after the user logs out they will not still have a (temporarily) valid cosign-service cookie in their browser.

Does that clear things up at all? :)


On Nov 11, 2004, at 6:39 PM, Ben Poliakoff wrote:

* johanna bromberg craig <canna@xxxxxxxxx> [041110 17:04]:

My CosignCrypto looks like this:

CosignCrypto    /var/cosign/certs/key.pem /var/cosign/certs/cert.pem

Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem?

yes, you are 100% correct. This is why i think it's the logout cgi. :)

You mean things don't work well if you're using a 1.7.0 cosign.cgi with an older logout cgi? :o

Um, yes that seems to be the bulk of the problem <sheepish_blink>.  Oh
dear oh dear oh dear.

Well with *that* out of the way things seem to be working a *lot*
better.  Logouts generate no longer generate errors (and none of those
silly symlinks are needed).  My cosign cookies are working on the
weblogin server itself as well as on a separate server.

Thanks for your patience!

I do notice a variable delay of a few seconds to a few minutes for
logout actually takes effect (i.e. after I logout I can still access a
cosignprotected location for as long as a couple minutes).  It doesn't
seem to be related to browser caching.  Is this a known issue?



... "you can't give yourself a nickname." ...

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010