Forum OpenACS Q&A: Re: How to expire session on the server side?

Posted by Dave Bauer on
Nima said: "The one important thing is that during a logout CAS notifies all third systems to log out the user. If we have a cookie-based system this won't work, because the browser cookie of the user is not invalidated by the system, since the system is notified by CAS on the server side. Therefore you have to make sure you invalidate the user's cookies on the next request."

This will work. The cookies are invalidated on the server side. Each cookie is hashed with an authentication token. The token on the server side is changed by sec_change_user_auth_token, which means the next time the cookie is checked, it will not match and the user will be forced to log in. Note the documentation string "Change the user's auth_token, which invalidates all existing login cookies." If this doesn't work, it's a bug in OpenACS and should be fixed.
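The mechanism Dave describes, as an added example that is not part of the original post and not OpenACS's own code: the cookie carries a MAC computed over the user id and the user's server-side auth_token, so rotating that token (the role sec_change_user_auth_token plays in OpenACS) makes every previously issued cookie fail verification on its next use, with no need to reach the browser. The user table, server secret and function names here are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user table": the per-user auth_token lives only on the server.
USERS = {42: {"auth_token": secrets.token_hex(16)}}
# Constructed server-side key for the MAC; in a real deployment this is a managed secret.
SERVER_SECRET = b"constructed-demo-secret"


def _mac_for(user_id: int) -> str:
    """MAC over (user_id, current auth_token); binds the cookie to the token's current value."""
    msg = f"{user_id}:{USERS[user_id]['auth_token']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user_id: int) -> str:
    """Build the login cookie handed to the browser: '<user_id>,<mac>'."""
    return f"{user_id},{_mac_for(user_id)}"


def check_cookie(cookie: str):
    """Return the user_id if the cookie matches the user's *current* auth_token, else None."""
    try:
        uid_str, mac = cookie.split(",", 1)
        user_id = int(uid_str)
    except ValueError:
        return None  # malformed cookie
    if user_id not in USERS:
        return None
    # Constant-time comparison so verification timing does not leak MAC bytes.
    return user_id if hmac.compare_digest(mac, _mac_for(user_id)) else None


def change_user_auth_token(user_id: int) -> None:
    """Server-side logout: rotate the token so every existing cookie for this user stops matching."""
    USERS[user_id]["auth_token"] = secrets.token_hex(16)


def demo():
    """Issue a cookie, verify it, rotate the token, verify again: (42, None) is expected."""
    cookie = issue_cookie(42)
    before = check_cookie(cookie)      # valid: 42
    change_user_auth_token(42)         # what a CAS-triggered logout would call
    after = check_cookie(cookie)       # same cookie now rejected: None
    return before, after
```

The browser still holds the old cookie after rotation, but the server treats it as unauthenticated on the next request, which is exactly the behaviour the post relies on.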