Logout action #48

Open
pencil opened this issue Dec 4, 2012 · 5 comments


pencil commented Dec 4, 2012

Implement a logout handler which deletes the local CAS session and redirects to the global CAS logout page.

@calmyournerves

👍


ikogan commented Dec 11, 2015

I've implemented this functionality in https://github.com/ikogan/mod_auth_cas/tree/v1.1. It isn't very well tested yet though. I have a PR open here dhawes#5 which we'll hopefully get merged all the way down to here at some point.

There are some RPMs available as well: https://github.com/ikogan/mod_auth_cas/releases/tag/v1.1.1.


ruckc commented Jan 30, 2020

It would be beneficial to get a logout endpoint that just destroys the server's session, as JavaScript can't see the MOD_AUTH_CAS_S cookie when HttpOnly is set, and when Apache tries to delete the cookie with Set-Cookie, mod_auth_cas gets confused and overwrites the Location header with a redirect to /cas/login?service=https://example.com/api/logout. Even putting /api/logout behind a <Location /api/logout>CASGateway On</Location>, it seems to trigger the Location header modification.

Contributor

dhawes commented Feb 4, 2020

This is an overly simplistic implementation that expires the cookie and redirects:

https://github.com/dhawes/mod_auth_cas/tree/cas-logout-tests

<Location /logout>
    CASLogout On
</Location>

Is this the basic functionality that people want?



ruckc commented Feb 8, 2020

Yes, that is the basic functionality. I ended up getting it working with server-side code using Set-Cookie to delete the user's cookie in the browser. Though killing the session in mod_auth_cas ensures it can't be resumed through cookies leaking out of the browser somehow.
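
Added example, not part of the thread and not mod_auth_cas code: a toy Python model of the distinction raised in the last comment, comparing a logout that only expires the MOD_AUTH_CAS_S cookie with one that also destroys the server-side session. `SessionStore`, `logout`, `replay_succeeds` and the `cas.example.com` URL are hypothetical names and placeholders; the `service` parameter on the CAS logout URL is an assumption about the deployment.

```python
# Toy model (added illustration): why logout should destroy the server-side
# session and not only expire the browser cookie.
import secrets
from urllib.parse import urlencode

COOKIE_NAME = "MOD_AUTH_CAS_S"                         # cookie name from the thread
CAS_LOGOUT_URL = "https://cas.example.com/cas/logout"  # placeholder, assumed

class SessionStore:
    """Hypothetical stand-in for the module's local session cache."""
    def __init__(self):
        self._sessions = {}                  # session id -> username

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)       # None once destroyed

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def expire_cookie_header():
    # Max-Age=0 asks the browser to drop the cookie; Path (and Domain, if set)
    # must match the original. Copies held outside the browser are unaffected.
    return ("Set-Cookie", f"{COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly")

def logout(store, cookies, service_url, destroy_server_session=True):
    """Return (status, headers) for a request to the logout location."""
    sid = cookies.get(COOKIE_NAME)
    if sid and destroy_server_session:
        store.destroy(sid)                   # local session is gone for good
    location = CAS_LOGOUT_URL + "?" + urlencode({"service": service_url})
    return 302, [expire_cookie_header(), ("Location", location)]

def replay_succeeds(store, leaked_sid):
    # Models a later request carrying a cookie value copied before logout.
    return store.lookup(leaked_sid) is not None

def demo():
    """Map destroy_server_session -> whether a copied cookie still works."""
    store, results = SessionStore(), {}
    for destroy in (False, True):
        sid = store.create("alice")          # constructed sample user
        logout(store, {COOKIE_NAME: sid}, "https://example.com/", destroy)
        results[destroy] = replay_succeeds(store, sid)
    return results
```

With cookie expiry alone the copied session id is still accepted; once the server-side entry is destroyed, the same value is rejected.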
