本文介绍了Jasig CAS SSO .NET客户端未从其他应用程序注销的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用Jasig CAS .NET客户端通过服务器上的SSO在我的应用程序中进行身份验证.我已经按照文档中的说明实施了所有操作,并在所有控制器中添加了[授权].

I am using the Jasig CAS .NET client to authenticate in my application using SSO from a server. I have implemented everything just like the documentation says and added [Authorize] in all my controllers.

登录在我的应用程序以及我要与之集成的应用程序中都可以正常工作.我可以从任何一个应用程序登录,并且用户已通过身份验证.

Log in is working fine from my app and the one I'm trying to integrate with. I can log in from either app and the user is authenticated.

问题出在注销上.如果我从其他应用程序注销,则该用户仍然可以访问我的应用程序.

The problem is with the log out. If I log out from the other app, the user will still have access in my application.

这是因为CAS注销无法删除cookie吗?还是我做错了什么?

Is this because CAS log off can't delete the cookies? Or am I doing something wrong?

推荐答案

由于身份验证信息存储在cookie中,并且您的Web应用程序(或.NET CAS客户端)未检查,因此您仍登录到Web应用程序在每个页面上,询问您是否仍在登录CAS服务器. cookie一直用于该过程,直到过期为止.

You are still logged in to your web app because the authentication information is stored in a cookie and your web app (or the .NET CAS client) does not check on every page request whether you're still logged in on the CAS server. The cookie is used for that until it expires.

因此,基本上,CAS服务器必须具有单一登录" 页面,该页面将从使用该CAS服务器的所有Web应用程序(包括您的Web应用程序)中注销用户.必须将CAS服务器配置为在您的Web应用程序中调用注销页面,从而转而放弃ASP.NET会话并删除身份验证cookie. CasAuthentication.SingleSignOut()方法为您完成此操作.

So basically the CAS server has to have a Single Sign-Out page which logs out the user from all web applications using that CAS server, including yours. The CAS server has to be configured to call a Logout page in your web app, which in turn abandons the ASP.NET session and deletes the authentication cookie. The CasAuthentication.SingleSignOut() method does this for you.

这篇关于Jasig CAS SSO .NET客户端未从其他应用程序注销的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-22 20:16