
Shibboleth has a problem with logging out: with the current version, there’s no way to do it!

 

It’s a known problem. While there are some workarounds, the only one that is acceptable to me is to have the user close out all browser windows. This clears a session cookie named _shibsession_random-id-goes-here.

 

Chrome adds a twist: closing all Chrome windows no longer clears session cookies! A Chrome process remains running, the “background pages/apps” part, so the cookies persist.

 

I don’t think it is reasonable to expect the average user to know this. Therefore, we may need to anticipate the lowest common denominator with Shibboleth, which is that user sessions will persist as long as the user is logged into the PC.

 

Does this mean we cannot use Shibboleth for web apps that may be used on shared PCs where consecutive users aren’t separated by a log out/log in or reboot?

 

Aren Cambre, '99, '03
Team Lead, Web Technologies Team
Office of Information Technology
Southern Methodist University

 

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

I found out about the issue with Chrome while demonstrating single sign-on and Shibboleth. I think it is a huge issue for students and security. Our lab computers and kiosks do a reboot after logout so we are good here, but still a big security issue in my book. Chrome is a popular browser. I agree that it is not a reasonable expectation for students to know this.


Kevin Reeve
Utah State University

From: "Cambre, Aren" <acambre@MAIL.SMU.EDU>
Reply-To: The EDUCAUSE Web Portals Constituent Group Listserv <PORTALS@LISTSERV.EDUCAUSE.EDU>
Date: Tue, 5 Nov 2013 17:54:14 +0000
To: <PORTALS@LISTSERV.EDUCAUSE.EDU>
Subject: [PORTALS] Shibboleth and log out


Here is an excellent document on Shib and logout:

Thanks,
MRA



Mark R. Albert
Director, University Web Services
Division of Information Technology
The George Washington University
Enterprise Hall, 340E
44983 Knoll Square
Ashburn, VA 20147
703-726-8393
717-398-8085


Thanks, Mark. I did a couple of variants on that.

 

The summary recommendation is near the bottom: “If you can get the SP's to close their session on browser close, then it's the perfect solution, one that doesn't side-step Shibboleth's design. If you can't get the SP to close their session on browser close, simply shortening the session lifetime can do a lot to create secure sessions. Of course, training users to logout of the application and close their browsers, will completely solve the problem too--though less reliably.”

 

I just don’t see how to reliably do this with Chrome and with no way to invalidate the auth on the server side.

 

Aren
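
The "shorten the session lifetime" advice quoted above, sketched as Shibboleth SP configuration. This is an added example, not part of the thread or of the document it refers to; the shortened values are assumptions to be tuned per application.

```xml
<!-- shibboleth2.xml on the Service Provider, inside <ApplicationDefaults>.
     Both attributes are in seconds and are enforced by the SP's own
     session cache, so they apply even when the browser keeps the
     _shibsession_ cookie after its windows are closed. -->

<!-- Before (commonly shipped defaults): a session lasts up to 8 hours
     and survives 1 hour of inactivity.
     Sessions lifetime="28800" timeout="3600" -->

<!-- After (illustrative values for apps used on shared PCs):
     lifetime = hard cap on session age, 1 hour
     timeout  = inactivity limit, 10 minutes -->
<Sessions lifetime="3600" timeout="600"
          checkAddress="false" handlerSSL="false">
    <!-- existing child elements (SSO, handlers, etc.) stay unchanged -->
</Sessions>
```

When the SP session expires the browser is sent back to the IdP, so the IdP's own SSO session length has to be limited as well; otherwise the user is signed back in without a prompt.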

 

From: The EDUCAUSE Web Portals Constituent Group Listserv [mailto:PORTALS@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Albert
Sent: Tuesday, November 5, 2013 2:17 PM
To: PORTALS@LISTSERV.EDUCAUSE.EDU
Subject: Re: [PORTALS] Shibboleth and log out

 


 

Meant “I did find a couple of variants”. :)

 

From: The EDUCAUSE Web Portals Constituent Group Listserv [mailto:PORTALS@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cambre, Aren
Sent: Tuesday, November 5, 2013 2:31 PM
To: PORTALS@LISTSERV.EDUCAUSE.EDU
Subject: Re: [PORTALS] Shibboleth and log out

 


 
