Question

We have Sessions enabled

$TWiki::cfg{UseClientSessions} = 1;
$TWiki::cfg{Sessions}{ExpireAfter} = 21600;
$TWiki::cfg{Sessions}{IDsInURLs} = 0;
$TWiki::cfg{Sessions}{UseIPMatching} = 1;
$TWiki::cfg{Sessions}{MapIP2SID} = 0;

Users authenticate through SSO and it is possible to logout off SSO via a web page logout button.

How is possible to remove/delete the session and thus allowing a complete logout from TWiki.

It appears that if I close the browser and restart a new one TWiki still recognizes me from my previous session.

Environment

-- PeterJones - 28 Sep 2007

Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

Sorry, I have to guess a bit:

• I assume that you are using some cookie-based SSO authentication scheme, i.e. neither mod_ntlm nor mod_auth_kerb or similar Apache modules.
• I guess the "web page logout button" is TWiki's, and not related to your authentication scheme.

If both these assumptions are correct, I guess that your SSO mechanism uses a "permanent" cookie, but the TWiki logout link is just deleting the session cookie created by TWiki itself. In that case it would be helpful to know which mechanism you are using - the solution may lie outside TWiki!

-- HaraldJoerg - 28 Sep 2007

On the other hand, If Harald's assumptions are incorrect, and you are loggin off usig the SSO's web page, you will then need to write some code in TWiki, so that it notices it. Basically, a little bit of code in the usermapping. But we will need more details to discuss this further.

-- SvenDowideit - 28 Sep 2007

Yes we are logging off using SSO's web page, which is outside of TWiki. We are using the REMOTE_USER variable returned by SSO to map to TWikiUsers.txt

-- PeterJones - 02 Oct 2007

Sorry, closing this after more than 30 days of inactivity. Please feel free to re-open if needed.

-- PeterThoeny - 02 Dec 2007