[pubcookie-dev] Single Sign Out

[Bradley Schwoerer]

On 6/22/06 12:23 PM, "Stephen C. Losen" <scl at sasha.acc.Virginia.EDU> wrote:

> 
>> 
>>>> The thought is to have on full logout, it to add hidden iframes on the
>>>> logout page that will have the location be the
>>>> redirect_url?appid=appid&action=logout
>>>> (href="https://myapp.univ.edu/pubcookie.reply?appid=MyApp&action=logout").
>>> 
>>> The approach taken by (one of) Oracle's single signon products is for the
>>> logout page to request an image from each remote service and to display it
>>> against the service name. Requesting the image causes the logout and its
>>> successful display (I think it's something like a tick) confirms that it
>>> worked. Text on the logout pages says something like "Here are the servers
>>> you were using. A tick implies that you have been logged out, anything else
>>> (like a broken image icon) indicates failure". Quite what users should, or
>>> will, do on failure is unclear.
>> 
>> Not everyone loads images, in particular people who don't see well
>> and use screen readers.  People using mobile devices with small screens
>> may often disable images as well.
>> 
>> Jim
> 
> I think that there are some limitations with iframes and cookies.
> Some browsers get kind of paranoid sending and/or receiving
> cookies from apps in iframes.  Maybe this doesn't apply to the
> single sign off situation, but we had trouble running the
> pubcookie login cgi in an iframe because at least one popular
> browser (IE maybe) refused to cooperate.
> 

True, I forgot about that.  Cookies can't be set on the initial page in an
iframe with ie6.  Interesting enough, on subsequent page loads it can set
cookies. I am sure it is a feature, not a bug ;).  On a side note, you can
have iframes be applications with different AppIDs and the such, you just
need to use the POST LoginMethod.


-Bradley


> 
> 
> 
> Steve Losen   scl at virginia.edu    phone: 434-924-0640
> 
> University of Virginia               ITC Unix Support
> 
>