Symantec Access Management

  • 1.  Unable to protect the logout page.

    Posted Sep 21, 2015 06:38 AM

    I am trying to protect the logout page from unauthenticated access. Only the logged-in user should be able to see the information on the logout page. But what's happening here is that just by entering the logout page URI it directs to the same page, whereas it should redirect me to the home page since I am not authenticated.

    My config is like this: I have two servers (agents), and for one of the agents I have configured the LogOffURI in the ACO. Now I created a realm to protect that as a resource. But it doesn't seem to work.

    What could have gone wrong? Will be very helpful if someone could explain.



  • 2.  Re: Unable to protect the logout page.

    Posted Sep 21, 2015 09:24 AM

    Ideally we never protect a logoff page. If the purpose of the page is to log off a session, why would we increase the processing by protecting it, thus invariably engaging the WebAgent to validate the session? It is just too much overhead unless you could state a valid security use case that presents a loophole and hence the need to protect the logout page.


    Regards,

    Hubert



  • 3.  Re: Unable to protect the logout page.

    Posted Sep 21, 2015 11:45 AM

    Hi Hubert,

    Isn't it weird for a user to be able to view the successful logout message without any proper access to any of the applications?

    If an application is protected, the corresponding logout page should also be protected. That's what I think.

    Could you please tell me how I could do it?

    Regards

    Amlan



  • 4.  Re: Unable to protect the logout page.

    Posted Sep 21, 2015 01:20 PM

    You could handle that within the application. Refer to the tech note below for a few tricks.

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec529360.aspx

    From a WebAgent perspective, I think the LogOffURI works similar to IgnoreExt or IgnoreURL, i.e. once the WebAgent encounters patterns from IgnoreExt and IgnoreURL it never passes the request to the Policy Server. Hence even if these patterns were protected on the Policy Server end, it is of no use, as the WebAgent would not issue an IsProtected call to the Policy Server.

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec529319.aspx

    Regards

    Hubert



  • 5.  Re: Unable to protect the logout page.

    Posted Sep 23, 2015 02:40 AM

    A better approach would be to do a 302 redirect from the logout page to the login page.

    That is what Google does as well:

    Access logout page: https://accounts.google.com/logout?hl=en

    Redirects to the login page: https://accounts.google.com/ServiceLogin?elo=1

    Regards,

    Ujwol Shrestha
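Putting the two suggestions together (handle it inside the application, as in reply 4, and answer with a 302 to the login page, as in reply 5), here is an added example of what such a logout handler can look like. It is not code from the thread or from the product; it assumes the application sees the incoming request headers before the agent rewrites the response, that the SiteMinder session travels in a cookie named SMSESSION, that the agent marks a logged-off session with the value LOGGEDOFF, and it uses a placeholder login URL.

```python
from typing import Dict, Tuple

# Placeholder: replace with the real login page of your deployment.
LOGIN_URL = "https://sso.example.com/login"
SESSION_COOKIE = "SMSESSION"   # assumption: the SiteMinder session cookie name
LOGGED_OFF_MARKER = "LOGGEDOFF"  # assumption: value the agent leaves after logoff


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Minimal Cookie-header parser; tolerant of '=' and '/' inside values."""
    cookies: Dict[str, str] = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value.strip()
    return cookies


def has_live_session(headers: Dict[str, str]) -> bool:
    """True only if the request still carries a usable SMSESSION cookie."""
    value = parse_cookies(headers.get("Cookie", "")).get(SESSION_COOKIE, "")
    return value not in ("", LOGGED_OFF_MARKER)


def handle_logout(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response headers, body) for a request to the logout page.

    Visitors with no session never see the 'logged out' page: they get the
    302 to the login page that reply 5 recommends. Those with a session get
    the confirmation page, marked no-store so it is not served from a cache
    to the next person using the browser.
    """
    if not has_live_session(headers):
        return 302, {"Location": LOGIN_URL, "Cache-Control": "no-store"}, ""
    body = "<html><body>You have been successfully logged out.</body></html>"
    return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, body


if __name__ == "__main__":
    # Constructed sample requests: one with a session, one without.
    print(handle_logout({"Cookie": "SMSESSION=abc123/+==; JSESSIONID=x"})[0])  # 200
    print(handle_logout({})[0])                                                  # 302
```

Behind the agent, a request to the LogOffURI reaches this handler without an IsProtected call, so the decision to redirect has to be made here rather than in a realm.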