I am trying to protect the logout page from unauthenticated access. Only the logged-in user could see the information on the logout page. But what's happening here is that just by entering the logout page URI it's directing to the same page, whereas it should redirect me to the home page since I am not authenticated.
My config is like this: I have two servers (agents), and for one of the agents I have configured the LogOffURI in the ACO. Now I created a realm to protect that as a resource. But it doesn't seem to work.
What could have gone wrong? Will be very helpful if someone could explain.
Ideally we never protect a logoff page. If the purpose of the page is to log off a session, why would we increase the processing by protecting it, thus invariably engaging the WebAgent to validate the session? It is just too much overhead unless you could state a valid security use case that presents a loophole and hence the need to protect the logout page.
Isn't it weird for a user to be able to view the successful logout message without any proper access to any of the applications?
If an application is protected, the corresponding logout page should also be protected. That's what I think.
Could you please tell me how could I do it?
You could handle that within the application. Refer to the Tech note below for a few tricks.
From a WebAgent perspective, I think the LogOffURI works similar to IgnoreExt or IgnoreURL, i.e. once the WebAgent encounters patterns from IgnoreExt and IgnoreURL it never passes the request to the Policy Server. Hence even if these patterns were protected on the Policy Server end, it is of no use as the WebAgent would not issue an IsProtected call to the Policy Server.
A better approach would be to do a 302 redirect from the logout page to the login page.
That is what Google does as well:
Access Logout page : https://accounts.google.com/logout?hl=en
Redirects to the login page : https://accounts.google.com/ServiceLogin?elo=1
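The "handle it within the application" approach from the answer above, as an added example that is not part of the thread or of any vendor code: the logout resource stays unprotected at the agent, and the application itself expires the agent's session cookie and answers with a 302 instead of rendering a page. The cookie name SMSESSION, the URLs and the `session_valid` callback are assumptions, not taken from the thread.

```python
from http.cookies import SimpleCookie

# Constructed values (assumptions, not from the thread).
SESSION_COOKIE = "SMSESSION"          # assumed name of the agent's session cookie
LOGIN_URL = "https://sso.example.com/login"
HOME_URL = "https://www.example.com/"


def handle_logout(cookie_header, session_valid):
    """Application-side logout handler: returns (status, headers).

    It never renders a "you are logged out" page:
      - no valid session  -> 302 to the home page (what the asker wanted)
      - valid session     -> expire the session cookie, 302 to the login page
    `session_valid(value)` is an assumed app-side check of the session value.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None or not session_valid(morsel.value):
        # Unauthenticated visitor: nothing to log off, send home.
        return 302, {"Location": HOME_URL, "Cache-Control": "no-store"}

    # Overwrite the agent's cookie with an already-expired one on the
    # same path so the browser drops it before following the redirect.
    expired = SimpleCookie()
    expired[SESSION_COOKIE] = "LOGGEDOFF"
    expired[SESSION_COOKIE]["path"] = "/"
    expired[SESSION_COOKIE]["max-age"] = 0
    expired[SESSION_COOKIE]["secure"] = True
    expired[SESSION_COOKIE]["httponly"] = True
    return 302, {
        "Location": LOGIN_URL,
        "Set-Cookie": expired.output(header="").strip(),
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample request: a browser still carrying a session cookie.
    print(handle_logout("SMSESSION=abc123; other=x", lambda v: v == "abc123"))
    print(handle_logout("", lambda v: True))
```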