Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 5362 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF guidance required - Logout URLs delegation

PeterHolland

Hi,

A number of clients are requiring that the logout function of OWA, SharePoint, and other services actually work. currently we are seeing pretty much all services suffering from the issue that if you hit logout and then either hit the back button, or re-open the browser shortly afterwards, the session is still fully authenticated.

this is a full on show stopper for, well, it should be a show stopper for anyone and everyone.

so we have the logout URLS delegation feature on the forms, fab

what the heck do i put in there?

i have tried the full URL that loads when you click Logout, no change.

tried just the /SignOut.aspx or SignOut.aspx, no change

tried using some variables like ../../SignOut.aspx, no change.

is there any documentation around this? 

it should just need a one-paragraph of: click logout from the web application, obtain this section of the URL loaded, paste/type that in the box, jobs a good'un

surely?

thanks in advance

Pete



This thread was automatically locked due to age.
  • 0

    this is a particularly critical functionality for our customers in the education and healthcare sectors where kiosk/shared computers are used commonly. as it stands anyone can re-open a previously authenticated session, especially if Chrome is used, which doesn't bin session cookies on closing.

  • 0

    this is the extent of the documentation provided in the administration guide for 9.4:

    Logout(onlyforvirtualwebservermodeForm):Hereyoucanprovidealogoutfunction fortheusersession.

    Mode:Selecthowtheusercanlogoutfromthesession.

    None:Theuserhasnooptiontologout.

    Delegation:UserlogsoutbypredefinedURLs.Forexample,/logout.

    AddURLsthattheuserneedstologout.

    the logout page for SharePoint is /logout.aspx

    similarly for a lot of services. as per the the above, entering logout.aspx, /logout.aspx has no effect

    as a side note of value, this 'feature' will cause any site published this way to fail penetration testing. so if this doesn't work, i'm not sure how to use UTM in the public sector to publish websites? other than passthrough authentication, which again, is not an acceptable solution for the same customer base as there is a requirement for authentication to occur before it hits the server.

  • 0 in reply to PeterHolland

    Pete, I would think that Sophos Support would be all over this.  If you already have a case open, ask for escalation - and then please let us know how they solved this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML