dacs_signout - DACS
This web service is part of DACS. The dacs_signout web service is invoked from a web browser to cause one or more sets of DACS credentials for the current federation, stored as HTTP cookies, to be removed from the browser. This is done by replacing one or more existing cookies with cookies that have already expired. The effect is that the user agent signs out (logs off) identities previously obtained through dacs_authenticate(8) or any other authentication method. A DACS-enabled portal will typically provide users with a link or web page form to invoke this service.
By default, all credentials are removed, but credentials can be selected for deletion based on a particular username (who the user was authenticated as) or a particular jurisdiction (the jurisdiction that performed that authentication). Should copies of the selected credentials exist outside of the browser, they may still be valid; only the browser's copies are destroyed.
The SIGNOUT_HANDLER directive can optionally be used to specify where the user should be redirected before this service terminates, provided HTML output is being produced (i.e., the FORMAT argument does not select a variety of XML output or JSON output). If XML output is selected, a document conforming to the corresponding DTD is returned. If JSON output is selected, a document conforming to dacs_current_credentials.rnc is returned.
Explicitly signing off using this web service is generally unnecessary because credentials will either become invalid when their lifetime is reached (see AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS) or will be automatically deleted when the user's browser session terminates (or a session with a trusted servlet ends). A user can also sign off by deleting his cookies. Middleware can simply discard cookies.
Because DACS credentials are relative to a particular federation of servers, only those credentials that are associated with the federation of the DACS server that receives the service request will be affected by this service. This implies that a user who wants to explicitly sign out must do so for each federation in which he or she is currently authenticated.
In addition to the standard CGI arguments, dacs_signout understands the following CGI arguments:
If present, all credentials associated with this username will be deleted. If not provided, the username in the credentials is immaterial.

If present, all credentials associated with this jurisdiction (given as its JURISDICTION_NAME) will be deleted. If not provided, the jurisdiction in the credentials is immaterial.
If permitted by the SIGNOUT_HANDLER directive and HTML output has been selected, redirect the user's browser to the URL specified by this parameter, which may contain a properly escaped query string. Whether the GET method is used depends on the context of the original request (keep in mind that GET parameters may be visible and logged). This URL is not validated by DACS. When not explicitly permitted by the SIGNOUT_HANDLER directive, this parameter is ignored.
This optional parameter is as described for the dacs_authenticate(8) service.
The optional parameters are used to delete only those credentials that match a particular username or jurisdiction (or both). If neither parameter is specified in the service request, all DACS cookies associated with the federation that receives the service request will be deleted. The name matching method can be configured through the NAME_COMPARE directive.
DACS does not currently provide an inactivity timeout feature, but it may appear in a future release. One way to add it would be to take advantage of the user tracking capability, which can record all of a user's requests for DACS-wrapped services within a federation. By simply comparing the current time with the time stamp of the user's last service request, the user's idle time can be determined. If the idle time exceeds a configured maximum, dacs_acs(8) would consider the user's credentials to be invalid (effectively expired) and take appropriate action. A straightforward implementation would be a relatively simple enhancement to DACS; its main drawback, for those that enable it, is the extra performance hit incurred from user tracking and having to compute idle time during access control processing - the significance of this cost will depend on your platforms, the configuration of your federation, and user activity.
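The idle-time check sketched above, written out as an added Python example (not DACS code, which has no such feature). The user-tracking record layout, one line per request as "identity time path", and the records themselves are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed tracking records (assumed layout, not real DACS output):
# "<identity> <ISO-8601 UTC time> <requested path>", one request per line.
TRACKING_RECORDS = """\
EXAMPLE::FEDROOT:bobo 2012-06-01T10:00:00Z /cgi-bin/dacs/dacs_current_credentials
EXAMPLE::DSS:alice 2012-06-01T10:20:00Z /reports/index.html
EXAMPLE::FEDROOT:bobo 2012-06-01T10:05:30Z /reports/q2.html
"""


def last_request_times(records):
    """Map each tracked identity to the time of its most recent request."""
    last = {}
    for line in records.splitlines():
        if not line.strip():
            continue
        identity, stamp, _path = line.split(" ", 2)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if identity not in last or when > last[identity]:
            last[identity] = when
    return last


def idle_seconds(records, identity, now):
    """Seconds since the identity's last tracked request, or None if never seen."""
    last = last_request_times(records).get(identity)
    return None if last is None else (now - last).total_seconds()


def credentials_still_valid(records, identity, now, max_idle_secs):
    """The decision dacs_acs(8) would make: credentials whose idle time exceeds
    the configured maximum are treated as expired. An identity with no tracked
    request at all is also treated as expired (a fail-closed choice made here)."""
    idle = idle_seconds(records, identity, now)
    return idle is not None and idle <= max_idle_secs


NOW = datetime(2012, 6, 1, 10, 30, tzinfo=timezone.utc)   # constructed "current time"
```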
To sign out from all identities in the EXAMPLE federation, a user would simply invoke a URL like:

To sign out only from the identity EXAMPLE::FEDROOT:bobo, a URL like the following might be invoked:

To sign out from only those identities in the EXAMPLE federation having a username component bobo, invoke a URL like:

This would sign off from EXAMPLE::FEDROOT:bobo and EXAMPLE::DSS:bobo, for example.
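The credential-selection rules described earlier (federation scoping, optional username and jurisdiction filters, replacement with expired cookies), together with the three invocations above, as an added Python example rather than DACS's own code. Since the page does not describe cookie naming, it assumes each credential cookie is named after its identity as DACS:<federation>::<jurisdiction>:<username>, and the Cookie header it works on is constructed.

```python
COOKIE_PREFIX = "DACS:"                            # assumed naming, see lead-in
EXPIRED_DATE = "Thu, 01 Jan 1970 00:00:00 GMT"    # replacement cookies are already expired


def parse_cookie_header(header):
    """Split a Cookie request header into an ordered {name: value} mapping."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def parse_identity(cookie_name):
    """Return (federation, jurisdiction, username) or None for non-DACS cookies."""
    if not cookie_name.startswith(COOKIE_PREFIX):
        return None
    federation, sep, rest = cookie_name[len(COOKIE_PREFIX):].partition("::")
    jurisdiction, sep2, username = rest.partition(":")
    if not (sep and sep2 and federation and jurisdiction and username):
        return None
    return federation, jurisdiction, username


def select_for_signout(cookie_header, federation, username=None, jurisdiction=None):
    """Names of the credential cookies to expire: only the receiving server's own
    federation is affected, optionally narrowed by username and/or jurisdiction."""
    selected = []
    for name in parse_cookie_header(cookie_header):
        ident = parse_identity(name)
        if ident is None or ident[0] != federation:
            continue          # unrelated cookie or another federation: left untouched
        if username is not None and ident[2] != username:
            continue
        if jurisdiction is not None and ident[1] != jurisdiction:
            continue
        selected.append(name)
    return selected


def expired_set_cookie_headers(names, path="/"):
    """Set-Cookie lines that replace each selected credential with an expired one.
    Only the browser's copies go away; copies held elsewhere may still be valid."""
    return [f"Set-Cookie: {n}=; Path={path}; Expires={EXPIRED_DATE}; Secure; HttpOnly"
            for n in names]


# Constructed request: three EXAMPLE identities, one from another federation, one non-DACS cookie.
SAMPLE_COOKIES = ("DACS:EXAMPLE::FEDROOT:bobo=c1; DACS:EXAMPLE::DSS:bobo=c2; "
                  "DACS:EXAMPLE::FEDROOT:alice=c3; DACS:OTHER::FEDROOT:bobo=c4; sid=s1")
```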
The program exits 0 if everything was fine, 1 if an error occurred.
The DACS distribution includes an example of a "log off" web page.
It might be useful for the non-HTML formats to provide configured or requested signout handler URLs.
Distributed Systems Software (www.dss.ca)
Copyright 2003-2012 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.