Provided by: dacs_1.4.28b-3ubuntu2_amd64 bug


       dacs_signout - DACS signout service


       dacs_signout [dacsoptions[1]]


       This web service is part of the DACS suite.

       The dacs_signout web service is invoked from a web browser to cause one or more sets of
       DACS credentials for the current federation[2], stored as HTTP cookies, to be removed from
       the browser. This is done by replacing one or more existing cookies with cookies that have
       expired. The effect is that the user agent signs out (logs off) identities previously
       obtained through dacs_authenticate(8)[3] or any other DACS authentication method. A
       DACS-enabled portal will typically provide users with a link or web page form to invoke
       this service.

       By default, all credentials are removed, but credentials can be selected for deletion
       based on a particular username (who the user was authenticated as) or a particular
       jurisdiction (the jurisdiction that performed that authentication).

       Should copies of the selected credentials exist outside of the browser, they may still be
       valid; only the browser's copies are destroyed.

       The SIGNOUT_HANDLER[4] directive can optionally be used to specify where the user should
       be redirected before this service terminates, provided FORMAT does not select a variety of
       XML output (see dacs.conf(5)[5]). If XML output is selected, a document conforming to
       dacs_current_credentials.dtd[6] is returned.

       Explicitly signing off using this web service is generally unnecessary because DACS
       credentials will either become invalid when their lifetime is reached (see
       AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS[7]) or will be automatically deleted when the
       user's browser session terminates (or a session with a trusted servlet ends). A user can
       also sign off by deleting his browser's DACS cookies. Middleware can simply discard

       As DACS credentials are relative to a particular federation of DACS servers, only those
       credentials that are associated with the federation of the DACS server that receives the
       service request will be affected by this service. This implies that a user who wants to
       explicitly sign out must do so for each federation in which he or she is currently

   Web Service Arguments
       In addition to the standard CGI arguments[8], dacs_signout understands the following CGI

           If present, all credentials associated with this username will be deleted. If not
           provided, the username in the credentials is immaterial.

           If present, all credentials associated with this jurisdiction (given as its
           JURISDICTION_NAME[9]) will be deleted. If not provided, the jurisdiction in the
           credentials is immaterial.

           This optional parameter is as described for the dacs_authenticate(8)[3] service.

       The optional parameters are used to delete only those credentials that match a particular
       username or jurisdiction (or both). If neither parameter is specified in the service
       request, all DACS cookies associated with the federation that receives the service request
       will be deleted.

       The name matching method can be configured through the NAME_COMPARE[10] directive.

           DACS does not currently provide an inactivity timeout feature, but it may appear in a
           future release. One way to add it would be to take advantage of the user tracking[11]
           capability, which can record all of a user's requests for DACS-wrapped services within
           a federation. By simply comparing the current time with the time stamp of the user's
           last service request, the user's idle time can be determined. If the idle time exceeds
           a configured maximum, dacs_acs(8)[12] would consider the user's credentials to be
           invalid (effectively expired) and take appropriate action. A straightforward
           implementation would be a relatively simple enhancement to DACS; its main drawback,
           for those that enable it, is the extra performance hit incurred from user tracking and
           having to compute idle time during access control processing - whether this hit is
           significant will depend on your platforms, the configuration of your federation, and
           user activity patterns.


       To signout from all identities in the EXAMPLE federation, a user would simply invoke a URL


       To signout only from the identity EXAMPLE::FEDROOT:bobo, a URL like the following might be


       To signout from only those identities in the EXAMPLE federation having a username
       component bobo, invoke a URL like:


       This would signoff from EXAMPLE::FEDROOT:bobo and EXAMPLE::DSS:bobo, for instance.


       The program exits 0 if everything was fine, 1 if an error occurred.


       dacs_authenticate(8)[3], dacs_current_credentials(8)[13], dacs_auth_agent(8)[14],
       dacs_auth_transfer(8)[15], dacs_select_credentials(8)[16], dacsauth(1)[17],

       The DACS distribution includes an example of a "log off" web page:


       Distributed Systems Software ([20])


       Copyright2003-2012 Distributed Systems Software. See the LICENSE[21] file that accompanies
       the distribution for licensing information.


        1. dacsoptions

        2. current federation

        3. dacs_authenticate(8)


        5. dacs.conf(5)

        6. dacs_current_credentials.dtd


        8. standard CGI arguments


       10. NAME_COMPARE

       11. user tracking

       12. dacs_acs(8)

       13. dacs_current_credentials(8)

       14. dacs_auth_agent(8)

       15. dacs_auth_transfer(8)

       16. dacs_select_credentials(8)

       17. dacsauth(1)

       18. dacscred(1)

       19. html/examples/signout.html


       21. LICENSE