The UI should provide a logout button that will invalidate the current session immediately. This is to avoid leaving an active session on the server which could be exploited. The logout button will call the logout URL (see ticket #2362) and redirect the browser to another page. The page should confirm that the user has been logged out.

One possible solution is to create a logout landing page (logout.html) that says "you have been logged out" with a link back to the main UI page (index.html). Note that going back to the main page will recreate the session if TGT is still valid.

Another possible solution is to create a new front page (index.html) and move the main UI page to another page (main.html). The front page could provide a username/password for form-based auth and also a link for Kerberos auth, so user can pick the authentication method he wants to use. The front page will also become the logout landing page.