If you enable "Check with the CAS server to see if the user is already logged in?", Persistent Login (PL) stops working, even for non-CAS logins.
For instance, if you enable that option, as well as the option to allow users to remain logged in, then log in using a local Drupal account using the "remember me" checkbox, you get a message indicating that a PL session has been created. But if you close your browser and return to the site, you are not logged back in automatically. Thus, I think CAS is interfering with PL's ability to check for a PL session upon return to the site if "Check with the CAS server..." is enabled.
Comments
Comment #1
bfroehle commented
I believe it. I'm tempted to want to restructure this gateway feature into a separate module since it's led to so many issues.
Any idea if PL and gateway are generically incompatible? Or is this just a bug in our implementation?
Comment #2
danepowell commented
I haven't had time to give much thought to it. I know that PL 'runs' at hook_boot, while CAS runs at hook_init. Seems odd, considering that both modules do basically the same thing.
Comment #3
bfroehle commented
The CAS gateway feature should probably run at hook_boot, but it also relies on too many Drupal features which aren't available until hook_init.
I think we should reconsider how the gateway feature actually functions to get around this issue. For example, we could:
- User requests http://example.com/node/1
- Option "check to see if user is already logged in" is enabled, we intercept in cas_boot() and redirect to http://example.com/cas?destination=node/1&gateway=true
- http://example.com/cas?... is processed as a normal page request and redirects to https://cas-auth.example.com/cas/login?gateway=true&....
- user is redirected to http://example.com/cas?destination=true&ticket=... (if logged in) or http://example.com/cas?destination=true&gateway=true... (if not logged in)
- process user being logged in or not
- user is redirected to http://example.com/node/1
- if not logged in we set a session variable / cookie to indicate that cas gateway shouldn't be checked again, or pass a query string gateway=false.
The kludge of adding gateway=false is annoying, but otherwise we could have the issue that a user without cookies is sent in an infinite redirect loop. :(
The whole gateway feature is awkward -- I'm not sure what the best practices are in implementation.
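The redirect sequence proposed in Comment #3, as an added Python simulation (not code from the thread or from the CAS module), showing why a client that drops cookies loops unless the gateway=false query marker is used. The `gw_checked` and `uid` cookie names and the `back` parameter are assumptions made for the model.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Hosts are the ones used in the comment; the ticket value is constructed.
SITE, CAS = "http://example.com", "https://cas-auth.example.com/cas/login"

def site(url, cookies, marker):
    """One request to the site. Returns (redirect URL or None, cookies to set)."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.path != "/cas":
        # Boot-time intercept: skip the check if logged in or already checked.
        checked = cookies.get("gw_checked") or q.get("gateway") == "false"
        if cookies.get("uid") or checked:
            return None, {}  # page is served
        args = {"destination": u.path.lstrip("/"), "gateway": "true"}
        return f"{SITE}/cas?" + urlencode(args), {}
    dest = f"{SITE}/{q['destination']}"
    if "ticket" in q:  # CAS reported an existing login
        return dest, {"uid": "1"}
    if "back" not in q:  # first visit to /cas: ask the CAS server
        args = {"destination": q["destination"], "back": "1"}  # "back" is assumed
        service = f"{SITE}/cas?" + urlencode(args)
        return CAS + "?" + urlencode({"gateway": "true", "service": service}), {}
    # CAS reported no login: record that so the check is not repeated.
    if marker == "query":
        dest += "?gateway=false"
    return dest, {"gw_checked": "1"}

def cas_server(url, has_cas_session):
    """Gateway mode: always bounce back, with a ticket only if logged in."""
    service = parse_qs(urlsplit(url).query)["service"][0]
    return service + ("&ticket=ST-constructed" if has_cas_session else "")

def browse(start, accepts_cookies, has_cas_session, marker, max_hops=12):
    """Follow redirects; returns ("served" or "loop", number of redirects)."""
    jar, url, hops = {}, start, 0
    while hops < max_hops:
        if url.startswith(CAS):
            nxt, new = cas_server(url, has_cas_session), {}
        else:
            nxt, new = site(url, jar, marker)
        if nxt is None:
            return "served", hops
        if accepts_cookies:
            jar.update(new)
        url, hops = nxt, hops + 1
    return "loop", hops
```
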
Comment #4
bfroehle commented
Is there a plan of attack here? Should we just gray out the CAS gateway feature box if persistent_login is enabled?
Comment #5
danepowell commented
I haven't looked over the plan in detail, but I agree that we should use hook_boot, since it will run even on cached pages.
Comment #6
bkosborne
This issue is 7 years old and filed against D6. I think it's safe to close this one out.