Drupal 6.10
cas module 6.x
phpCAS 0.6.0-1

Users can log in via CAS. That works fine, and when they click logout the page is redirected to the main page. But when the user clicks login again via CAS user login, the user session is still there although they already logged out.

Comments

samirnasri’s picture

Title: Drupal + Cas cannot successfully login » Drupal + Cas cannot successfully logout
metzlerd’s picture

Category: bug » support

Are you using the normal logout page, or the CAS-provided menu item? It sounds like you're using the normal Drupal Logout menu item, which will only log you out of Drupal, but not out of your single sign-on session.

To get this configuration you should go to administer menus and enable the CAS Logout link. This link behaves as you are expecting where you get redirected to the CAS logout page. Feel free to rename and/or disable the drupal logout link.

Dave

drupaldru’s picture

I have enabled the cas login and cas logout menu items. They don't appear anywhere new and logout still does not work. It redirects to the CAS logout page and then immediately back to the Drupal home page and is STILL logged in!!! What should I expect this to do? I want it to stay at the remote logout page. Why does it return? I'm about to write my own stinkin' logout program. Simple: log out Drupal, go to CAS logout page, log out and stay there. What could be easier? :)

What does a logout do, destroy cookies, sessions, anything else??

metzlerd’s picture

You could try, of course, but you will likely find the same results. Logout is supposed to destroy session cookies, etc., but much is of course dependent on your settings.php file. I tweaked mine to make sure that login cookies don't last beyond a browser reload. If you suspect a problem with the provided logout page, you'd be much better off finding out why the existing functionality doesn't work than "writing your own stinking logout page". It would certainly serve the community better. On all of my sites I get the correct behavior, which is that your Drupal login session is destroyed and you're also redirected to the CAS logout site. Granted, most of my sites are 5.x sites. I'll try the next time I'm at work to replicate your behavior. It's possible that there's a bug that needs fixing.

Pay attention to your CAS logout page setting on this one, as well as your require cas login for specific pages setting. If set incorrectly it may cause unexpected behavior.

Patches, and bug reports welcome, rants and righteous indignation... not so much....

Dave

metzlerd’s picture

Ok, I've tested this against the current head and, aside from a recent fix to http://drupal.org/node/475400, this appears to work as designed. If this is still an issue for you, can you document your CAS redirection and menu settings for me so I can work this further?

Dave

FranciX’s picture

I have the same problem. I solved it with PHP code like this:

<?php
global $user;

// Same steps as Drupal 6's user_logout(), but with an explicit redirect at the end.
watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

// Destroy the current session:
session_destroy();
module_invoke_all('user', 'logout', NULL, $user);

// Load the anonymous user
$user = drupal_anonymous_user();

// Send the browser to the CAS server's logout page instead of the front page.
drupal_goto('https://mycaslogoutpage');
?>

It's the same code as user_logout(), with a drupal_goto() to the CAS logout page.

I hope this will be useful for you.

metzlerd’s picture

I don't understand this response. What "problem" were you having? Did you use the CAS logout menu items? I'm still trying to figure out if there is a bug here, but I simply cannot reproduce the behavior! Where did you put this code? Is there a patch that could be filed? The code that you wrote is basically the same as the code that is already in the CAS module when you enable the cas logout menu items.

FranciX’s picture

Excuse me. My problem is that when I click on the "drupal/logout" menu option I'm not redirected to the CAS logout page. I don't know if the Drupal session is destroyed, but in fact the user is still logged in and on the welcome page.

I suppose the Drupal session is destroyed but the redirection is not properly done, so the CAS ticket is still valid and the session is rebuilt.

PS: Excuse my English.

metzlerd’s picture

Most likely the cause is that you're requiring login for your site and using the Drupal logout rather than the CAS logout menu item. Go to administer your menus and enable the CAS Logout menu item. You can choose to disable the Drupal logout menu item if you so desire.

Does that make sense?

Dave

FranciX’s picture

I didn't see the CAS Logout menu item :-( but even though the code is the same as in user_logout with the drupal_goto statement, it doesn't work. I don't know why.

It seems like the Drupal session is destroyed but the CAS ticket is not invalidated (I used it to log in to other applications and it's valid), so the Drupal session is rebuilt with the ticket against the CAS.

Could the logout code be something like this?

<?php
// $CASLogoutURL must already hold the CAS server's logout URL.
// create a new cURL resource
$ch = curl_init();

// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, $CASLogoutURL);
curl_setopt($ch, CURLOPT_HEADER, 0);
// return the body instead of echoing it, otherwise drupal_goto() below
// fails with "headers already sent"
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);

// request the logout URL from the web server (not from the user's browser)
curl_exec($ch);

// close cURL resource, and free up system resources
curl_close($ch);

drupal_goto('logout');
?>

Maybe the CURLOPT_CONNECTTIMEOUT should be a parameter in the module config.

FranciX

metzlerd’s picture

That doesn't make sense. The cas ticket is only a one time use ticket anyway, so it can't ever still be valid. You do not see a cas logout menu item that is disabled under your drupal menu administration? That's what I'm talking about enabling. There is already code in the CAS module to facilitate logging out of the single sign out solution. It's been tested pretty thoroughly as people have even been working on the more complicated single sign out support.

You appear to be writing your own, but I'm really unsure as to why, and why you're doing CURL. You should be redirecting to the cas single sign out page.

Have you examined the code that is already in the CAS module for logging out of drupal and CAS?

FranciX’s picture

Yes, I have enabled the CAS Logout menu item but the Drupal session is still alive.

Step 1: Log in by CAS -> http://localhost/drupaltest/
(that redirects to https://localhost:8443/cas/login?service=http://localhost/drupaltest/)
Step 2: Click on the CAS Logout menu item
(that redirects to https://localhost:8443/cas/login?ticket=XXXXXXX)
Step 3: When I type the http://localhost/drupaltest/ URL I'm still logged in.

8-}

I read your code and I think it's right, but in fact it doesn't work.

I'm very interested, and I think that the ticket is still valid until it's sent to the CAS server logout page. I'm using this module for SSO with several tools and it works fine to log in, but my problem is that I can't be sure about the logout on all of them. I'm using curl because I try to destroy all the sessions.

FranciX

metzlerd’s picture

Step two is not correct. Could you send me a copy of your cas redirect settings? The cas logout page is at casserver/cas/logout. You might try adding a trailing slash on the cas uri. (e.g. cas/) I've had some unpredictable behavior with this in some cas server installs.

The ticket is a one time use ticket, per the CAS protocol specification. It is good only for validating the request at initial login, and only once. It is not good until logout. I am quite sure of this, and you can verify that with the CAS protocol documentation. The fact that you're being redirected to your CAS server login page means that you're being asked to log in again. I suspect this is because you're requiring CAS authentication for all pages on your Drupal site or something, but I'm not sure. We really shouldn't be seeing a ticket parameter there, so that confuses me. The ticket parameter should only be seen on the drupaltest site.

If you're trying to support logging out of all things that you've logged into cas with, then you need to enable cas Single sign out on your cas server and upgrade your cas drupal module client to the 6.x.2 beta, which supports the single sign-out protocol that CAS provides.

Using CURL isn't going to destroy the right session because you're making a new browser that is resident on your php server. It will not have access to the session initiated by the client web browser. You need to look at how single sign out is architected for cas 3.0.

So far I'm pretty sure that you are NOT being redirected correctly to the cas logout page by the menu. That could be because of the missing trailing slash on the uri, or it could be something else in the configuration of either your cas module or your drupal site. I think figuring out what's wrong there is a far better direction than trying to rewrite the cas logout code.
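Neither a server-side cURL call nor a redirect to the wrong CAS page ends the browser's SSO session; the example below, added here and not code from the cas module or phpCAS, builds the /logout redirect URL from the module's server/port/uri settings and shows the CAS 3 single sign-out half referred to above: the CAS server POSTs a SAML LogoutRequest naming the service ticket, and because phpCAS keys the PHP session by that ticket the service can destroy the session without the browser's involvement. The settings values, the sample LogoutRequest and the IP addresses are assumptions made up for this example.

```php
<?php
// Added example, not code from the cas module or phpCAS. Assumptions: the
// settings arguments mirror the module's config screen; phpCAS 1.x keys
// the PHP session by the service ticket (the "Session ID: ST...cas" lines
// in the log further down); the LogoutRequest and IPs are constructed data.

function cas_logout_url($server, $port, $uri, $return_to = NULL) {
  // https://<server>:<port>/<uri>/logout, e.g. https://localhost:8443/cas/logout
  $url = 'https://' . $server . ':' . (int) $port . '/' . trim($uri, '/') . '/logout';
  if ($return_to !== NULL) {
    // CAS 3 shows this as a "continue" link on its logout page.
    $url .= '?url=' . rawurlencode($return_to);
  }
  return $url;
}

function cas_session_id_from_ticket($ticket) {
  // phpCAS stores the session under the ticket with non-word characters removed.
  return preg_replace('/[^\w]/', '', $ticket);
}

function cas_parse_logout_request($xml) {
  // Return the service ticket named in a SAML LogoutRequest, or NULL.
  $prev = libxml_use_internal_errors(TRUE);
  $doc = new DOMDocument();
  $ok = $doc->loadXML($xml, LIBXML_NONET);  // never fetch external entities
  libxml_use_internal_errors($prev);
  if (!$ok) {
    return NULL;
  }
  $idx = $doc->getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:protocol', 'SessionIndex');
  if ($idx->length !== 1) {
    return NULL;
  }
  $ticket = trim($idx->item(0)->textContent);
  return preg_match('/^ST-[\w.-]+$/', $ticket) ? $ticket : NULL;
}

function cas_handle_single_logout(array $post, $remote_addr, array $cas_servers) {
  // Only the CAS server may end sessions; otherwise anyone who learns a
  // ticket could log that user out. Empty or malformed bodies are refused.
  if (!in_array($remote_addr, $cas_servers, TRUE) || empty($post['logoutRequest'])) {
    return FALSE;
  }
  $ticket = cas_parse_logout_request($post['logoutRequest']);
  if ($ticket === NULL) {
    return FALSE;
  }
  session_id(cas_session_id_from_ticket($ticket));
  session_start();    // reopen the session created at login for this ticket
  session_destroy();  // server side: no browser involved, unlike the cURL idea
  return TRUE;
}

// Constructed sample of what a CAS 3 server POSTs to the service on sign-out.
$sample = '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
  . ' ID="[RANDOM]" Version="2.0" IssueInstant="2010-01-01T00:00:00Z">'
  . '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
  . '<samlp:SessionIndex>ST-12345-exampleTicketValue-cas</samlp:SessionIndex></samlp:LogoutRequest>';
$ended = cas_handle_single_logout(array('logoutRequest' => $sample), '127.0.0.1', array('127.0.0.1'));
var_dump($ended, cas_logout_url('localhost', 8443, '/cas', 'http://localhost/drupaltest/'));
```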

metzlerd’s picture

Sorry, I may not be clear. I'm talking about the CAS settings on your drupaltest site related to redirection, and the CAS uri setting on your drupaltest site.

FranciX’s picture

I didn't notice that the URL was the login and not the logout CAS page 8-|

My CAS settings are:

CAS Version: 2.0
CAS server: localhost
CAS port: 8443
CAS uri: /cas
CAS PEM certificate verification: Do not verify the certificate

Is Drupal also the CAS user repository? No
If Drupal is not the user repository, should cas highjack users with the same name? Yes
Should Drupal user accounts be automatically created? Yes

Users cannot change email address: Yes
Users cannot change password: Yes
Auto-assign users to the role(s): authenticated user

Require CAS login for: all pages except specific pages (none specified)
Force redirection on initial login: Yes
Initial login landing page: https://localhost:8443/cas/login
Successful login message: "Autenticado vía CAS como %cas_username."
Redirect user on logout: Yes
Logout destination: https://localhost:8443/cas/

Change password URL:
Registration URL:

Should we extract the user email from an LDAP directory? No
Email attribute: mail
Should we extract user groups from an LDAP directory? No

I'll try the dev version too. Thanks for your attention.

metzlerd’s picture

Uncheck the redirect user on logout box. You probably don't want to return to your CAS login page upon logging out of CAS. The require login for all pages setting will take care of that next time you hit this site anyway. Let me know how things go with the dev version.

driki_’s picture

I think cas_server_logout() should return $output, or you end up with a white page:

function cas_server_logout() {
  global $user;  // needed: module_invoke_all() below passes the current account
  // Destroy the current session:
  session_destroy();
  module_invoke_all('user', 'logout', NULL, $user);
  $output = '<p>You have been logged out successfully</p>';
  if (!empty($_GET['url'])) {
    // l() runs the user-supplied URL through check_url() before linking to it.
    $output .= '<p>'. l('Continue', $_GET['url']) .'</p>';
  }
  // Return the markup so Drupal renders it instead of a blank page.
  return $output;
}

instead of

function cas_server_logout() { 
  // Destroy the current session:
  session_destroy();
  module_invoke_all('user', 'logout', NULL, $user);
  $output = '<p>You have been logged out successfully</p>'; 
  if ($_GET['url'])  {
    $output .= '<p>'. l('Continue', $_GET['url']) .'</p>'; 
  } 
}
sher1’s picture

Version: 6.x-1.0 » 6.x-2.x-dev
Category: support » bug
Priority: Normal » Critical

We are having the same problem. Logging in works fine but when you go to http://homepage-stg.byu.edu/caslogout (path from the CAS Logout menu item in the navigation menu), I get the following errors.
From the php error log:
PHP Fatal error: session_start() [function.session-start]: Failed to initialize storage module: user (path: /var/lib/php/session) in /usr/share/pear/CAS/client.php on line 616

From the phpCAS.log
E03D .START ****************** [CAS.php:494]
E03D .=> phpCAS::client('2.0', 'cas.byu.edu', 443, 'cas') [login.config.php:17]
E03D .| => CASClient::CASClient('2.0', false, 'cas.byu.edu', 443, 'cas', true) [CAS.php:397]
E03D .| | Starting session handling [client.php:590]
E03D .| | Ticket found [client.php:600]
E03D .| | Old active session found, saving old data and destroying session [client.php:603]
E03D .| | Session ID: ST171012hqHMqbIHe5OxebaaBZ7Tcas
8F55 .START ****************** [CAS.php:494]
8F55 .=> phpCAS::client('2.0', 'cas.byu.edu', 443, 'cas') [login.config.php:17]
8F55 .| => CASClient::CASClient('2.0', false, 'cas.byu.edu', 443, 'cas', true) [CAS.php:397]
8F55 .| | Starting session handling [client.php:590]
8F55 .| | No ticket found [client.php:593]
8F55 .| <= ''
8F55 .<= ''
8F55 .=> phpCAS::setNoCasServerValidation() [login.config.php:20]
8F55 .<= ''
8F55 .=> phpCAS::setExtraCurlOption(32, 1) [login.config.php:22]
8F55 .<= ''
8F55 .=> phpCAS::checkAuthentication() [login.config.php:32]
8F55 .| => CASClient::checkAuthentication() [CAS.php:941]
8F55 .| | => CASClient::isAuthenticated() [client.php:887]
8F55 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:946]
8F55 .| | | | no user found [client.php:1070]
8F55 .| | | <= false
8F55 .| | | no ticket found [client.php:990]
8F55 .| | <= false
8F55 .| | user is not authenticated (cache reset) [client.php:922]
8F55 .| | => CASClient::redirectToCas(true) [client.php:923]
8F55 .| | | => CASClient::getServerLoginURL(true, false) [client.php:1087]
8F55 .| | | | => CASClient::getURL() [client.php:360]
8F55 .| | | | | Final URI: http://homepage-stg.byu.edu/ [client.php:2604]
8F55 .| | | | <= 'http://homepage-stg.byu.edu/'
8F55 .| | | <= 'https://cas.byu.edu:443/cas/login?service=http%3A%2F%2Fhomepage-stg.byu.edu%2F&gateway=true'
8F55 .| | | Redirect to : https://cas.byu.edu:443/cas/login?service=http%3A%2F%2Fhomepage-stg.byu....
8F55 .| | | exit()
8F55 .| | | -
8F55 .| | -
8F55 .| -
79F0 .START ****************** [CAS.php:494]
79F0 .=> phpCAS::client('2.0', 'cas.byu.edu', 443, 'cas') [login.config.php:17]
79F0 .| => CASClient::CASClient('2.0', false, 'cas.byu.edu', 443, 'cas', true) [CAS.php:397]
79F0 .| | Starting session handling [client.php:590]
79F0 .| | Ticket found [client.php:600]
79F0 .| | Old active session found, saving old data and destroying session [client.php:603]
79F0 .| | Session ID: ST171013Ged4DdZt2GLyhkHiMaHvcas

In order to get back in, I have to go manually to the cas server and log out: http://cas.byu.edu/cas/logout and then I can get back to the unauthenticated page and login. When I log out, we have the same error hit again.
We are using phpCAS 1.1.1RC2.
Is there more info I can provide for this that would be pertinent?

sher1’s picture

Priority: Critical » Normal

It appears that when I change the redirect from (which is preferable) to the server name (homepage-stg.byu.edu) it works ok. Is it possible that the string it is getting for the redirect is not working right?

metzlerd’s picture

@drico - Yes, that's correct. I fixed this in all dev branches.

@sher1 - This looks like it's a bug in the phpCAS library, but I can't tell. You might try downloading a new copy of phpCAS. I'm using the latest release, and am not having this problem.

Dave

newbie88’s picture

Can I ask, sir, where the code goes, so I can place the code, sir?

metzlerd’s picture

This is referencing a new version of phpCAS, which is a library that you download from the CAS page, not this page. Are you asking where to download that or where to put the CAS files after downloading? Again, not understanding your question. You already have CAS working, so I'm assuming you downloaded the phpCAS library and installed it successfully. Put the new version in the same place you put the old one???

Dave

newbie88’s picture

Yes, it is working, sir, but now my question, sir, is that I can't successfully log out in Firefox using the CAS module, so I think the destroy-session function can't successfully log out in Firefox, sir. How do I fix that, sir? In Internet Explorer it can, but in Firefox it can't, sir?????

metzlerd’s picture

There is no browser-specific code here, so I'm a bit unsure as to what could be going wrong. Are you using the caslogout URL or are you using the Drupal logout URL? When you hover over the logout link, does it specify caslogout or logout?

newbie88’s picture

Yes, sir. Now I want to know what the difference is between the caslogout URL and the Drupal logout URL, sir, because I just created a menu item in secondary links that links to my caslogout URL, sir. Is it wrong, sir, and is that the reason it can't destroy my session on logout, sir? And I want to know, sir, where the caslogout URL settings are, sir.

metzlerd’s picture

There is a disabled menu item provided by the cas module called caslogout. It is designed to destroy your session and then redirect you to the log out page for the cas server so that you are logged out of the cas server as well.

The normal Drupal logout, which only logs you out of Drupal, is at the URL yoursiteurl/logout. If you are requiring CAS login for the page you are on and then press the normal Drupal logout link, you will just be redirected to CAS and then logged in again. This is normal behavior and not a bug. Could this be what you are experiencing?

newbie88’s picture

OK, sir. After I checked, there are menu items in navigation like CAS login and CAS logout; I have just found them, so I must use CAS logout to destroy the session, right, sir? OK, I will do it, sir. But now my problem, sir: after I use CAS login in my Drupal I can't go to my administration page again, sir, and there is a warning message like this:

CAS Authentication failed!

You were not authenticated.

You may submit your request again by clicking here.

If the problem persists, you may contact the administrator of this site.
phpCAS 1.1.1 using server https://example.com:443/cas/ (CAS 2.0)

How do I solve this problem, sir, so I can go to my administration page again to change the settings in user management under CAS settings, sir?

metzlerd’s picture

Please open new issues for new problems. You already have one open at #831202: SOME issue again using CAS Module cann't login in my administration page in application CMS???. This is not about login issues anymore. I'm having a hard time following all of the issues you are opening and understanding the cases, since you aren't closing any of them, and are changing the symptoms with each post. Please go to #831202: SOME issue again using CAS Module cann't login in my administration page in application CMS??? and articulate what your current issue is and exactly what you did to change this.

newbie88’s picture

The issue is solved, sir. Sorry, sir, the issue is solved, sir. Yes, I will post issues with the same problem in the same posting, sir. Sorry to make you angry, sir, because I am very interested in the CAS module in Drupal,

and I want to test it, sir, to make it work, sir. In my office I am confused about whom to ask, because in my office nobody can do Drupal, just me, sir, so that is my reason: only in this forum can I get help if I am confused about Drupal, sir, after a lot of practice with Drupal, sir.

And my solution, sir, is to change the URL of the logout in Drupal to the logout path, sir, so it works: the renamed path of the Drupal logout is caslogout, not https://example.com/cas/logout, and it works to destroy the session on logout. Thanks for the help, sir, and I promise if I am confused again I will come to the forum and post in the same issue, sir.

metzlerd’s picture

You did not make me angry. I was just having a difficult time understanding what problems you had or hadn't solved. I'm glad that you got it fixed. I don't want you to stop posting to the forum for support. I'm just trying to keep my issue queue understandable for everyone. Thanks for your understanding.

newbie88’s picture

OK, sir, I will learn more English, sir, because I am still learning the English language, sir. Thanks for your attention, sir ^^

metzlerd’s picture

Status: Active » Closed (fixed)

Closing this then as well.