Drupal + Cas cannot successfully logout
samirnasri - April 21, 2009 - 02:41
| Project: | CAS |
| Version: | 6.x-1.0 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Drupal 6.10
cas module 6.x
phpCAS 0.6.0-1
Users can log in via CAS. That works fine, and when they click logout, the page is redirected to the main page. But when the user clicks login again in the CAS user login, the user session is still there although he has already logged out.

#1
#2
Are you using the normal logout page, or the cas provided menu item? It sounds like you're using the normal Drupal Logout menu item which will only log you out of drupal, but not your single sign-on session.
To get this configuration you should go to administer menus and enable the CAS Logout link. This link behaves as you are expecting where you get redirected to the CAS logout page. Feel free to rename and/or disable the drupal logout link.
Dave
#3
I have enabled the cas login and cas logout menu items. They don't appear anywhere new and logout still does not work. It redirects to the CAS logout page and then immediately back to the drupal home page and is STILL logged in!!! What should I expect this to do? I want it to stay at the remote logout page. Why does it return? I'm about to write my own stinkin' logout program. Simple: log out Drupal, go to CAS logout page, logout and stay there. What could be easier? :)
What does a logout do, destroy cookies, sessions, anything else??
#4
You could try of course, but you will likely find the same results. Logout is supposed to destroy session cookies, etc, but much is of course dependent on your settings.php file. I tweaked mine to make sure that login cookies don't last beyond a browser reload. If you suspect a problem with the provided logout page, you'd be much better off finding out why the existing functionality doesn't work than "writing your own stinking logout page". It would certainly serve the community better. On all of my sites I get the correct behavior which is that your drupal login session is destroyed and you're also redirected to the CAS logout site. Granted most of my sites are 5.x sites. I'll try the next time I'm at work to replicate your behavior. It's possible that there's a bug that needs fixing.
Pay attention to your CAS logout page setting on this one, as well as your require cas login for specific pages setting. If set incorrectly it may cause unexpected behavior.
Patches, and bug reports welcome, rants and righteous indignation... not so much....
Dave
#5
Ok, I've tested this against the current head and aside from a recent fix to http://drupal.org/node/475400, this appears to work as designed. If this is still an issue for you, can you document your CAS redirection and menu settings for me so I can work this further?
Dave
#6
I've the same problem. I solved it with a php code content like this one:
<?php
global $user;
watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
// Destroy the current session:
session_destroy();
module_invoke_all('user', 'logout', NULL, $user);
// Load the anonymous user
$user = drupal_anonymous_user();
drupal_goto('https://mycaslogoutpage');
?>
It's the same code as user_logout, with a drupal_goto to the CAS logout page.
I hope this will be useful for you.
#7
I don't understand this response. What "problem" were you having? Did you use the CAS logout menu items? I'm still trying to figure out if there is a bug here, but I simply cannot reproduce the behavior! Where did you put this code? Is there a patch that could be filed? The code that you wrote is basically the same as the code that is already in the CAS module when you enable the cas logout menu items.
#8
Excuse me. My problem is that when I click on the "drupal/logout" menu option I'm not redirected to the CAS logout page. I don't know if the Drupal session is destroyed, but in fact, the user is still logged in and on the welcome page.
I suppose the Drupal session is destroyed but the redirection is not properly done, so the CAS ticket is still valid and the session is rebuilt.
PS: Excuse my English.
#9
Most likely the cause is that you're requiring login for your site and using the drupal logout rather than the cas logout menu item. Go to administer your menus and enable the CASlogout menu item. You can choose to disable the drupal logout menu item if you so desire.
Does that make sense?
Dave
#10
I didn't see the CASLogout menu item :-( but although the code is the same as in user_logout with the drupal_goto statement, it doesn't work. I don't know why.
It seems like the Drupal session is destroyed but the CAS ticket is not invalidated (I used it to log in to other applications and it's valid), so the Drupal session is rebuilt with the ticket against the CAS.
Could the logout code be something like this?
<?php
// create a new cURL resource
$ch = curl_init();
// set URL and other appropriate options
curl_setopt($ch, CURLOPT_URL, $CASLogoutURL);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
// grab URL and pass it to the browser
curl_exec($ch);
// close cURL resource, and free up system resources
curl_close($ch);
drupal_goto('logout');
?>
Maybe the CURLOPT_CONNECTTIMEOUT should be a parameter in the Mod config.
FranciX
#11
That doesn't make sense. The cas ticket is only a one time use ticket anyway, so it can't ever still be valid. You do not see a cas logout menu item that is disabled under your drupal menu administration? That's what I'm talking about enabling. There is already code in the CAS module to facilitate logging out of the single sign out solution. It's been tested pretty thoroughly as people have even been working on the more complicated single sign out support.
You appear to be writing your own, but I'm really unsure as to why, and why you're doing CURL. You should be redirecting to the cas single sign out page.
Have you examined the code that is already in the CAS module for logging out of drupal and CAS?
#12
Yes, I have enabled the CAS Logout menu item but the Drupal session is still alive.
Step 1: Log in by CAS -> http://localhost/drupaltest/
(that redirects to https://localhost:8443/cas/login?service=http://localhost/drupaltest/)
Step 2: Click on the CAS Logout menu item
(that redirects to https://localhost:8443/cas/login?ticket=XXXXXXX)
Step 3: When I type the http://localhost/drupaltest/ URL I'm still logged in.
8-}
I read your code and I think it's right, but in fact it doesn't work.
I'm very interested, and I think that the ticket is still valid until it's sent to the CAS server logout page. I'm using this mod for SSO with several tools and it works fine to log in, but my problem is that I can't be sure about the logout on all of them. I'm using curl because I'm trying to destroy all the sessions.
FranciX
#13
Step two is not correct. Could you send me a copy of your cas redirect settings? The cas logout page is at casserver/cas/logout. You might try adding a trailing slash on the cas uri. (e.g. cas/) I've had some unpredictable behavior with this in some cas server installs.
The ticket is a one time use ticket, per the cas protocol specification. It is good only for validating the request at initial login, and only once. It is not good until logout. I am quite sure of this, and you can verify that with the cas protocol documentation. The fact that you're being redirected to your cas server login page means that you're being asked to log in again. I suspect this is because you're requiring cas authentication for all pages on your drupal site or something, but I'm not sure. We really shouldn't be seeing a ticket parameter there, so that confuses me. The ticket parameter should only be seen on the drupaltest site.
If you're trying to support logging out of all things that you've logged into cas with, then you need to enable cas Single sign out on your cas server and upgrade your cas drupal module client to the 6.x.2 beta, which supports the single sign-out protocol that CAS provides.
Using CURL isn't going to destroy the right session because you're making a new browser that is resident on your php server. It will not have access to the session initiated by the client web browser. You need to look at how single sign out is architected for cas 3.0.
So far I'm pretty sure that you are NOT being redirected correctly to the cas logout page by the menu. That could be because of the missing trailing slash on the uri, or it could be something else in the configuration of either your cas module or your drupal site. I think figuring out what's wrong there is a far better direction than trying to rewrite the cas logout code.
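The behaviour described in #13, as a toy model added here for illustration (it is not part of the thread and is not code from the CAS module, phpCAS or the CAS server): a service ticket validates once, and a logout request ends only the SSO session named by the cookie the caller sends, so a server-side cURL call with an empty cookie jar changes nothing. `ToyCAS`, the user `alice` and the in-memory dictionaries are assumptions; `CASTGC` is the usual name of the CAS ticket-granting cookie.

```python
import secrets

SERVICE = "http://localhost/drupaltest/"  # service URL from step 1 in #12


class ToyCAS:
    """In-memory stand-in for a CAS server (illustrative model only)."""

    def __init__(self):
        self.tgts = {}     # ticket-granting cookie value -> username
        self.tickets = {}  # service ticket -> (username, service)

    def login(self, cookies, service, username=None):
        """GET /login: reuse the SSO session if the browser sends its cookie."""
        tgc = cookies.get("CASTGC")
        if tgc not in self.tgts:
            if username is None:
                return None  # no SSO session: the login form would be shown
            tgc = "TGT-" + secrets.token_hex(8)
            self.tgts[tgc] = username
            cookies["CASTGC"] = tgc
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (self.tgts[tgc], service)
        return st

    def validate(self, ticket, service):
        """Service validation: pop() makes every ticket single-use."""
        user, svc = self.tickets.pop(ticket, (None, None))
        return user if svc == service else None

    def logout(self, cookies):
        """GET /logout: ends only the session named by the caller's cookie."""
        return self.tgts.pop(cookies.pop("CASTGC", None), None) is not None


def demo():
    cas, browser = ToyCAS(), {}  # browser = the user's cookie jar
    st = cas.login(browser, SERVICE, username="alice")  # constructed user
    out = {"first_validate": cas.validate(st, SERVICE),
           "replay_validate": cas.validate(st, SERVICE)}
    # Server-side cURL is a separate client with an empty cookie jar.
    out["curl_logout"] = cas.logout({})
    # The site requires CAS login, so the browser is silently signed in again.
    out["relogin_after_curl"] = cas.login(browser, SERVICE) is not None
    # Redirecting the browser itself to /logout sends the cookie along.
    out["browser_logout"] = cas.logout(browser)
    out["relogin_after_browser"] = cas.login(browser, SERVICE) is not None
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```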
#14
Sorry, I may not have been clear. I was talking about the CAS settings on your drupaltest site related to redirection, and the CAS URI setting on your drupaltest site.
#15
I didn't notice that the url was login and not logout CAS page 8-|
My CAS settings are:
CAS Version: 2.0
CAS server: localhost
CAS port: 8443
CAS uri: /cas
CAS PEM certificate verification: Do not verify the certificate
Is Drupal also the CAS user repository? No
If Drupal is not the user repository, should cas highjack users with the same name? Yes
Should Drupal user accounts be automatically created? Yes
Users cannot change email address: Yes
Users cannot change password: Yes
Auto-assign users to the role(s): authenticated user
Require CAS login for: all pages except specific pages (none specified)
Force redirection on initial login: Yes
Initial login landing page: https://localhost:8443/cas/login
Successful login message: "Autenticado vía CAS como %cas_username."
Redirect user on logout: Yes
Logout destination: https://localhost:8443/cas/
Change password URL:
Registration URL:
Should we extract the user email from an LDAP directory? No
Email attribute: mail
Should we extract user groups from an LDAP directory? No
I'll try the dev version too. Thanks for your attention.
#16
Uncheck the redirect user on logout box. You probably don't want to return to your cas login page upon logging out of CAS. The require login for all pages will take care of that next time you hit this site anyway. Let me know how things go with the dev version.