We already have a configuration option in place for a logout if a Crowd user's SSO cookie has disappeared (most likely because they have logged out from a different Crowd app in the same SSO group), but we don't have a way to deal with a token/cookie change. Though it's unlikely that this would happen that often, it's possible if a user logs in to a number of apps in an SSO group (including Drupal) and then logs out of one, and back in as a different user (without refreshing or logging out of Drupal). Currently this situation would just leave the original Drupal user logged in unless the "Validate the SSO cookie on each request" option is selected. This isn't so bad, but it would be nice, and more consistent from a UX perspective, if we could detect the cookie change (without needing to contact the Crowd server) and log out the old user.

I think this could fairly easily be accomplished by storing the SSO cookie value inside the Drupal session. If it's there, then we can check it against the active SSO cookie without any overhead, and logout if a change is detected.

I'd like to extend the existing "Log out if cookie is deleted" option to do this, and will hopefully be able to capture this change in a commit shortly.
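One way the session-stored comparison described above could look in a Drupal 7 module, as an added illustration that is not the Crowd module's own code (the `crowd_sso_guard_` function prefix, the `crowd_sso_guard_cookie_name` variable and the session key are assumptions; the default cookie name `crowd.token_key` is Crowd's usual default but should be taken from the module's configuration):

```php
<?php
/**
 * Hypothetical Drupal 7 hooks: capture the Crowd SSO cookie at login, then
 * compare it on each request and end the Drupal session when it changes or
 * vanishes, without any round trip to the Crowd server.
 */

/**
 * Implements hook_user_login(): remember the SSO cookie seen at login time.
 */
function crowd_sso_guard_user_login(&$edit, $account) {
  // Variable name is an assumption; Crowd's cookie name is configurable.
  $cookie_name = variable_get('crowd_sso_guard_cookie_name', 'crowd.token_key');
  if (isset($_COOKIE[$cookie_name])) {
    $_SESSION['crowd_sso_guard_token'] = $_COOKIE[$cookie_name];
  }
}

/**
 * Implements hook_init(): cheap per-request check against the stored value.
 */
function crowd_sso_guard_init() {
  global $user;
  if (empty($user->uid)) {
    return;  // Anonymous users have no Drupal session to protect.
  }
  $cookie_name = variable_get('crowd_sso_guard_cookie_name', 'crowd.token_key');
  $current = isset($_COOKIE[$cookie_name]) ? $_COOKIE[$cookie_name] : NULL;
  $stored = isset($_SESSION['crowd_sso_guard_token']) ? $_SESSION['crowd_sso_guard_token'] : NULL;

  if (crowd_sso_guard_token_changed($stored, $current)) {
    watchdog('crowd_sso_guard', 'SSO cookie changed or missing for uid %uid; ending Drupal session.',
      array('%uid' => $user->uid), WATCHDOG_NOTICE);
    // Same steps user_logout() performs in D7, minus the redirect.
    module_invoke_all('user_logout', $user);
    session_destroy();
    $user = drupal_anonymous_user();
  }
}

/**
 * TRUE when a token was captured at login and the live cookie no longer
 * matches it (or is gone). hash_equals() keeps the comparison constant-time.
 */
function crowd_sso_guard_token_changed($stored, $current) {
  if ($stored === NULL) {
    return FALSE;  // Session predates the check; nothing to compare against.
  }
  if ($current === NULL) {
    return TRUE;   // Cookie deleted: the existing "log out" case.
  }
  return !hash_equals($stored, $current);  // Cookie replaced by another login.
}
```

`hash_equals()` needs PHP 5.6 or later; on older PHP the comparison would have to be written by hand.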

Comments

rjacobs

Status: Active » Fixed

This is now addressed and committed. For D7:

http://drupalcode.org/project/crowd.git/commit/25350b3

and for D6:

http://drupalcode.org/project/crowd.git/commit/3648d33

These commits also add a couple of API and REST service method enhancements (added hook during user data syncing, better centralized common REST connection variables, etc.).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.