Cas login redirect infinite loop

To debug, go grab one of the phpCAS examples (https://wiki.jasig.org/display/CASC/phpCAS+examples) --- probably the "example_simple.php" --- and see if you can get that working.

Hi Cristian,

I'm having the same issue and am also using SSL. What was the misconfiguration in your SSL that was causing the error?

-Tim

Hi All,

Hmmm, question. Can the client site have SSL/httpS? Will CAS work with this? Seems to work fine with http but not httpS. I do have my SSL setup correctly, so I'm wondering can this be done with CAS?

Many thanks,
-Tim

Yes, the client site can have https. (Mixed http and https might cause some issue, but Drupal gets pretty confused about that to begin with).

Hi Bradley,

I was using https for the whole site. I tried mixed mode since to see if I could get that working, but same results.

Here's a little more about the behavior I've been seeing.

1.) Click login button and get directed to CAS server.
2.) Enter user/pass on CAS server
3.) Get caught in infinite redirect.
4.) Hit the browser's back button until I'm back on the client's site with the log in button to go to CAS server.
5.) Click the log in button to get directed to the CAS server again.
6.) Wind up on the CLIENT site (skips the CAS server this time) but on the client site it has the following error message...

Skip to main content (link to user page)
Site name (link to home page)
Error
The website encountered an unexpected error. Please try again later.

7.) I click the skip to main content or site name link and I'm now logged in...with httpS...
8.) I click logout and I'm successfully logged out.
9.) I click the login to the CAS server again and sometimes I can use the back button to get the error message and log in again and sometimes I click the log in button again and get thrown back into the redirect.

Any ideas on what I could try?
-Tim

Hi all,

Some more information. I tried the solution proposed here. http://drupal.org/node/1561300#comment-6682626

That brought me to the error page described in #8 above right away and then clicking one of the links logged me in successfully. Then logging out will successfully log me out. Then trying to log me back in again will bring me back to the infinite redirect loop.

Drupal 7.18
CAS 7.x-1.2 (tried 7.x-1.3-rc1 with same results)
phpCAS 1.3.1
PHP 5.3.20

Thanks for reading,
-Tim

The website encountered an unexpected error. Please try again later.

Any chance you can dig through your website logs and find out what the underlying error message is?

Another useful tool for debugging is the phpCAS debug log. You can turn it on in the CAS module preferences ... it's near the bottom of the list of options.

Hi Bradley,

Sure thing. The first login attempt i get the following in the DB log.

Session opened for username
Location https://www.example.com/cas?destination=user
Referrer https://mycasserver.example.com/cas/login?service=https%3A%2F%2Fwww.exam...
Message Session opened for username.

PDOException: SQLSTATE[23000]: Integrity constraint...
(replaced long strings/session vars with "random_numbers")
Location https://www.example.com/cas?destination=user
Referrer https://mycasserver.example.com/cas/login?service=https%3A%2F%2Fwww.exam...
Message PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'random_numbers' for key 'PRIMARY': UPDATE {sessions} SET sid=:db_update_placeholder_0, ssid=:db_update_placeholder_1 WHERE (ssid = :db_condition_placeholder_0) ; Array ( [:db_update_placeholder_0] => random_numbers [:db_update_placeholder_1] => random_numbers [:db_condition_placeholder_0] => random_numbers ) in drupal_session_regenerate() (line 393 of includes/session.inc).

undefined
Location https://www.example.com/undefined
Referrer https://www.example.com/
Message undefined
Severity warning

This is what gets me to the "Unexpected error" page. Then I click the link on that page and am now successfully logged in. I logout again and try logging in again and these are the errors in the DB log.

Access Denied user/undefined
Location https://www.example.com/user/undefined
Referrer https://www.example.com/user/username
Message user/undefined

No php/DB error about Integrity constraint this time around.

I enabled the phpCAS debug log. But not sure where this is output. Seems like it's a file that gets written somewhere? I took a look in sites/example.com/files and the cas module folder but didn't see anything. Where can I find the debug info?

Many thanks,
-Tim

Changing version...

Hi All,

1.) Figured out where the debug file goes. It goes where you tell it to go. I didn't realize that I had to put the full path on the disk since the instructions said "filename" not file path. Some trial and error and I finally got it.

cas-debug (no)
cas-debug.txt (no)
tmp/cas-debug.txt (no)
/tmp/cas-debug.txt (no)
files/tmp/cas-debug.txt (no)
/files/tmp/cas-debug.txt (no)
/mywebdir/drupal_root/sites/example.com/files/tmp/cas-debug.txt (yes)

May I suggest defaulting to the files/tmp directory in the next version and change the instructions to be a little more clear on what is required?

2.) Attached is the debug info. Note, I replaced URLs and usernames with generic values.

Many thanks,
-Tim

Looks like the site converted my attachment to a bunch of pretty question marks...trying to reupload...

-Tim

Tim: Yes, agreed that the docs should be better there. Also if we had more time we should write up some docs on how to use and interpret the debug log.

Anyway, looking at your debug log it appears that:
1. You are successfully being redirected to the CAS server to login.
2. After possibly entering your credentials the CAS server redirects you back to the Drupal site with a login token.
3. phpCAS successfully validates the the login token and thinks you are a valid user, stuffing your credentials in the php session variable.
4. phpCAS perform a redirect to remove the login token from the URL (this is standard procedure)
5. phpCAS cannot remember that you were authenticated -- the php session variable is not properly saved & restored.

So... we need to figure out why phpCAS is not working. As a first debug step, if you haven't already, let's remove Drupal from the equation by trying the phpCAS example_simple.php script. You'll find it in the phpCAS docs/examples directory. Can you get that to work?

-Brad

Hi Brad,

I just tried the example_simple.php file. It worked successfully.

Successfull Authentication!

Current script
    example_simple.php
session_name():
    session_for:example_simple_php
session_id():
    ST-2856-enl8vYMI4NIFXaiZCM5r

the user's login is username.

phpCAS version is 1.3.2.

Logout

Where do I go from here?
-Tim

Unfortunately, I'm not sure. In a few instances of this in the past the example_simple.php script led to infinite redirect loops, which were able to be debugged. Is there anything "non-standard" (i.e., possibly rare) with your installation?

Hi Brad,

I just tried this on a blank install on my server, something I should have tried a while ago. (I'm hosted with omega8.cc) I am getting the same behavior with CAS. The only modules enabled are CAS and the libraries module.

The first thing I'm greeted with on the very first CAS login attempt is the PDO integrity violation error.

PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'random_numbers1' for key 'PRIMARY': UPDATE {sessions} SET sid=:db_update_placeholder_0, ssid=:db_update_placeholder_1 WHERE (ssid = :db_condition_placeholder_0) ; Array ( [:db_update_placeholder_0] => random_numbers2 [:db_update_placeholder_1] => random_numbers3 [:db_condition_placeholder_0] => random_numbers4 ) in drupal_session_regenerate() (line 393 of includes/session.inc).

So the problem is either in the CAS module or maybe in Drupal itself? Maybe something with the way Omega8 has things configured. But I've had multiple tickets asking them to confirm and check various things. They say everything is set up correctly on their end.

Would you happen to be available for hire and have the time for some work? I'll send you a PM.

Many thanks,
-Tim

Okay, next hunch would be that it is relating to the ">caching & aggregation that the site is using. Can you try logging in with either of those disabled on the dev site?

Hi Brad,

Yes, I've tried that. Made the "dev" url to turn caching off. This was on the blank install site.

-Tim

Tim and I, working offline, mocked up a custom module to work around this issue.

cas_login_fix.info:

name = CAS Login Fix
package = Central Authentication Service
core = 7.x
description = "Fix infinite redirect loops in the CAS login process."
dependencies[] = cas

cas_login_fix.module:

<?php
function cas_login_fix_phpcas_alter() {
  phpCAS::setNoClearTicketsFromUrl()
}

The module disables the final redirect in the phpCAS login process, which serves only to remove the ?ticket=... parameter from the URL. This is an important security step, as we don't want the ticket to be in the URL which the user might accidentally share or might reveal to a third party site in an HTTP Referer log. But, with the standard login process (through /cas) we already perform a redirection step which should remove this parameter anyway.

However, other login triggers, i.e, the gateway "check if user is already logged in" or required cas login pages, might not properly sanitize ?ticket=... from the URL. In summary, ensure that ?ticket=... does NOT remain in the URL after the user has logged in.

Hi Brad,

Thanks so much for working with me on this. You saved the day! The custom module solution works just great. I wasn't able to learn anymore from Omega8 or through anymore trial and error. Things on Omega8's end seem to be set up correctly. If I learn anything new I'll report back here. Marking as fixed.

I'm glad you were able to find a solution. Thanks so much again for the help!

-Tim

To anyone wondering why the fix in comment #21 isn't working, the answer is that the hook is named hook_cas_phpcas_alter(), not hook_phpcas_alter(). So your function in cas_login_fix.module should be named cas_login_fix_cas_phpcas_alter().

The fix from #21 totally worked with the comment from #25 to about the proper function name.

/**
 * Implements hook_cas_phpcas_alter().
 */
function MY_MODULE_cas_phpcas_alter() {
  // Production is redirecting with the ticket removed.
  phpCAS::setNoClearTicketsFromUrl();
}

#21 with #25 worked for me too. Thanks guys!