When the gateway feature is enabled, I noticed there's an issue with how CAS handles redirects. When a user is NOT signed into CAS, they are redirected back to the site with the ?destination= parameter still attached to the URL. This causes major issues for things like Google Analytics as well as overall user experience.

To reproduce:

  1. Open browser and make sure all cookies are cleared for your local test site
  2. Make sure you are signed out of CAS
  3. Enable gateway feature in CAS settings
  4. Visit a page on the site, like http://mysite.dev/node/1
  5. The user will be quickly redirected to the CAS server just to check if the user is already logged in. In this case, they are not, and then redirected back to the main site, but with ?destination=node/1 in the URL.

If the user IS logged into CAS already, then the destination parameter in the return URL is handled accordingly and it does not remain.

This code is a bit difficult to follow - XDebug has been very helpful though. Will try and come up with a patch if possible.

Comments

yalet

Can you try the patch in https://drupal.org/comment/8504291#comment-8504291 ? (We know about the test failures, but there is some issue with the testbot; the tests pass locally for that patch.) That issue significantly changes the way gateway mode is handled; one of my comments in that issue (several updates prior to the linked patch) mentions bad destination parameter behavior. I am using that patch on my production sites currently, and I am not seeing the behavior you describe.

It would be nice to get a review of that patch to try to push it through.

bkosborne

Yes, applying that patch addresses this, but I've raised a concern in that issue. I think we should leave this issue open for now while we work out the other.

bkosborne

Status: Active » Closed (duplicate)