Problem/Motivation

I think I've discovered a bug where simplesamlphp_auth and autologout don't play well together. Because SAML expects an IdP, when pulling the site locally and trying to log in without one, it's easy to use drush uli because there are no creds we can connect with and we can bypass the SAML login process entirely.

Upon trying to log in for the first time with drush uli (say for UID 1), things will work immediately. However, when autologout kicks in and logs out the user in question, if you try to drush uli again it will no longer work because there's a stalled SESS cookie in the browser. Until you manually delete the SESS cookie or unless it expires (23 days after) you'll be stuck. This is a major issue because it's not straightforward to understand the issue and it's significantly breaking the login mechanism and expectation when using the module.

Proposed resolution

The SESS cookie should be invalidated/destroyed upon automatic logout.

Remaining tasks

Discuss.

User interface changes

Users can now use e.g. drush uli to log in successfully to the site.

API changes

None expected.

Data model changes

None expected.
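
The check below is an added example, not part of the original issue or of either module's code. It tests whether a logout response's Set-Cookie headers actually tell the browser to drop the Drupal session cookie, which is what the proposed resolution asks for. The function name and all header values are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Drupal names its session cookie SESS<32 hex chars> (SSESS<...> over HTTPS).
DRUPAL_SESSION_COOKIE = re.compile(r"^S?SESS[0-9a-f]{32}$")

# Constructed sample headers (not captured from a real site).
SAMPLE_NAME = "SESS" + "0123456789abcdef" * 2
LOGOUT_CLEARS = [SAMPLE_NAME + "=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; "
                 "Max-Age=0; path=/; HttpOnly"]
LOGOUT_LEAVES_STALE = ["has_js=1; path=/"]  # session cookie never mentioned
LOGIN_SETS_FRESH = [SAMPLE_NAME + "=abc123; expires=Fri, 01 Jan 2038 00:00:00 GMT; "
                    "path=/; HttpOnly"]


def expired_session_cookies(set_cookie_headers, now=None):
    """Return the Drupal session cookie names that the response expires."""
    now = now or datetime.now(timezone.utc)
    expired = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not DRUPAL_SESSION_COOKIE.match(name):
                continue
            max_age = morsel["max-age"]
            if max_age:
                # Browsers give Max-Age precedence over Expires.
                if int(max_age) <= 0:
                    expired.add(name)
                continue
            if morsel["expires"]:
                when = parsedate_to_datetime(morsel["expires"])
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                if when <= now:
                    expired.add(name)
    return expired


if __name__ == "__main__":
    for label, headers in [("clears", LOGOUT_CLEARS),
                           ("stale", LOGOUT_LEAVES_STALE),
                           ("fresh", LOGIN_SETS_FRESH)]:
        print(label, sorted(expired_session_cookies(headers)))
```

An empty result for a logout response means the browser keeps sending the old SESS cookie until it expires on its own.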

Comments

anavarre created an issue. See original summary.

AjitS

Category: Bug report » Support request
Priority: Major » Normal

Automated Logout module does what Drupal core's user_logout(); function does internally. There is a call for

$this->moduleHandler->invokeAll('user_logout', [$user]);

in it. Any other module which works with authentication like the simplesamlphp_auth should implement hook_user_logout and take care of removing the extra settings (any cookies, etc.) they create in the authentication process. It might be worth creating an issue in the corresponding module's issue queue.

shrop

Was there ever an issue for this created in the simpleSAMLphp Authentication module's issue queue? Didn't see it here: https://www.drupal.org/project/issues/simplesamlphp_auth?text=automated+...

The idea of a hook_user_logout in that module sounds like a good thing to try.

We are getting an issue where once Automated Logout logs out, we can't get back to the Drupal site even after deleting all cookies. Could be simpleSAMLphp is still authorized and replacing the cookie. Still testing.

DeaOm

Status: Active » Closed (outdated)

There was no new activity in about 4 years, so closing it as outdated.