After the user logs out, the session cookie still exists (assuming you've applied patch #18 from https://www.drupal.org/node/2020009).
Comments
Comment #1
dealancer commented
Comment #2
dealancer commented: Now I see why:
> // :KLUDGE: for some reason Drupal is not killing the session, even if I were to call drupal_session_destroy_uid() here.
> session_destroy();
Comment #3
dealancer commented: Here are a few notes on how log in / log out works, which could help us shed some light on what's going on and what is wrong.
1. The Simple SAML module calls $_simplesamlphp_auth_as->requireAuth()
2. The user logs in and cookie variables are set through the Simple SAML library; the variables are: SimpleSAMLAuthToken and SimpleSAMLSessionID
3. When the user logs out, $_simplesamlphp_auth_as->logout() is called
4. The session variables should be deleted by doLogout, but they are not
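A quick way to confirm whether a logout response really clears the two cookies named above is to inspect its Set-Cookie headers. The following is an added example (not code from the simplesamlphp_auth module or SimpleSAMLphp); it assumes the default cookie names SimpleSAMLSessionID and SimpleSAMLAuthToken, and the sample headers are constructed.

```python
"""Check whether a logout response clears the SimpleSAMLphp session cookies.

Added example for this thread; assumes the default cookie names below.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Default SimpleSAMLphp cookie names (configurable in the library; assumed here)
SAML_COOKIES = ("SimpleSAMLSessionID", "SimpleSAMLAuthToken")


def cookie_is_cleared(morsel, now):
    """A cookie counts as cleared when the server empties it or expires it."""
    if morsel.value == "" or morsel.value.lower() == "deleted":
        return True
    max_age = morsel["max-age"]
    if max_age != "" and int(max_age) <= 0:
        return True
    expires = morsel["expires"]
    if expires:
        try:
            return parsedate_to_datetime(expires) <= now
        except (TypeError, ValueError):
            return False  # unparseable date: treat as not cleared
    return False


def lingering_saml_cookies(set_cookie_headers, now=None):
    """Return the SAML cookie names the logout response did NOT clear."""
    now = now or datetime.now(timezone.utc)
    cleared = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in SAML_COOKIES and cookie_is_cleared(morsel, now):
                cleared.add(name)
    return [n for n in SAML_COOKIES if n not in cleared]


# Constructed sample: the logout response expires the Drupal session cookie
# and SimpleSAMLAuthToken, but never touches SimpleSAMLSessionID.
SAMPLE_LOGOUT_HEADERS = [
    "SESS1234=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; HttpOnly",
    "SimpleSAMLAuthToken=; Max-Age=0; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    print("still set after logout:", lingering_saml_cookies(SAMPLE_LOGOUT_HEADERS))
```

Feed the function the Set-Cookie headers captured from the actual logout request; any name it returns is a session cookie the browser keeps, which is exactly the symptom reported in this issue.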
Comment #4
brooke_heaton commented: I've been looking into this as well. Even if we kill the SSO session via db_delete, it returns later.
I've tried this patch but it deletes the SSO Session but the session is eventually restored.
Resetting the cookie appears to lead to a SAML error.
Looking at this thread, I am led to believe that there may not be a method to kill the SSO session: https://groups.google.com/forum/#!topic/simplesamlphp/svpnggJMwf4
Comment #5
brooke_heaton commented: I wonder if we are chasing our tails here. I'm still unclear on the behavioral problem of having the SSO session active after Drupal logout.
I can say that after updating function simplesamlphp_auth_user_logout($account) to delete the SSO Session in the DB and reset the SSO session cookies, this leads to a fatal error with simplesaml. This may be because it needs the session to remain active.
For instance, if you look at doLogout at simplesamlphp/lib/SimpleSAML/Session.php:551, it appears that even at logout, which is called at simplesamlphp_auth/simplesamlphp_auth.module:427, the cookies are reset. Forcefully ending the sessions seems to go against the desired SSO behavior.
Am I missing something?