After the user logs out, the session cookie still exists (assuming you've applied patch #18 from https://www.drupal.org/node/2020009).

Comments

dealancer wrote:

Now I see why:

> // :KLUDGE: for some reason Drupal is not killing the session, even if I were to call drupal_session_destroy_uid() here.
> session_destroy();

dealancer wrote:

Here are a few notes on how log in / log out works, which could help us shed some light on what's going on and what is wrong.

1. The Simple SAML module calls $_simplesamlphp_auth_as->requireAuth()
2. The user logs in and cookie variables are set through the Simple SAML library; the variables are SimpleSAMLAuthToken and SimpleSAMLSessionID
3. When the user logs out, $_simplesamlphp_auth_as->logout is called
4. Session variables should be deleted by doLogout, but they are not
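As an added check for the behaviour described in the notes above (this is not code from the thread, from simplesamlphp_auth or from SimpleSAMLphp): given the cookies a browser held before logout and the Set-Cookie headers of the logout response, report which SSO cookies are still live afterwards. The two SimpleSAML cookie names come from the post; the Drupal session cookie name, the values and the headers are constructed.

```python
"""Check a logout response for the symptom in this issue: the SimpleSAMLphp cookies
outliving Drupal's logout. Added illustration, not simplesamlphp_auth or SimpleSAMLphp code."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SSO_COOKIES = ("SimpleSAMLSessionID", "SimpleSAMLAuthToken")
NOW = datetime(2013, 7, 1, tzinfo=timezone.utc)  # fixed clock so Expires checks are reproducible

# Constructed cookies the browser holds before the logout request.
PRE_LOGOUT = {"SESS0123abcd": "drupalsess", "SimpleSAMLSessionID": "abc123", "SimpleSAMLAuthToken": "tok456"}
# Constructed logout response mirroring the report: Drupal's own cookie is expired,
# one SSO cookie is re-issued with a live value and the other is never mentioned.
BUGGY_LOGOUT = [
    "SESS0123abcd=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/; HttpOnly",
    "SimpleSAMLSessionID=abc123; Path=/; HttpOnly",
]
# What a logout that really ends the SSO session would send for both cookies.
FIXED_LOGOUT = BUGGY_LOGOUT[:1] + [
    "SimpleSAMLSessionID=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
    "SimpleSAMLAuthToken=; Max-Age=0; Path=/; HttpOnly",
]


def cookie_cleared(morsel, now):
    """True if this Set-Cookie entry expires the cookie in the browser (Max-Age wins over Expires)."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0
        except ValueError:
            pass
    if morsel["expires"] != "":
        try:
            return parsedate_to_datetime(morsel["expires"]) <= now
        except (TypeError, ValueError):
            pass
    return morsel.value == ""  # no expiry attribute at all: only an emptied value counts


def surviving_sso_cookies(pre_logout, set_cookie_headers, now=NOW):
    """Names of SSO cookies still usable after logout: left untouched by the
    response (browser keeps the old value) or re-issued with a live value."""
    state = {n: "untouched" for n in SSO_COOKIES if n in pre_logout}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one header per jar so attributes bind to the right cookie
        for name, morsel in jar.items():
            if name in state:
                state[name] = "cleared" if cookie_cleared(morsel, now) else "reissued"
    return sorted(n for n, s in state.items() if s != "cleared")
```

Run it against the real logout response of an affected site by replacing the constructed headers with the Set-Cookie values your client received; an empty result means both SSO cookies were invalidated.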

brooke_heaton wrote:

I've been looking into this as well. Even if we kill the SSO session via db_delete, it returns later.

I've tried this patch; it deletes the SSO session, but the session is eventually restored.

    $config = SimpleSAML_Configuration::getInstance();
    $session_cookie_name = $config->getValue('session.cookie.name');

    // Remove the SSO session row keyed by the SimpleSAML session cookie value.
    if (isset($_COOKIE[$session_cookie_name])) {
      db_delete('simplesaml_kvstore')
        ->condition('_key', $_COOKIE[$session_cookie_name], '=')
        ->execute();
    }

Resetting the cookie appears to lead to a SAML error.

Looking at this thread, I am led to believe that there may not be a method to kill the SSO session: https://groups.google.com/forum/#!topic/simplesamlphp/svpnggJMwf4

brooke_heaton wrote:

I wonder if we are chasing our tails here. I'm still unclear on the behavioral problem of having the SSO session active after Drupal logout.

I can say that after updating function simplesamlphp_auth_user_logout($account) to delete the SSO Session in the DB and reset the SSO session cookies, this leads to a fatal error with simplesaml. This may be because it needs the session to remain active.

For instance, if you look at doLogout at simplesamlphp/lib/SimpleSAML/Session.php:551, it appears that even at logout, which is called at simplesamlphp_auth/simplesamlphp_auth.module:427, the cookies are reset. Forcefully ending the sessions seems to go against the desired SSO behavior.

    /**
     * Marks the user as logged out.
     *
     * This function will call any registered logout handlers before marking the user as logged out.
     *
     * @param string $authority The authentication source we are logging out of.
     */
    public function doLogout($authority)
    {
        SimpleSAML_Logger::debug('Session: doLogout('.var_export($authority, true).')');

        if (!isset($this->authData[$authority])) {
            SimpleSAML_Logger::debug('Session: Already logged out of '.$authority.'.');
            return;
        }

        $this->markDirty();

        $this->callLogoutHandlers($authority);
        unset($this->authData[$authority]);

        if (!$this->isValid($authority) && $this->rememberMeExpire) {
            $this->rememberMeExpire = null;
            $this->updateSessionCookies();
        }
    }

Am I missing something?