This module calls the PHP global method `session_destroy()` instead of using the Drupal session_manager service. This should use the service instead, since it's Drupal specific code.
There is no real "problem" I'm trying to solve here, just something I noticed when debugging this method. The general "call stack" is as follows...
user.module : user_logout()
- method invokes all hook_user_logout commands.
-- simplesamlphp_auth.module : simplesamlphp_auth_user_logout()
--- method uses php's built in function to destroy the session.
--- method calls the simplesamlephp library's logout method, which redirects the user to "/" or a setting variable. this skips the rest of the stack below.
- method destroys the session with the session_manager service.
- method sets current user account to a new anonymous user.
Comment | File | Size | Author |
---|---|---|---|
#15 | simplesamlphp_auth-use-session-manager-logout-2900442-15.patch | 1.36 KB | angrytoast |
| |||
#11 | 2900442-11.patch | 1.37 KB | joelpittet |
|
Comments
Comment #2
dpagini CreditAttribution: dpagini as a volunteer commentedThis patch uses the Drupal session_manager to destroy the session. In addition, since the stack I described skips the functionality in Drupal core's `user_logout()` method, I am also setting the $account variable's "Account" to a new Anonymous User session. I don't think this will have much an effect, but I wanted to ensure we are still accomplishing what Drupal Core is doing OOTB.
I think it's a little heavy handed for the SimpleSAMLPHP module to take over the current request and redirect the user. I wish there was a less intrusive method that could be called to clean up the user session, but still allow other Drupal modules to execute code.
Comment #3
dpagini CreditAttribution: dpagini as a volunteer commentedSeeing this is a similar approach to #2604058. Adding it as a related item. Sorry for the duplicate. This is a more simple/straightforward change, and that issue is marked as Needs Work currently. Going to leave this open to get feedback.
Comment #4
joelpittetThis seems correct and simple. The other issue can re-roll with this fix in place as it should help them concentrate on the their SSO issue title goal.
Comment #5
joelpittetNot changing the RTBC status, this is the same patch just rerolled due to use statement not there
-use Drupal\Core\Link;
and an extra line break. And I added the interface like the other issue because it gives a nice IDE hints.Comment #7
joelpittetThat failed test looks unrelated, I've requeued testbot.
Comment #9
joelpittetI think there is an issue with the test not the patch, this error happened on a completely different patch.
Comment #10
joelpittetHere's a fix for the failing unit test in HEAD #2969420: Tests failing in HEAD due to missing mocked method
Comment #11
joelpittetRerolled because #2764733: Logout compatibility with Masquerade module was committed first.
Comment #12
joelpittetWe've been using this for a while. Just checking/bumping.
Comment #13
BerdirThe documented argument for this is AccountInterface, not AccountProxyInterface.
Comment #14
BerdirComment #15
angrytoast CreditAttribution: angrytoast as a volunteer commentedUpdating with a patch; taking the past work and addressing the concerns in #13.
Comment #16
angrytoast CreditAttribution: angrytoast as a volunteer commentedComment #17
joelpittetThanks for fixing that, I was about to roll a patch and realized it was broken because of the issue in #13
Comment #19
BerdirThanks, committed.