Shibboleth sessions are restored on next login after logging out #8475
Comments
ybnd
added
bug
authentication: Shibboleth
|
@ybnd : I think another way to approach this would be to address #7799 I see we actually have an old PR to address this from @paulo-graca : #2758 But it looks to have been abandoned. Maybe it's time to look at whether Single Logout for Shibboleth makes sense? |
tdonohue
added
medium priority
Estimate TBD
|
We ran into the same issue. If I understand correctly, this appears to be caused by the AuthenticationService attempting each AuthenticationMethod retrieved through getAuthenticationMethodStack. This AM Stack appears to be built through getPluginSequence, its docstring states that: I tried changing the order of the AuthenticationMethods in local.cfg (commenting out other occurances in authentication.cfg), hoping that PasswordAuthentication will be attempted before ShibAuthentication, so that it now looks like this: This appears to have solved the issue for us. |
tdonohue
added
high priority
and removed
Estimate TBD
Describe the bug
Impossible to log in via username/password after logging out of a Shibboleth session
_shibsession_*cookie remains even after logging inTo Reproduce
Steps to reproduce the behavior:
_shibsession_*cookie in your browser's dev tools_shibsession_*cookie remainsExpected behavior
Shibboleth sessions should not bleed over into the next "password session"
Preliminary investigation
Confirmed that this issue cannot be addressed from the frontend, as the
_shibsession_*cookie isHttpOnly. We may be able to solve this by explicitly ignoring the cookie in REST if a login attempt is being made with username/password.Related work
Discovered while working on DSpace/dspace-angular#1805
The text was updated successfully, but these errors were encountered: