handleLogoutRequest and config file #373

Closed
Cyazd opened this issue Mar 12, 2021 · 10 comments

@Cyazd

Cyazd commented Mar 12, 2021

Hello to everybody,

I've got a small issue I haven't been able to resolve during the last two weeks, so I'm coming here for some help.

I have a phpCAS client app. When someone logs out of the CAS server, the server sends (apparently) a logout notification to my app.

But when I log out of the server and refresh my client app, I'm still connected. Looking at the log file, no request was intercepted.

To handle the logout I just added the `phpCAS::handleLogoutRequest();` line before the `phpCAS::forceAuthentication();` one. Is there something I should also add to the config.php file to handle the logout request?

Thanking you in advance for your help.

@jfritschi
Contributor

jfritschi commented Mar 12, 2021

Please check #195 and test one of our examples https://github.com/apereo/phpCAS/blob/master/docs/examples/example_logout.php


@jfritschi
Contributor

And also #212

@jfritschi
Contributor

Typically the connection from the CAS server to the phpCAS service is not working: (flow of the logout signal is from client -> CAS server -> phpCAS service)

  • You need working HTTPS
  • You need a Certificate trusted by the CAS server
  • You need a working network connection/routing/DNS between the systems (load balancers or network topology may get in the way)

@Cyazd
Author

Cyazd commented Mar 12, 2021

Thank you for your quick answer.

I doubt it is an HTTPS or certificate issue: the app has worked up to now (before I implemented the central logout feature). Besides, when I look at the log files, there is no error message. Just a:

```
CD4E .=> CAS_Client::handleLogoutRequests(true, array ()) [CAS.php:1298]
CD4E .| Not a logout request [Client.php:1744]
CD4E .<= ''
```

Which seems strange because the guy who is managing the CAS server assured me that a logout request was sent to my application.

Here's the code for the index.php:

```php
<?php
require_once 'config.php';
require_once $phpcas_path . '/CAS.php';
phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
phpCAS::setCasServerCACert($cas_server_ca_cert_path);
phpCAS::handleLogoutRequests();
phpCAS::forceAuthentication();

if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
include 'webapp.php';

?>
```

@jfritschi
Contributor

There is a big difference between an HTTPS certificate working in your browser (with populated trusted certificate authorities) and the certificate being accepted as "trusted" by the Java library on the CAS server itself. It's not uncommon for a trust store file of a Java installation to be empty...

Ask your CAS admin to check if he sees a connection denied or similar entry in the CAS server logs. Without specific SSL debugging enabled, any untrusted certificate shows up as a connection error.

I have also seen many cases where CAS servers were behind load balancers and could not initiate any outgoing TCP connections, or routing/DNS was not working fully. Ask your CAS admin to use any command-line web client to connect to your application (wget, curl...).

You can also use Wireshark or any network monitoring to check if any connection is established on your end. If the SSL handshake fails, it will not even register in your web server or phpCAS logs, but it would be visible in the network data.

@Cyazd
Author

Cyazd commented Mar 12, 2021

Thank you very much.

I'll see with the admin then.

@Cyazd
Author

Cyazd commented Mar 17, 2021

So, I contacted the administrator of the CAS server, and the only thing he told me was that he's seeing a logout request sent by the CAS server (image in attachment). And he asked me to see if I received that request on my server.

Not really knowing what I was doing, I did a tcpdump listening to port 443 and I do indeed see the login to my app, and also a request with an F flag when I log out of the CAS server.

I don't know if it is of any help, nor what I'm really supposed to do now...

[Image: capture]

@jfritschi
Contributor

Have you checked the debug log of phpCAS? I typically just "tail -f" the debug log and then issue a logout... You can then follow the trace of what phpCAS is doing with any incoming request.

If you cannot see anything in the logs, the issue is outside of phpCAS...

I can only recommend that you start debugging issues like this with our simple examples to avoid too much complexity. If the session handling is not done by phpCAS itself, a logout will only work if you configure a custom callback handler to do whatever magic is needed in your application: phpCAS::setSingleSignoutCallback()

@Cyazd
Author

Cyazd commented Mar 24, 2021

Issue has been resolved. Here's what I did:

Using SSLLabs I've tested the SSL certificate. The result was an "Incomplete Certificate". Apparently browsers can overcome this issue, but it wasn't the case for the CAS server (or curl, or Python).

I had to complete the Apache ssl.conf file with the SSLCertificateChainFile option.

That being done, I could send a secure POST request with curl and Python. But the logout function still wasn't working.

The phpCAS logout file showed that now the logout request was received but the server sending it was different than the one responsible for the login, so I had to add it in the phpCAS::handleLogoutRequest options.

And now, finally, it all works.

Thank you very much for all your help jfritschi (and indeed, as you stated at the beginning, it was an SSL issue)!
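
Added example (not part of the thread and not the project's own code): the `index.php` posted earlier in this issue, with the second fix described in the comment above applied, namely an explicit list of hosts allowed to send logout requests. The host name and IP address are placeholders and `$cas_logout_senders` is a name chosen here; phpCAS compares each entry with the sender's IP address and with its reverse-DNS name.

```php
<?php
// Added example: the entries marked "placeholder" are not values from the thread.
require_once 'config.php';
require_once $phpcas_path . '/CAS.php';

phpCAS::client(CAS_VERSION_3_0, $cas_host, $cas_port, $cas_context);
phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// Hosts permitted to POST a logout request to this service.
// With an empty list, phpCAS only accepts the host name given to
// phpCAS::client(), so a cluster node or other machine that actually
// sends the request has to be listed here.
$cas_logout_senders = array(
    $cas_host,
    'cas-node2.example.org', // placeholder: reverse-DNS name of the sending host
    '192.0.2.10',            // placeholder: or its IP address
);

// The first argument (true) keeps the sender check enabled. Passing false
// would accept logout requests from any host, so extend the list instead.
phpCAS::handleLogoutRequests(true, $cas_logout_senders);
phpCAS::forceAuthentication();

if (isset($_REQUEST['logout'])) {
    phpCAS::logout();
}
include 'webapp.php';
```

The entries to add are the sender details that the phpCAS log records for the rejected logout request.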

@jfritschi
Contributor

Glad you figured it out!
