-
Notifications
You must be signed in to change notification settings - Fork 975
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need ability to use a custom sessionID #47
Comments
#40 related |
In reference to this diagram, when the browser is redirected to the ticket transfer callback URL –#3 in the diagram– you should be able to regenerate the session and set the sessionID. For example: app.get('/casCallback', function (req, res, next) {
var ticket = req.query.casTicketName;
req.session.regenerate(function (err) {
if (err) // handle error ...
req.sessionID = ticket;
// attach stuff to session or call next() and so on ...
});
}); The ID will be signed with your secret, like usual, then used in the cookie thats set on the browser. |
We have struggled to get this to work with the MemoryStore which we have switched to for now as we can easily do a lookup in sessionStore.sessions to find the corresponding sid for a given CAS service ticket. One challenge that we had a hard time diagnosing was that when we hit the logout route and destroy the session, there happens to be a set session with the old sid and user info queued up so I can see the session get destroyed and then recreated right afterward. To solve it we null out req.session and req.sessionId inside the req.session.destroy callback before we redirect back to CAS. I have a feeling there may be a similar issue going on with regenerate but have not had time to dig into it. Do you have any insight into this behavior, as it was pretty unintuitive and seems like a bug in the order of operations. At this point in-memory is a workable solution as our sessions are small in size and number and with the below code everything is working just fine.
|
The Generally speaking, if the route is being hit by the user, you should only be interacting with the |
I'm closing this, as it doesn't seem like a bug. Feel free to reopen if you disagree |
Thanks a lot those suggestions make way too much sense, my code is much more logical now. So that was ultimately a side issue, to move on to a memcache store we will still need to get your earlier suggestion working. I have attempted just that but run into some issues. Have you successfully changed the sid with this technique? Firstly I see three sessions when I reload the page, of course cas is doing some redirecting right away and I'm wondering if that is the cause, when I get redirected back from cas with the ticket, the cas middleware kindly removes that query param for me, another redirect, when we come back we have a cas user and Service Ticket and need to change the session id to the ST. I believe a new session is being regenerated but the new sid is not the value I provided.
|
I did some more investigation, and the technique I suggested won't work. Sorry about that :) You are going to have to destroy then write your own if (!req.session.casSid) {
// destroy the old session
req.session.destroy(function (err) {
if (err) { /* todo handle err here */ }
// req.sessionID has to be set before Session is instantiated
req.sessionID = ticket;
req.session = new session.Session(req);
req.session.cookie = new Cookie(session.cookie);
_.merge(req.session, session);
req.session.casSid = true;
respond(req, res);
});
} else {
respond(req, res);
} The above is a hack for sure, but it might work for you? I'll reopen this as a feature request, related to #40. Sorry for the confusion at first. |
Awesome, that works. Yeah I too saw the code using defineProperty and was kind of lost at that point. Assumed there was some other process going on perhaps to replace the whole object but clearly not. Thanks so much! |
FYI you should not even be setting your session ID as your CAS session ticket ID; if you need to destroy sessions based on ticket ID, you should either use a store that lets you do that look up (this module lets you build your own store) or you need to use a second storage mechanism to map CAS session ticket IDs to your user's browser session IDs. |
Memcache and Redis both seem (oddly) ill suited to this task, an actual database is what is required. When we moved on to implement SSO in another app, this time a Java Spring app, we ran into the same problem. Basically CAS Single Sign Out has no reference implementation that supports clustering. We would have to similarly rewrite the sign out filter to be backed by a database then we would be able to do the lookup of a session via a service ticket. This all seems too complex and indeed with CAS 4.0 the SSO process has been greatly simplified with support for clustered apps on all platforms via a front-channel sign out. In CAS 3.x saml post messages originating from the CAS server tell each service to destroy any session associated with a given service ticket. In CAS 4.x, upon logout, the user's client is eventually redirected to each service's logout page one after the other until all of their open sessions are killed. We have implemented this approach using CAS 3.x by forcing the logout route of one service to redirect to the other services logout route which will then redirect to the CAS logout route. |
We've been trying to implement multi-app authentication with CAS using connect-cas. We've had issues with that codebase in terms of sso support but have our own implementation based on it now so that library is not an isssue at this point. To support single sign out the CAS server needs to be able to kill a session using a post message back to Express. The CAS protocol sends a session ticket which is not the express sessionID. To make this work with memcache we need to use the CAS session ticket as the sessionID. Others have had similar issues with custom sessionID
The text was updated successfully, but these errors were encountered: