Fix session logout #485
There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <simo@redhat.com>
The fix seems obvious, need to test it, though.
| @@ -23,6 +23,6 @@ def execute(self, *args, **options): | |||
| else: | |||
| delattr(context, 'ccache_name') | |||
|
|
|||
| setattr(context, 'logout_cookie', '') | |||
| setattr(context, 'logout_cookie', 'MagBearerToken=') | |||
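Review bot: the literal 'MagBearerToken=' in the new setattr(context, 'logout_cookie', ...) line is a magic string with no comment explaining why an empty token value is what ends the session, where the previous line set ''. Suggest a one-line comment above it, or a named constant, stating that this is the cookie key mod_auth_gssapi reads and that the empty value is intentional, so a later cleanup does not revert it to ''. The description also says logout_cookie was checked in the wrong place; that change is not visible in this hunk, so a test asserting the cookie value sent on logout would help cover both parts of the fix.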
Note: I expect that on an empty MagBearerToken we go in this branch modauthgssapi:src/sessions.c#L126 and the session is dropped later. Did not find any documentation on MagBearerToken though.
Also, this is just a workaround for https://fedorahosted.org/freeipa/ticket/6685, our cookies don't really get blacklisted, right?
MagBearerToken is the value that matters in the cookie generated by mod_auth_gssapi. Since the privsep patches removed our session code and use mod_auth_gssapi + mod_session instead, then that's what we need to use.
This patch is a fix for 6685, the part about blacklist is just a suggestion for an additional improvement but it is not required to fix the issue.
Thank you for the explanation.
Works as expected.

Fixed upstream