-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Single logout breaks with multiple sessions #83
Labels
Comments
I just discovered the same behavior and agree with @beheh that current behavior is quite bad. |
evilscientress
added a commit
to evilscientress/django-mama-cas
that referenced
this issue
Jul 23, 2019
This addresses jbittel#83 and is a possible fix, but not ideal. The better way to address the issue would be to track accesss services per session and then send targeted single sign out requests based on this information. Signed-off-by: Jenny Danzmayr <mail@evilscientress.at>
evilscientress
added a commit
to evilscientress/django-mama-cas
that referenced
this issue
Jul 23, 2019
This addresses jbittel#83 and is a possible fix, but not ideal. The better way to address the issue would be to track accesss services per session and then send targeted single sign out requests based on this information. Signed-off-by: Jenny Danzmayr <mail@evilscientress.at>
evilscientress
added a commit
to evilscientress/django-mama-cas
that referenced
this issue
Jul 23, 2019
This addresses jbittel#83 and is a possible fix, but not ideal. The better way to address the issue would be to track accesss services per session and then send targeted single sign out requests based on this information. Signed-off-by: Jenny Danzmayr <mail@evilscientress.at>
evilscientress
added a commit
to evilscientress/django-mama-cas
that referenced
this issue
Jul 23, 2019
This addresses jbittel#83 and is a possible fix, but not ideal. The better way to address the issue would be to track accesss services per session and then send targeted single sign out requests based on this information. Signed-off-by: Jenny Danzmayr <mail@evilscientress.at>
Hi @beheh, sorry for the late reply. The idea of checking all user valid tickets looks great, would you like to create a PR o share the relevant code here? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, single logout will assemble a list of recent
ServiceTickets
for the current user which it then invalidates one-by-one. It uses the extremely basic check to only look at tickets created for the user since last login:django-mama-cas/mama_cas/models.py
Lines 207 to 218 in 03935d9
This logic breaks as soon as the user signs in from two devices or browsers. When signing in to the second device, the user irreversibly overwrites their last login timestamp. Even if the session based on the first ticket signs out it will only invalidate the second ticket, because the first one was issued before the last login.
This seems like really bad behaviour from
mama_cas
, as it's quite to likely to miss tickets to invalidate, making the logout process unreliable.In our application we have adjusted the signout logic as follows:
This ensures that all "child" sessions for this user have either been captured because they were from within the last few hours, or we are sure they have expired at the service because their lifetime is limited.
The text was updated successfully, but these errors were encountered: