Single-Sign-Out not working (for me) #47
Comments
Thanks for the bug report, Raphael! Is the session ID the same on all the applications' logs, or is it different for each?
The IDs are different, as far as I can see. I might have noticed the source of my problem though: I missed a log-flush which only happened after another request hit the app.
I'm using ActiveRecord::SessionStore. Shouldn't it be supported?
Ah, interesting. ActiveRecord::SessionStore should indeed be supported. Looking at that code path, I see there are two ways it can produce that warning:
The SessionStore indeed does not respond to
Adding this code in
I've searched for places where
Turns out
Oh man, super weird... I'm going to message jeremyhaile, who wrote the single sign-out support, and see if he can come over and have a look at this. We're a bit beyond my depth here. Sorry!
Hey Jeremy - sorry about the assign, but GitHub seems to have removed the "Message" feature from user pages, so this was the best way I could figure out to notify you. If you have any idea what might be going on with this one, could you comment here? Thanks!
Btw: using Redis as SessionStore doesn't work with Single-Sign-Out either:
I got Single Sign Out to work with Rails 3.2.2 & 3.2.3 using active_record_store in my fork. I did some digging in the Rails source to see how they work with ActiveRecord::SessionStore, and I made some small adjustments for session removal. Works great for me. Maybe we should think about restructuring the SingleSignOut part a bit, as well as add tests for it?
IMO, the changes you're doing make a lot of sense. I'd like to see Redis support back in there, but in general, I agree with the direction your fork has taken. Also agree that tests would be good.
No problem - unfortunately my original single_sign_out implementation worked in Rails 3.0, but not Rails 3.1 or 3.2 due to changes in the internals of the session management code. Unfortunately Rails doesn't provide a clean way to access the actual session store that I've been able to find. In my original version, I was tying into a prepare method that all session stores implemented in 3.0, but it was removed in 3.1.

nbudin tried to update my code to make it compatible with Rails 3.1, but completely broke it. He assumed that the :session_store stored in the application config was the actual session store, but in reality it is just a symbol that tells Rails which session store to use.

In my fork of devise_cas-authenticatable, I updated it again to work in Rails 3.1, but hadn't tested it thoroughly enough to send a pull request although I am using it in a production project and it's working fine. I've been unable to find a way to cleanly get at the SessionStore in Rails 3.1, so I gave up. Instead I just create a filter that needs to be added to ApplicationController. For example: "include DeviseCasAuthenticatable::SingleSignOut::StoreSessionIdFilter" This seems to be a much more reliable way to get at the session ID, although it's Rails specific.

I rebased and retested the fork this morning to ensure it works with the latest changes. I went ahead and created a pull request to discuss this more effectively: Feel free to try out my branch and see if that works. Then we can clean it up and integrate if appropriate.
Thanks for your work, seems to work for me. Personally I don't like the approach with a before_filter, which is why I'd opt-in to staying with the current approach, and changing it a little into a more OO pattern without Monkey Patches. |
Hey!
I'm using multiple Rails 3.2.3 apps which authenticate against a single rubycas-server using devise + devise_cas_authenticatable.
First, the authentication works great, thanks for all the hard work and effort you've put into the gem.
But when I enable the single-sign-out functionality in both the rubycas-server and devise_cas_authenticatable single-sign-out does not work. According to the rubycas-server logfile the sign-out notifications are posted to the correct services. I can validate that my applications are receiving the posted notifications, thus invoking `Devise::CasSessionsController#single_sign_out`. However, the user sessions are only destroyed in the application which initiated the original logout action.
In the other applications the log reads like this:
Using the logs I've traced the route the code takes through the gem and it turns out that the session-id as returned by `find_session_id_by_index` is nil. I have no idea why this is happening. Any thoughts on how I can debug this?
Kind regards & keep up the good work,
Raphael
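
The bookkeeping this thread is debugging, as an added Ruby example that is not code from the gem or from any commenter: the service ticket is mapped to the local session ID at login, and the logout notification is resolved back to that session, with the nil lookup reported instead of silently leaving the session alive. `SsoSessionIndex`, its method names, the assumed ticket pattern and the sample request are hypothetical or constructed for illustration.

```ruby
# Added illustration; SsoSessionIndex and its methods are hypothetical names,
# not devise_cas_authenticatable's API. The Hash stands in for a session store.
class SsoSessionIndex
  # Assumed ticket shape: "ST-" plus a conservative character set.
  TICKET = /\AST-[A-Za-z0-9.\-]{1,256}\z/
  INDEX_TAG = %r{<samlp:SessionIndex>\s*([^<\s]+)\s*</samlp:SessionIndex>}

  def initialize
    @sessions = {}             # session ID => session data
    @session_id_by_ticket = {} # CAS service ticket => session ID
  end

  # At login: remember which local session the validated ticket created.
  def record_login(ticket, session_id, user)
    raise ArgumentError, "unexpected ticket format" unless TICKET.match?(ticket)
    @sessions[session_id] = { user: user }
    @session_id_by_ticket[ticket] = session_id
  end

  # Pull the session index out of the logout request the CAS server POSTs.
  def self.session_index_from(logout_request)
    ticket = logout_request.to_s[INDEX_TAG, 1]
    ticket if ticket && TICKET.match?(ticket)
  end

  # Returns :destroyed, :unknown_ticket (the nil lookup from this issue)
  # or :malformed, so a failed sign-out is visible to the caller and the logs.
  def handle_logout(logout_request)
    ticket = self.class.session_index_from(logout_request)
    return :malformed unless ticket
    session_id = @session_id_by_ticket.delete(ticket)
    return :unknown_ticket unless session_id
    @sessions.delete(session_id)
    :destroyed
  end

  def signed_in?(session_id)
    @sessions.key?(session_id)
  end
end

# Constructed sample of a CAS logout notification body.
def sample_logout_request(ticket)
  <<~XML
    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="constructed-1" Version="2.0">
      <samlp:SessionIndex>#{ticket}</samlp:SessionIndex>
    </samlp:LogoutRequest>
  XML
end
```

Logging every `:unknown_ticket` result alongside the ticket prefix makes it possible to tell a session that was never indexed at login apart from one that had already expired.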