-
Notifications
You must be signed in to change notification settings - Fork 142
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Post-logout redirect never fires #93
Comments
Perhaps because it's an ajax request ? Maybe the fix also involves a tiny bit of JS ;) I'm not really sure about problem 2, perhaps an example app in the test project would help ? |
Maybe I'm not following how this works - are you saying that this python is converted to ajax? Our logout system is not doing any ajax. Not sure we need a full test app here - testing is as simple as adding two lines to middleware.py:
Then let it time out. The first print statement will fire, the second will not. Or am I misunderstanding? |
Perhaps logout raises an exception that is later caught ?
No ajax ? Have you seen this ?
https://github.com/yourlabs/django-session-security/#how-does-it-work-
|
Ah, I wasn't clear whether you were suggesting that our SSO logout app was ajax-based or whether you meant the ajax aspects of DSS. I'm aware that DSS is doing ajax exchange, but it's not doing it at this point in the code, which is all Python, right? So it's still not clear to me - why doesn't any python after |
Django's auth.logout() does not swallow exceptions, nor does django_cas_ng's, and we've never had a problem with logout crashing. There are no 500s in runserver console or in browser console indicating any problem there, so I don't think logout is raising an exception. |
K, can you use a debugger like pdb and step in logout to discover where it
goes
Le 21 mars 2017 8:11 PM, "Scot Hacker" <notifications@github.com> a écrit :
… Django's auth.logout() does not swallow exceptions, nor does
django_cas_ng's, and we've never had a problem with logout crashing. There
are no 500s in runserver console or in browser console indicating any
problem there, so I don't think logout is raising an exception.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#93 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAFxrE1ZIkm8NRiBcViyVTLe-YVGHTumks5roCDngaJpZM4MjMQR>
.
|
OK, I've just had a very long session trying to debug this. Starting with pdb in middleware.py, then injecting pdb - and print statements - directly into Django's logout function, stepping through with n, then a much deeper dive with s, watching every step of the way and trying to figure out where it's going wrong. I just cannot figure out where it's getting derailed. No errors - It just doesn't redirect. To simplify, I'm leaving django_cas_ng out of the picture and just dealing with django's logout function. I then tried another approach. Realized that you're doing:
you can pass in So rather than
I tried:
No difference - same problem. To make sure there is nothing odd going on in my somewhat complex project, I then did a fresh pip install into a new/clean Django project, and tried the same modifications to middleware.py. Same results. This is a weird one. Quite a rabbit hole, and I'm running out of ideas. Are you able to reproduce this? |
FWIW here's the tail end of a pdb session, just before and after where it claims to be doing the redirect:
|
To be clear on my goal here: If I can successfully call django_cas_ng's logout() function, it should handle the redirect. But I can't call it, just as I can't call a redirect after Django's own logout func. The experiments above with manual redirects are because I'm trying alternative approaches. |
We're going to to take another approach to this and not use django-session-security, but thanks for your time. I'm still curious about the solution to this if anyone is able to figure it out. |
@shacker: I have the same issue. django_cas_ng logout doesn't get fired on Ajax request on timeout. |
If you call But the "answer" isn't to change session security because the application cannot be responsible for timing out the SSO credential... the SSO server needs to do that. Consider the simplest case:
Because User A's SSO session is still alive, User B is routed to the User A's email. There's nothing that session security can do to take care of this. The SSO server needs to timeout the SSO session. The application also needs a timeout so application sessions don't outlast the SSO sessions (by more than the timeout), but session security already handles this. |
@claytindaley:
|
Let me start by clarifying that I don't use CAS so I'm referring to SSO principles in general. The application probably works one of two ways (determined by the plugin that manages Django auth):
However, you would expect the timer on the SSO session to be reset each time the application reauthenticates. It follows that you shouldn't be abruptly terminated by either approach (unless the SSO timeout is shorter than the application reauth time). |
Can you screenshot the logout call that that works? The screenshot you provided shows a 403 (permission denied) error. I assume the logout wasn't successful (which would explain why the subsequent login worked). Compare the two URLs and make sure they are exactly the same. |
Please ignore CAS Middleware and some other print statements. I have added print statements for debugging. |
If you're using Chrome's developer tools, use this option to retain a log of all of the redirects during a logout: Click the manual logout button and screenshot the entry that successfully logs the user out of the SSO server. I want to confirm that you don't get a 403 on that redirect... and hopefully you can compare the URL and find a difference. |
I assume the two 403 calls are against the IP/domain of your SSO server, but maybe you should verify that as well. |
Oh I assumed that was the AJAX not the logout button. So that's what happens when you press logout... and the user is successfully logged out (of the SSO server)? Or that's what happens when you press the logout button and it doesn't work? |
Yes. I'm asking you to snapshot the browser history when the user manually logs out. I want to compare those calls to the AJAX calls. I'm betting something is different. |
Can you scroll up and find the call to the actual SSO server? The tail end of the logs look to be the information about the current page (js libraries and such). |
You're looking for a call like you see in the AJAX... something like "logout/?service=..." |
I mean scroll up in the browser history... in the chrome developer tools window you just screenshoted. |
SSO logs are not saved for some reason in browser |
That says "login". Any chance you didn't clear the logs before clicking logout? |
Hmm. It looks like there are some headers in your request detail. Can you compare the headers in the successful and unsuccessful request and see if there are any differences? |
You mean request headers? |
Yes. The SO question was suggesting that an XHR request may not carry the right headers. That seemed like the next most-obvious thing to compare. I'd look at the headers first and then the cookies. If you were missing authentication information in one of these places, it would explain your issue. |
Also did you try debugging the logout view ? You could also print the request headers from there. |
This is starting to sound like a CSRF (cross site request forgery) issue. You're allowed to send the request using the browser, but prohibited from sending the request using JavaScript. |
@claytondaley : As you mentioned, it should be with the request header. Below are the screen shots of request headers for AJAX and normal href(onclick request) browser logs |
Fig 16 says it's "login" not logout |
@claytondaley : I tried replacing the context-type and datatype in the AJAX call, but no luck Fig 19: Modified AJAX call code |
OK. (The relevant screenshot appears to have been deleted but) It looks like the cookies are missing from the call that fails (and present in the call that succeeds). That makes sense as authentication information is often carried in cookies. |
I don't think the content type is what matters. I think you need to get the cookies into the request. For CSRF reasons, I'm not sure the browser will ever do so automatically. I suggest trying to replace the AJAX call with a full page redirect. |
|
I think it's failing because the authentication cookies are missing. Even if you wanted to fix it, I'm not sure if you have access to the right cookies in your JavaScript (for security reasons). If you can get the right cookies and get them included... that would be great. If you can't, I'm suggesting changing the way the redirect is handled. |
If this solves your issue, we may want to consider a change to session security, but I'd want you to confirm that it's working for you first. |
I'm honestly not sure. If you look here, there's already code to do a full page redirect. If Can you show me the code where you instantiate the sessionSecurity JS script? For example:
or
|
@jpic, do we need to add
Obviously, the SSO server should also have a timeout, but it definitely sounds like the OP was properly configured for the behavior he (and @santosh9991) needs. |
You're making it happen <3 You have all the holy blessings you could daydream of to hack the source code. May the source be withy ou. |
@santosh9991 can you try the code in PR #101. All you should need to do is add the setting |
@claytondaley Will try and let you know |
@santosh9991 Don't bother testing yet. I got around to writing a test case and have some issues. I'll let you know when they're resolved and push an update. |
OK test cases now pass so @santosh9991, you should be good to go. You'll need to add |
@claytondaley : Is the latest build available on pip? if not, can you please guide me where to pull the code from. |
If you pull from https://github.com/claytondaley/django-session-security you should get a |
@santosh9991 Did you test the PR? Did it work? If so, please let us know so we can consider merging it. |
@claytondaley : It worked in the production. Thank you for the help. |
This has been merged to master |
I was planning to submit a PR here today, but I've hit a roadblock. Setup:
We use django_cas_ng and our users auth against a CAS SSO system. When they click the Logout link on our site, they are logged out of the site AND redirected to our campus SSO system's logout page, which kills their ticket. This is important, especially for multi-user lab computers.
After installing django-session-security, clicking the Logout link manually still works normally. But if I let a user time out with DSS, they are logged out but they are NOT redirected to the SSO logout view. They stay on the site. In this state, the user can click the Login link again and be logged in automatically again without having to authenticate (because the CAS session ticket is still alive). That's bad.
So I started a PR that lets the dev set a custom logout URL. If present, the middleware.py adds a simple redirect after
logout()
:(this is in
process_request()
). The problem is that the redirect never happens after timeout - the user is logged out but the page is not redirected tosettings.LOGOUT_REDIRECT_URL
. I don't understand why.If I modify it to go to the CAS logout page without performing an internal logout first:
Then a timeout logout does redirect, but if the user then tries to go back to the site (e.g. to log in as someone else), they're stuck in a loop eternally handing off to settings.LOGOUT_REDIRECT_URL, so they can't access the site at all.
I can't seem to make this work either way. Any idea what I'm missing here? It seems clear that No. 1 is what I want, but I can't figure out why the redirect never fires.
n.b. I also have code to call django_cas_ng's
logout()
function rather than Django's, but that doesn't affect the problem - it's the same either way.The text was updated successfully, but these errors were encountered: