Affects Version/s: 2.9.5, 3.0.3
- Set up shibboleth auth
- Log in
- Log out
- Ensure you are actually logged out
- Install a SOAP client, e.g. SOA Client for Firefox
- Log in
- Send a SOAP log out request as described here https://wiki.shibboleth.net/confluence/display/SHIB2/SLOWebappAdaptation
Affected Branches: MOODLE_29_STABLE, MOODLE_30_STABLE
Fixed Branches: MOODLE_29_STABLE, MOODLE_30_STABLE
There is a regression in /auth/shibboleth/logout.php that was introduced by removing $HTTP_RAW_POST_DATA from the Moodle source tree.
Old logic (e.g. 2.7 in this case) - line 35 in logout.php
New logic (3.0.3+ commit 80b5eb78ddba70a575b25048471f83e521ce3431) - line 35 in logout.php
As you can see, the logic is reversed now.
The regression was probably introduced by
I've set this to a security issue, because users might believe they are logged out even if they are not (though most likely they could have been informed by their logout software. If so, the user still needs to read what the site tells him...).
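
The effect of a reversed body check on a back-channel logout, as an added illustration (not Moodle's logout.php and not code from this issue). The function names are hypothetical, the front-channel parameters and the notification namespace are assumed from the Shibboleth logout notification format, and the sample message is constructed.

```php
<?php
// Added illustration only. In a real handler the body would come from
// file_get_contents('php://input'), the replacement for $HTTP_RAW_POST_DATA.

const SHIB_NOTIFY_NS = 'urn:mace:shibboleth:2.0:sp:notify'; // assumed namespace

/** Extract SessionID values from a SOAP LogoutNotification body. */
function extract_session_ids(string $body): array {
    $doc = new DOMDocument();
    // A missing or malformed body simply yields no session ids.
    if ($body === '' || !@$doc->loadXML($body, LIBXML_NONET)) {
        return [];
    }
    $ids = [];
    foreach ($doc->getElementsByTagNameNS(SHIB_NOTIFY_NS, 'SessionID') as $node) {
        $ids[] = trim($node->textContent);
    }
    return $ids;
}

/** Pick the logout path. $inverted reproduces the reversed emptiness check. */
function route_logout(array $get, string $body, bool $inverted = false): string {
    if (isset($get['return'], $get['action']) && $get['action'] === 'logout') {
        return 'front-channel';
    }
    $hasbody = !empty($body);
    // Correct: handle the notification when a body is present.
    // Inverted: the handler only runs when there is nothing to process.
    return ($inverted ? !$hasbody : $hasbody) ? 'back-channel' : 'none';
}

// Constructed sample notification (the session id is made up).
$soap = <<<XML
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <notify:LogoutNotification xmlns:notify="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <notify:SessionID>_constructed_session_id_0001</notify:SessionID>
    </notify:LogoutNotification>
  </soap:Body>
</soap:Envelope>
XML;

foreach ([false, true] as $inverted) {
    $route = route_logout([], $soap, $inverted);
    $ended = $route === 'back-channel' ? extract_session_ids($soap) : [];
    printf("%-9s route=%-12s sessions ended=%d\n",
        $inverted ? 'inverted' : 'correct', $route, count($ended));
}
```

With the inverted check the notification is never routed to the handler, so no session is ended; a regression test for logout.php can assert exactly that difference.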