  1. Moodle
  2. MDL-61351

Shibboleth logout does not handle file sessions correctly


    Details

    • Testing Instructions:
      Test 1
      1. Given a Moodle instance with:
        1. $CFG->dbsessions disabled.
        2. The shibboleth authentication module enabled.
        3. The value $CFG->session_file_save_path in your config.php set to $CFG->dataroot . '/testshibsesh'.
        4. A user successfully logged in with shibboleth.
      2. Find that user's Shibboleth session ID (use the browser console to inspect the headers). The cookie can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681"; the "_47d2e8208c3d89b8bc3ff5dd854dc681" part is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID):

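        #!/bin/sh
        # Posts a Shibboleth LogoutNotification SOAP message to Moodle's logout.php.
        # The Shibboleth session ID is taken from the first argument.
        HOST=dev.moodle.net
        URL="https://${HOST}/auth/shibboleth/logout.php"
        SESSIONID="$1"

        # Write the SOAP envelope to a temporary file and remove it on exit.
        tmp=$(mktemp)
        trap 'rm -f "$tmp"' EXIT
        cat <<EOF > "$tmp"
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
          <s:Body>
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
              <SessionID>$SESSIONID</SessionID>
            </LogoutNotification>
          </s:Body>
        </s:Envelope>
        EOF

        curl -X POST -H "Content-Type: text/xml" --data-binary "@$tmp" "$URL"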
        

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.
      Test 2
      1. Repeat Test 1 but with $CFG->dbsessions enabled.
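
A server-side check to go with step 5 of Test 1, added here as an example (it is not part of the issue or of Moodle's code): `shib_session_id` pulls the ID out of a copied Cookie header and `leftover_sessions` lists file sessions that still reference it after the logout notification. Both function names are hypothetical, the sample files are constructed, and the plain-text `sess_*` layout of the session directory is an assumption.

```sh
#!/bin/sh
# Added example; function names are hypothetical and sample data is constructed.

# Print the Shibboleth session ID from a Cookie header value such as
# "MoodleSession=abc; _shibsession_<hex>=_<id>". Only an ID shaped like the
# one in the issue ("_" followed by hex digits) is accepted.
shib_session_id() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n \
        's/^[[:space:]]*_shibsession_[0-9a-fA-F]*=\(_[0-9a-fA-F][0-9a-fA-F]*\)[[:space:]]*$/\1/p' \
        | head -n 1
}

# Print the session files in directory $1 that still contain session ID $2.
# No output means no file session references the ID any more.
# Assumption: sessions are plain-text files named sess_* that embed the ID.
leftover_sessions() {
    _dir=$1
    _sid=$2
    [ -d "$_dir" ] || { echo "not a directory: $_dir" >&2; return 2; }
    case $_sid in
        _*[!0-9a-fA-F]*|_|[!_]*|'')
            echo "unexpected session ID format" >&2; return 2 ;;
    esac
    grep -lF -- "$_sid" "$_dir"/sess_* 2>/dev/null || true
}

# Demo on constructed data: one session tied to the ID, one unrelated.
demo() {
    cookie='MoodleSession=constructed; _shibsession_64656661756c74=_47d2e8208c3d89b8bc3ff5dd854dc681'
    sid=$(shib_session_id "$cookie")
    d=$(mktemp -d)
    printf 'SESSION|s:33:"%s";\n' "$sid" > "$d/sess_aaa"
    printf 'SESSION|s:1:"x";\n' > "$d/sess_bbb"
    echo "before logout: $(leftover_sessions "$d" "$sid")"
    rm -f "$d/sess_aaa"   # stands in for logout.php destroying the session
    echo "after logout:  [$(leftover_sessions "$d" "$sid")]"
    rm -rf "$d"
}
demo
```

On a real instance, point `leftover_sessions` at the directory configured in `$CFG->session_file_save_path`; any file it prints is a session the logout notification did not remove.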
    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull from Repository:
    • Pull 3.4 Branch:
    • Pull 3.5 Branch:
    • Pull Master Branch:
      MDL-61351_master

      Description

      The file in question is auth/shibboleth/logout.php.

      Within that file there is a function called LogoutNotification in which the problem lies.

      To determine the type of session, the $CFG->dbsessions variable is consulted and, if false, a file-based session is assumed. Further, the path to the session directory is a hardcoded path off of $CFG->dataroot, which is not always the case. In my instance, the variable $CFG->dbsessions returns 1 but the system runs just fine off of file-based sessions. This variable is not set by me in my config.php.

      This bug can be duplicated by setting up file-based sessions with shibboleth authentication. In my particular setup, the shibboleth config variable logout_return_url is also set.

      Then, when logging out, there will be exceptions thrown like this:

      Default exception handler: 
      Error reading from database Debug: Table 'moodle2_dev.mdl_sessions2' doesn't exist
      SELECT sesskey, sessdata FROM mdl_sessions2 WHERE expiry > NOW()
      [array (
      )]
      Error code: dmlreadexception
      * line 486 of /lib/dml/moodle_database.php: dml_read_exception thrown
      * line 1198 of /lib/dml/mysqli_native_moodle_database.php: call to moodle_database->query_end()
      * line 176 of /auth/shibboleth/logout.php: call to mysqli_native_moodle_database->get_records_sql()
      * line ? of unknownfile: call to LogoutNotification()
      * line 43 of /auth/shibboleth/logout.php: call to SoapServer->handle()
      

      and the progress to the logout_return_url is interrupted by the exception thrown when looking for database sessions that do not exist.

      That is what happens. In the browser, it seems that the logout only half completes.

      What I want to happen is for the Moodle session to be removed and to continue on to the logout_return_url.

      Will try to attach a patch that fixes this issue with this bug.

       

                  Fix Release Date:
                  10/Sep/18