  1. Moodle
  2. MDL-62753

Fix Shibboleth back-channel logout for DB sessions


    • Any
    • MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
      1. Given a Moodle instance with:
        1. $CFG->dbsessions enabled and working;
        2. the shibboleth authentication module enabled;
        3. a user successfully logged in with shibboleth
      2. Find that user's Shibboleth session ID (from the browser, using the console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681"; the "_47d2e8208c3d89b8bc3ff5dd854dc681" part is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID):

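        #!/bin/sh
        # Send a Shibboleth back-channel LogoutNotification to Moodle.
        # Usage: ./test.sh SESSIONID
        HOST=dev.moodle.net
        URL="https://${HOST}/auth/shibboleth/logout.php"
        SESSIONID=$1

        # Write the SOAP envelope to a temporary file that is removed on exit.
        tmp=$(mktemp)
        trap 'rm -f "$tmp"' EXIT
        cat <<EOF > "$tmp"
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
          <s:Body>
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
              <SessionID>$SESSIONID</SessionID>
            </LogoutNotification>
          </s:Body>
        </s:Envelope>
        EOF

        # POST the envelope to the back-channel logout endpoint.
        curl -X POST -H "Content-Type: text/xml" --data-binary "@$tmp" "$URL"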
        

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.

      While at Moodle-DACH's DevCamp, together with tschroeder, we debugged MDL-61351 on an instance with DB sessions, which didn't work.

      The existing /auth/shibboleth/logout.php back-channel SLO (Single-Log-Out) just doesn't work with $CFG->dbsessions enabled, as it tries to read from a nonexistent sessions2 table.

      The DB sessions logout has never been functioning correctly since at least Moodle 2.0.0-rc1, as the sessions2 table is a Moodle 1.9 artifact which was removed in the upgrade to Moodle 2.
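
An added example, not part of the issue or of Moodle's code: steps 2 and 3 of the test instructions, with the session ID pulled from a copied Cookie header and checked before it is placed in the LogoutNotification body. The function names are hypothetical, and the check assumes the ID shape shown in the issue (an underscore followed by lowercase hex digits).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Moodle or Shibboleth.

# Print the session ID carried by the _shibsession_<hex> cookie in a Cookie
# header value. Fails (status 1) when the cookie is missing or its value is
# not "_" followed by lowercase hex digits (assumed shape, as in the issue).
shib_session_id() {
    value=$(printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*_shibsession_[0-9a-f]*=\(.*\)$/\1/p' | head -n 1)
    case $value in
        _*) rest=${value#_} ;;
        *) return 1 ;;
    esac
    # Only hex digits may follow, so no markup can reach the XML body.
    case $rest in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Print the SOAP body that test.sh posts to /auth/shibboleth/logout.php.
logout_envelope() {
    cat <<EOF
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <SessionID>$1</SessionID>
    </LogoutNotification>
  </s:Body>
</s:Envelope>
EOF
}

# Cookie header in, envelope out; nothing is printed for a rejected header.
notification_from_cookie() {
    id=$(shib_session_id "$1") || return 1
    logout_envelope "$id"
}

# Constructed sample: the cookie from step 2 next to an unrelated cookie.
SAMPLE='MoodleSession=constructed; _shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681'
notification_from_cookie "$SAMPLE"
```

The printed envelope can be piped to the curl call from test.sh with `--data-binary @-` in place of the temporary file.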

            odyx Didier Raboud
            odyx Didier Raboud
            Mark Nelson Mark Nelson
            David Monllaó David Monllaó
            Simey Lameze Simey Lameze