  1. Moodle
  2. MDL-62753

Fix Shibboleth back-channel logout for DB sessions


Details

    • Any
    • MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
      1. Given a Moodle instance with:
        1. $CFG->dbsessions enabled and working;
        2. the shibboleth authentication module enabled;
        3. a user successfully logged in with shibboleth
      2. Find that user's Shibboleth Session ID (from the browser, using the console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681"; the "_47d2e8208c3d89b8bc3ff5dd854dc681" part is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID):

        #!/bin/sh
        # Send a Shibboleth back-channel LogoutNotification to Moodle.
        # Usage: ./test.sh SESSIONID
        HOST=dev.moodle.net
        URL="https://${HOST}/auth/shibboleth/logout.php"
        SESSIONID="$1"

        # Build the SOAP envelope in a temporary file that is removed on exit.
        tmp=$(mktemp)
        trap 'rm -f "$tmp"' EXIT
        cat <<EOF > "$tmp"
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
          <s:Body>
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
              <SessionID>$SESSIONID</SessionID>
            </LogoutNotification>
          </s:Body>
        </s:Envelope>
        EOF

        curl -X POST -H "Content-Type: text/xml" --data-binary "@$tmp" "$URL"

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.

    Description

      While at Moodle-DACH's DevCamp, together with tschroeder, we debugged MDL-61351 on an instance with DB sessions, which didn't work.

      The existing /auth/shibboleth/logout.php back-channel SLO (Single-Log-Out) just doesn't work with $CFG->dbsessions enabled, as it tries to read from a nonexistent sessions2 table.

      The DB sessions logout has never been functioning correctly since at least Moodle 2.0.0-rc1, as the sessions2 table is a Moodle 1.9 artifact which was removed in the upgrade to Moodle 2.
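
The receiving side of the exchange that test.sh drives, as an added example (not Moodle's code and not the fix from this issue): it parses the LogoutNotification and deletes the DB-stored sessions bound to that Shibboleth session, and it shows that a lookup against a table that does not exist, as described above for sessions2, raises an error instead of logging anyone out. The SQLite schema, the sessdata encoding, the sid values and every function name are assumptions made for the illustration.

```python
import base64
import sqlite3
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
NOTIFY = "{urn:mace:shibboleth:2.0:sp:notify}"

# Constructed sample: the envelope test.sh posts, with the issue's example ID.
NOTIFICATION = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
      <SessionID>_47d2e8208c3d89b8bc3ff5dd854dc681</SessionID>
    </LogoutNotification>
  </s:Body>
</s:Envelope>"""


def parse_logout_notification(body):
    """Return the SessionID from a LogoutNotification, or raise ValueError."""
    if b"<!DOCTYPE" in body:  # refuse DTDs and entity definitions in requests
        raise ValueError("DOCTYPE not allowed")
    node = ET.fromstring(body).find(f"{SOAP}Body/{NOTIFY}LogoutNotification/{NOTIFY}SessionID")
    if node is None or not (node.text or "").strip():
        raise ValueError("no SessionID in notification")
    return node.text.strip()


def make_demo_db():
    """In-memory stand-in for DB sessions; schema and rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, sessdata TEXT)")
    for sid, shib in (("sid-alice", "_47d2e8208c3d89b8bc3ff5dd854dc681"),
                      ("sid-bob", "_00000000000000000000000000000000")):
        data = f'shibboleth_session_id|s:{len(shib)}:"{shib}";'.encode()
        db.execute("INSERT INTO sessions VALUES (?, ?)", (sid, base64.b64encode(data).decode()))
    return db


def kill_sessions(db, table, shib_id):
    """Delete sessions in `table` bound to shib_id; return the sids removed.
    `table` is a fixed name chosen by the caller, never request data."""
    killed = []
    for sid, sessdata in db.execute(f"SELECT sid, sessdata FROM {table}").fetchall():
        if f'"{shib_id}"' in base64.b64decode(sessdata).decode("utf-8", "replace"):
            db.execute(f"DELETE FROM {table} WHERE sid = ?", (sid,))
            killed.append(sid)
    return killed
```

With `db = make_demo_db()`, calling `kill_sessions(db, "sessions2", ...)` raises `sqlite3.OperationalError` ("no such table"), while the same call against `"sessions"` returns `['sid-alice']` and leaves the other session in place.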

            People

              odyx Didier Raboud
              odyx Didier Raboud
              Mark Nelson Mark Nelson
              David Monllaó David Monllaó
              Simey Lameze Simey Lameze

              Dates

                Created:
                Updated:
                Resolved:
                10/Sep/18