Moodle / MDL-62753

Fix Shibboleth back-channel logout for DB sessions


    Details

    • Database:
      Any
    • Testing Instructions:
      1. Given a Moodle instance with:
        1. $CFG->dbsessions enabled and working;
        2. the shibboleth authentication module enabled;
        3. a user successfully logged in with shibboleth
      2. Find that user's Shibboleth Session ID (from the browser, using the console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681"; the "_47d2e8208c3d89b8bc3ff5dd854dc681" part is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID -

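        #!/bin/sh
        # Send a Shibboleth back-channel LogoutNotification to Moodle's logout endpoint.
        HOST=dev.moodle.net
        URL="https://${HOST}/auth/shibboleth/logout.php"
        SESSIONID=$1   # Shibboleth session ID, passed as the first argument

        # Write the SOAP envelope to a temporary file.
        tmp=$(mktemp)
        cat <<EOF > "$tmp"
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
          <s:Body>
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
              <SessionID>$SESSIONID</SessionID>
            </LogoutNotification>
          </s:Body>
        </s:Envelope>
        EOF

        curl -X POST -H "Content-Type: text/xml" --data-binary "@$tmp" "$URL"
        rm -f "$tmp"   # remove the temporary envelope file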
        

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull from Repository:
    • Pull 3.4 Branch:
      mdl34_MDL-62753
    • Pull 3.5 Branch:
      mdl35_MDL-62753
    • Pull Master Branch:

      Description

      While at Moodle-DACH's DevCamp, together with Tim Schroeder, we debugged MDL-61351 on an instance with DB sessions, which didn't work.

      The existing /auth/shibboleth/logout.php back-channel SLO (Single-Log-Out) just doesn't work with $CFG->dbsessions enabled, as it tries to read from a nonexistent sessions2 table.

      The DB sessions logout has never been functioning correctly since at least Moodle 2.0.0-rc1, as the sessions2 table is a Moodle 1.9 artifact which was removed in the upgrade to Moodle 2.
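
To make the receiving side of the test above concrete, here is an added example (not Moodle's code and not the fix from this issue) of a back-channel logout handler that terminates sessions held in a database-backed store. The SQLite `sessions` table, the JSON `sessdata` column, the `shibboleth_session_id` key and the session ID pattern (modelled on the sample ID in the testing instructions) are assumptions made for illustration.

```python
import json
import re
import sqlite3
import xml.etree.ElementTree as ET

NOTIFY_NS = "urn:mace:shibboleth:2.0:sp:notify"  # namespace used in the test envelope
SESSION_ID_RE = re.compile(r"_[0-9a-f]{32}")     # assumed shape, from the page's sample ID

def parse_logout_notification(body: bytes) -> list[str]:
    """Return the well-formed SessionID values carried by a LogoutNotification."""
    if b"<!DOCTYPE" in body:  # no DTDs, so no entity expansion from untrusted input
        raise ValueError("DTDs are not accepted in logout notifications")
    root = ET.fromstring(body)
    ids = [(el.text or "").strip() for el in root.iter(f"{{{NOTIFY_NS}}}SessionID")]
    return [sid for sid in ids if SESSION_ID_RE.fullmatch(sid)]

def logout_db_sessions(db: sqlite3.Connection, body: bytes) -> int:
    """Delete every stored session bound to a notified Shibboleth session ID."""
    wanted = set(parse_logout_notification(body))
    doomed = []
    for sid, sessdata in db.execute("SELECT sid, sessdata FROM sessions"):
        try:
            data = json.loads(sessdata)
        except (TypeError, ValueError):
            continue  # unreadable session data: leave the row alone
        ssid = data.get("shibboleth_session_id") if isinstance(data, dict) else None
        if isinstance(ssid, str) and ssid in wanted:
            doomed.append((sid,))
    db.executemany("DELETE FROM sessions WHERE sid = ?", doomed)
    db.commit()
    return len(doomed)

def demo() -> tuple[int, list[str]]:
    """Constructed data: three stored sessions, one bound to the notified ID."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, sessdata TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", [
        ("moodle-a", json.dumps({"shibboleth_session_id": "_47d2e8208c3d89b8bc3ff5dd854dc681"})),
        ("moodle-b", json.dumps({"shibboleth_session_id": "_" + "0" * 32})),
        ("moodle-c", json.dumps({})),  # session not created through Shibboleth
    ])
    envelope = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
      <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
        <SessionID>_47d2e8208c3d89b8bc3ff5dd854dc681</SessionID>
      </LogoutNotification></s:Body></s:Envelope>"""
    removed = logout_db_sessions(db, envelope)
    return removed, [row[0] for row in db.execute("SELECT sid FROM sessions ORDER BY sid")]

if __name__ == "__main__":
    print(demo())
```

Only the session bound to the notified ID is removed; a malformed `SessionID` or a body carrying a DTD never reaches the session table.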


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  10/Sep/18