Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-62753

Fix Shibboleth back-channel logout for DB sessions

    XMLWordPrintable

Details

    • Any
    • MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_34_STABLE, MOODLE_35_STABLE
    • Hide
      1. Given a Moodle instance with:
        1. $CFG->dbsessions enabled and working;
        2. the shibboleth authentication module enabled;
        3. a user successfully logged in with shibboleth
      2. Find that user's Shibboleth Session ID (from the browser using console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681" the "_47d2e8208c3d89b8bc3ff5dd854dc681" is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID - 

        #!/bin/sh
        		 
        HOST=dev.moodle.net
        		 
        URL=https://${HOST}/auth/shibboleth/logout.php
        		 
        SESSIONID=$1
        		 
         
        		 
        tmp=`mktemp`
        		 
        cat <<EOF > $tmp
        		 
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        		 
          <s:Body>
        		 
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
        		 
              <SessionID>$SESSIONID</SessionID>
        		 
            </LogoutNotification>
        		 
          </s:Body>
        		 
        </s:Envelope>
        		 
        EOF
        		 
         
        		 
        curl -X POST -H "Content-Type: text/xml" --data-binary @$tmp $URL

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.
      Show
      Given a Moodle instance with: $CFG->dbsessions enabled and working; the shibboleth authentication module enabled; a user successfully logged in with shibboleth Find that user's Shibboleth Session ID (from the browser using console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681" the "_47d2e8208c3d89b8bc3ff5dd854dc681" is what you want. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID - #!/bin/sh HOST=dev.moodle.net URL=https: //${HOST}/auth/shibboleth/logout.php SESSIONID=$ 1   tmp=`mktemp` cat <<EOF > $tmp <s:Envelope xmlns:s= "http://schemas.xmlsoap.org/soap/envelope/" >   <s:Body>     <LogoutNotification xmlns= "urn:mace:shibboleth:2.0:sp:notify" type= "global" >       <SessionID>$SESSIONID</SessionID>     </LogoutNotification>   </s:Body> </s:Envelope> EOF   curl -X POST -H "Content-Type: text/xml" --data-binary @$tmp $URL Run the bash script. Refresh the page, the user should be logged out.

    Description

      While at Moodle-DACH's DevCamp, together with tschroeder, we debugged MDL-61351 on an instance with DB sessions, which didn't work.

      The existing /auth/shibboleth/logout.php back-channel SLO (Single-Log-Out) just doesn't work with $CFG->dbsessions enabled, as it tries to read from an inexistant sessions2 table.

      The DB sessions logout has never been functioning correctly since at least Moodle 2.0.0-rc1, as the sessions2 table is a Moodle 1.9 artifact which was removed in the upgrade to Moodle 2.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61351 Shibboleth logout does not handle file sessions correctly

          • Minor - Minor loss of function where workaround is possible
          • Closed
          Discovered while testing

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61351 Shibboleth logout does not handle file sessions correctly

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has a non-specific relationship to

          Improvement - An enhancement to an existing Moodle feature. MDL-64976 Shibboleth logout suboptimal and logout implementation for RedisI

          • Minor - Minor loss of function where workaround is possible
          • Open
          will help resolve

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-34482 shibboleth logout handler is broken in several ways

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              odyx Didier Raboud
              odyx Didier Raboud
              Mark Nelson Mark Nelson
              David Monllaó David Monllaó
              Simey Lameze Simey Lameze
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                10/Sep/18