Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-62753

Fix Shibboleth back-channel logout for DB sessions

    XMLWordPrintable

    Details

    • Database:
      Any
    • Testing Instructions:
      Hide
      1. Given a Moodle instance with:
        1. $CFG->dbsessions enabled and working;
        2. the shibboleth authentication module enabled;
        3. a user successfully logged in with shibboleth
      2. Find that user's Shibboleth Session ID (from the browser using console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681" the "_47d2e8208c3d89b8bc3ff5dd854dc681" is what you want.
      3. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID - 

        #!/bin/sh
        		 
        HOST=dev.moodle.net
        		 
        URL=https://${HOST}/auth/shibboleth/logout.php
        		 
        SESSIONID=$1
        		 
         
        		 
        tmp=`mktemp`
        		 
        cat <<EOF > $tmp
        		 
        <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
        		 
          <s:Body>
        		 
            <LogoutNotification xmlns="urn:mace:shibboleth:2.0:sp:notify" type="global">
        		 
              <SessionID>$SESSIONID</SessionID>
        		 
            </LogoutNotification>
        		 
          </s:Body>
        		 
        </s:Envelope>
        		 
        EOF
        		 
         
        		 
        curl -X POST -H "Content-Type: text/xml" --data-binary @$tmp $URL

      4. Run the bash script.
      5. Refresh the page, the user should be logged out.
      Show
      Given a Moodle instance with: $CFG->dbsessions enabled and working; the shibboleth authentication module enabled; a user successfully logged in with shibboleth Find that user's Shibboleth Session ID (from the browser using console to inspect the headers). It can look like "_shibsession_64656661756c7468747470733a2f2f6c6f63616c686f73742f70722f73686962626f6c657468=_47d2e8208c3d89b8bc3ff5dd854dc681" the "_47d2e8208c3d89b8bc3ff5dd854dc681" is what you want. Create a test.sh file in your wwwroot and add the following (make sure to replace HOST and SESSIONID - #!/bin/sh HOST=dev.moodle.net URL=https: //${HOST}/auth/shibboleth/logout.php SESSIONID=$ 1   tmp=`mktemp` cat <<EOF > $tmp <s:Envelope xmlns:s= "http://schemas.xmlsoap.org/soap/envelope/" >   <s:Body>     <LogoutNotification xmlns= "urn:mace:shibboleth:2.0:sp:notify" type= "global" >       <SessionID>$SESSIONID</SessionID>     </LogoutNotification>   </s:Body> </s:Envelope> EOF   curl -X POST -H "Content-Type: text/xml" --data-binary @$tmp $URL Run the bash script. Refresh the page, the user should be logged out.
    • Affected Branches:
      MOODLE_31_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE
    • Pull from Repository:
    • Pull 3.5 Branch:
      mdl35_MDL-62753
    • Pull 3.5 Diff URL:
    • Pull Master Branch:
    • Pull Master Diff URL:

      Description

      While at Moodle-DACH's DevCamp, together with Tim Schroeder, we debugged MDL-61351 on an instance with DB sessions, which didn't work.

      The existing /auth/shibboleth/logout.php back-channel SLO (Single-Log-Out) just doesn't work with $CFG->dbsessions enabled, as it tries to read from an inexistant sessions2 table.

      The DB sessions logout has never been functioning correctly since at least Moodle 2.0.0-rc1, as the sessions2 table is a Moodle 1.9 artifact which was removed in the upgrade to Moodle 2.

        Attachments

          Issue Links

          blocks

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61351 Shibboleth logout does not handle file sessions correctly

          • Minor - Minor loss of function where workaround is possible
          • Closed
          Discovered while testing

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-61351 Shibboleth logout does not handle file sessions correctly

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has a non-specific relationship to

          Improvement - An enhancement to an existing Moodle feature. MDL-64976 Shibboleth logout suboptimal and logout implementation for RedisI

          • Minor - Minor loss of function where workaround is possible
          • Open
          will help resolve

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-34482 shibboleth logout handler is broken in several ways

          • Minor - Minor loss of function where workaround is possible
          • Closed

            Activity

              People

              Assignee:
              odyx Didier Raboud
              Reporter:
              odyx Didier Raboud
              Peer reviewer:
              Mark Nelson
              Integrator:
              David Monllaó
              Tester:
              Simey Lameze
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                10/Sep/18