matt

Reputation: 377

How can I get SimpleSAMLphp 1.17.2 to log the user out of my website? It worked in SSP 1.16.3

I am using SimpleSAMLphp (SSP) to handle authentication for my Yii website (via a remote IdP), and version 1.16.3 has been working fine. However, when I update my composer.json file and pull in version 1.17.2, the local PHP session on my website is no longer destroyed, leaving the user logged in. (The user is successfully logged out of the IdP, however.)

I did some Googling, and reviewed discussions that looked relevant:

I also reviewed some discussions in the SimpleSAMLphp mailing list:

In addition, I tracked the logout process using SSP 1.16.3 and 1.17.2, recording each Cookie header in requests, Set-Cookie header in responses, and session files in existence at multiple steps along the way, which showed some distinct differences... but I don't know what to conclude from this information.

When I begin the logout process on my website (which is built using Yii 1.x)...

  1. I start by bringing up a clean docker container of my website, opening a fresh private Firefox window, and opening SAML Tracer. I verify that no session files currently exist on the server (i.e. in the new docker container).
  2. I go through the login process.
    • 1.16.3 and 1.17.2 behave almost identically. At the end of the login process...
      • For both, my PHP session cookie's session file exists and is 7722 bytes.
      • 1.16.3: My SSP session cookie's session file exists and is 2294 bytes.
      • 1.17.2: My SSP session cookie's session file exists and is 2302 bytes.
  3. I go to /auth/logout/ on my site, and the browser dutifully sends along my current PHP (PHPSESSID) and SSP (SimpleSAML) session cookies.
    • 1.16.3: no Set-Cookie headers are returned.
    • 1.17.2: a Set-Cookie header is returned for the SSP session cookie, but the value is the same as it was before.
  4. I am redirected offsite (to the remote IdP) as part of the logout process.
  5. I am returned to /simplesaml/module.php/saml/sp/saml2-logout.php/default-sp?SAMLRequest=… (and along go current PHP and SSP session cookies).
    • 1.16.3: a Set-Cookie header is returned for the SSP session cookie, but the value is the same as it was before.
    • 1.17.2: two different Set-Cookie headers are returned for the SSP session cookie, neither of which matches the previous value.
  6. I am redirected offsite again, as a further step in the SAML logout process.
  7. I am returned to / (the root of my site), with my (unchanged) PHP session cookie and (most recent) SSP session cookie.
    • 1.16.3:
      • a Set-Cookie header is returned for the PHP session cookie, giving it a new value.
      • the session file for the previous PHP session cookie has been deleted from the server.
      • the session file for the new PHP session cookie is empty.
      • the session file for the most recent SSP session cookie is 474 bytes.
      • I am no longer logged in on my website.
    • 1.17.2:
      • no Set-Cookie headers are returned, for either the PHP or the SSP session cookie.
      • the session file for the PHP session cookie is 7722 bytes.
      • the session file for the SSP session cookie is 338 bytes.
      • I am still logged in on my website (but not on the IdP).

I can (sort of) alleviate the problem by telling Yii during the logout process to return an empty value for the PHP session cookie (PHPSESSID) and set it to expire an hour ago, but since that leaves the session file itself still in place, that approach seems unsatisfactory.

Given that information, does anyone have any ideas or pointers on where I could look next to try to determine what might be causing this?

As things stand, I don't know if this is a result of me using Yii incorrectly, me using SSP incorrectly, or a bug in SSP 1.17.2.


I have not yet managed to distill this down to a minimal, reproducible example, and I apologize for that. The code is open source, though I doubt anyone wants to go digging through it:

Upvotes: 1

Views: 2233

Answers (1)

matt

Reputation: 377

It turns out that I simply needed to tell SimpleSAML's Session class to do some cleanup, after which the PHP function session_name() resumed returning my application's session name ('PHPSESSID') rather than SimpleSAMLphp's session name ('SimpleSAML'). That allowed my application's logout code to kill the correct session, fixing my ability to log the user out of my application.

Here was the code change that fixed it for me:

    // Load the SimpleSAMLphp session for the current request, then let it
    // clean up after itself so that session_name() once again refers to the
    // application's own session ('PHPSESSID') instead of 'SimpleSAML'.
    $sspSession = \SimpleSAML\Session::getSessionFromRequest();
    $sspSession->cleanup();

Upvotes: 1
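As an added illustration (not the answerer's code and not part of SimpleSAMLphp or Yii), here is a Yii 1.x logout action that applies the fix above and checks that the application's session really is the active one before destroying it. The controller name, the `default-sp` authentication source, the `APP_SESSION_NAME` constant and the return URL are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes a Yii 1.x controller
// named AuthController, an SSP auth source 'default-sp', and that the
// application's PHP session cookie is named 'PHPSESSID' (as in the question).
class AuthController extends CController
{
    const APP_SESSION_NAME = 'PHPSESSID';   // assumption: the app's session name

    public function actionLogout()
    {
        $auth = new \SimpleSAML\Auth\Simple('default-sp');

        if ($auth->isAuthenticated()) {
            // Still logged in at the IdP: start SAML Single Logout. SSP redirects
            // to the IdP and sends the browser back to this same action once the
            // IdP session is gone; logout() does not return.
            $auth->logout(array(
                'ReturnTo' => Yii::app()->createAbsoluteUrl('auth/logout'),
            ));
        }

        // Back from the IdP. SSP has loaded its own PHP session ('SimpleSAML'),
        // so a plain Yii logout here would act on the wrong session. Let SSP
        // clean up so the application's session becomes the active one again.
        $sspSession = \SimpleSAML\Session::getSessionFromRequest();
        $sspSession->cleanup();

        if (session_name() !== self::APP_SESSION_NAME) {
            // Defensive check: never leave the user silently logged in if the
            // application's session was not restored; log it and fail loudly.
            Yii::log('session_name() is still ' . session_name() . ' after SSP cleanup',
                CLogger::LEVEL_ERROR, 'auth.logout');
            throw new CHttpException(500, 'Unable to terminate application session.');
        }

        // Destroy the application's own session (true = destroy the server-side
        // session, not just clear the identity), so the session file is removed
        // rather than only expiring the cookie.
        Yii::app()->user->logout(true);
        $this->redirect(Yii::app()->homeUrl);
    }
}
```

Whether session_name() is restored after cleanup() is the observable difference between a logout that deletes the application's session file and one that only touches the SSP session, so it is the value worth checking in a test or log line.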
