Contrib.social

Users get redirected to a seemingly random URL on session expiry

Open on Drupal.org β†’
Created on 16 January 2018, almost 7 years ago
Updated 14 April 2021, over 3 years ago

I'm seeing some odd behaviour on a site where some users (maybe due to browser settings?) are having their sessions expire / somehow become invalidated on browser close.

<!--break-->

The side effect of this is that they:

  1. Open browser
  2. Open bookmark which deep links into the site
  3. Drupal detects that the session is expired / invalid (not sure exactly which)
  4. simplesamlphp_auth_user_logout() triggers
  5. The user is redirected back to either logout_goto_url in simplesamlphp_auth.settings OR base_path().

This is pretty confusing from the users perspective - they've opened a bookmark to page XYZ and instead have been confronted with page ABC.

simplesamlphp_auth.module:

function simplesamlphp_auth_user_logout($account) {
  $logout_url = \Drupal::config('simplesamlphp_auth.settings')->get('logout_goto_url');
  [...]
  if ($logout_url) {
    $simplesaml->logout($logout_url);
  }
  else {
    $simplesaml->logout();
  }
}

SimplesamlphpAuthManager:

  public function logout($redirect_path = NULL) {
    if (!$redirect_path) {
      $redirect_path = base_path();
    }
    $this->instance->logout($redirect_path);
  }
πŸ› Bug report
Status

RTBC

Version

3.0

Component

Code

Created by

πŸ‡¦πŸ‡ΊAustralia George Bills

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States johns996 Marquette, MI

    Commenting here to indicate that #12 is compatible with 4.0.0 running on Drupal 10.1.

  • Status changed to Needs work about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States mikelutz Michigan, USA

    I don't think this is the right approach here. Currently the redirect to the base_url isn't happening in the logout hook, it's happening in the event subscriber that checks for session expiry. 

      /**
   * Logs out user if not SAML authenticated and local logins are disabled.
   *
   * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
   *   The subscribed event.
   */
  public function checkAuthStatus(RequestEvent $event) {
    if ($this->account->isAnonymous()) {
      return;
    }

    if (!$this->simplesaml->isActivated()) {
      return;
    }

    if ($this->simplesaml->isAuthenticated()) {
      return;
    }

    if ($this->config->get('allow.default_login')) {

      $allowed_uids = explode(',', $this->config->get('allow.default_login_users'));
      if (in_array($this->account->id(), $allowed_uids)) {
        return;
      }

      $allowed_roles = $this->config->get('allow.default_login_roles');
      if (array_intersect($this->account->getRoles(), $allowed_roles)) {
        return;
      }
    }

    if ($this->config->get('debug')) {
      $this->logger->debug('User %name not authorized to log in using local account.', ['%name' => $this->account->getAccountName()]);
    }
    user_logout();

    $response = new RedirectResponse('/', RedirectResponse::HTTP_FOUND);
    $event->setResponse($response);
    $event->stopPropagation();

  }

    Since the logout hook no longer redirects when isAuthenticated() returns false, we are falling back to the redirect response to the event here, redirecting back to the homepage. It seems like we should leave the logout hook alone, and handle redirecting on session expiry here in the event. I can also see a need for this to be configurable, or at the very least a bit smarter. If feels like in most cases the user should be redirected to the login page, and then returned to the current url after logging in, though I could see use cases where a site might want to just let them view the page as anonymous without being redirected. I have a need to solve this this week, so I'll open a MR with my solution soon.

  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States mikelutz Michigan, USA
  • @mikelutz opened merge request.
  • Pipeline finished with Success
    about 1 year ago
    Total: 287s
    #50923
  • Comment 22 days ago β†’
    πŸ‡§πŸ‡¬Bulgaria pfrenssen Sofia

    The current MR !28 will redirect any request to a HTML login page but this will cause problems for requests that accept MIME types other than HTML (e.g. JSON:API / GraphQL / image styles / aggregated CSS files / streamed media / ...)

    I think it would be safer to simply reload the page so it is served to the anonymous user. While redirecting a logged out user to the login form is valid in many use cases, it is better to leave this to specialized modules that are better suited to this task (like Redirect 403 to User Login).

  • Merge request !39Reload the current page when the auth session expires. β†’ (Open) created by pfrenssen
  • Pipeline finished with Failed
    22 days ago
    Total: 143s
    #350924
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024