Contrib.social

Autologout destroys session cookie, preventing other modules from being able to sign user back in

Open on Drupal.org β†’
Created on 16 September 2022, almost 2 years ago
Updated 4 October 2023, 11 months ago

Problem/Motivation

We have found in using Autologout in conjunction with the OpenID Connect module, when the user is logged out after closing the tab/window, the session cookie is destroyed in the same request that is used in that module to log the user back in properly.

Steps to reproduce

1. Install and setup both Autologout and OpenID Connect (or similar) with an SSO.
2. With Autologout enabled, close all tabs to the site.
3. Open up the site and log in as normal.
4. The redirect back from your SSO will have an access denied error.

Proposed resolution

The request from Autologout should either be halted or separated from other potential uses of the session cookie, IE using a redirect after the logout. (We are using the hook into user logout to redirect users: from https://www.drupal.org/project/autologout/issues/3310136 ✨ Create ability to hook into the user logout RTBC )

Remaining tasks

To add a redirect or find a way to halt the session destroy request.

πŸ› Bug report
Status

Postponed: needs info

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States RyanCMcConnell

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 11 months ago β†’
    admirlju

    I was also unable to reproduce this issue. I'm testing with Drupal 9.5, the latest dev version of automated logout, and a stable version of OpenID Connect configured to use the GitHub client.

    I've tested using Firefox and Chrome. Both just closing the tabs, fully closing the browser, or waiting for the timeout to occur. I simply can not reproduce it.

    Could you please provide some more information? What OpenID connect client are you using? How did you configure the Automated logout module?

    Postponing the issue for now.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024