Possible redirect journey from logout to auto-login?

Created on 24 February 2025, 3 months ago

Problem/Motivation

With certain settings combinations, clicking "logout" can send you on a redirect journey, at the end of which you are logged in again.

Right now this is a bit theoretical, but I am still reporting it.

The journey goes:
- User clicks a logout link, or submits the /user/logout/confirm form.
- Redirect to front page (Drupal core behavior).
- Path is rewritten to '/user/login', which is the core default setting for the front page.
- With a force login setting, cas module redirects to the CAS server login URL.
- With the user already logged in on the CAS server, they get auto logged in.

Steps to reproduce

Preparation:

  • Install Drupal in "minimal" profile.
    • Alternatively, install Drupal with "standard" profile, then set the front page (system.site:page.front) back to "/user/login", as is the default from system module.
  • Enable cas module.
  • In cas module settings:
    • Enable "Forced login" for "/user/login" path.
    • Configure a CAS server which does auto-login to the website if already logged in:
      • We can use cas_mock_server, but this does not do the auto-login if you are already logged in to CAS.
      • We observed this with ECAS / EU Login. But this only works if the development site has a compatible domain.
      • The "Gateway feature" from CAS module promises to do auto login, but it does not seem to work with cas_mock_server, AND with eulogin I have seen auto login without that setting enabled.
      • Alternatively, you can just imagine the auto-login happening.

Steps:

  • Click a logout link, or visit /user/logout/confirm and click confirm.
  • If you see a CAS page with a prompt like "Do you want to get logged out of the CAS system?"

Actual behavior:
You get redirected to CAS and auto logged in.

Proposed resolution

A low-effort solution would be to describe the possible problem in the settings form of the CAS module.

However, for this we need a more real-world reproducible scenario.
If nobody else has encountered or reported this so far, perhaps it is not really a problem we need to address.

Until then, we can just keep this issue in "postponed" status. Or perhaps even close it.
Then people hopefully find it if they encounter this problem.


🐛 Bug report
Status

Postponed

Version

3.0

Component

CAS

Created by

🇩🇪Germany donquixote
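
The redirect journey reported above can be modelled as a small configuration check. This is an added example, not code from the CAS module or from the issue author; the function names and parameters are hypothetical, and the "*" wildcard and "<front>" handling are assumptions about how forced-login paths are matched. It goes slightly beyond the reported case by also covering wildcard and "<front>" patterns.

```python
import re

def path_matches(path, patterns, front_page):
    """Assumed matching rules: '*' is a wildcard, '<front>' means the front page."""
    path = path.rstrip("/").lower() or "/"
    front = front_page.rstrip("/").lower() or "/"
    for pattern in patterns:
        pattern = pattern.strip().lower()
        if pattern == "<front>":
            if path == front:
                return True
        elif re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), path):
            return True
    return False

def logout_journey(front_page, forced_login_enabled, forced_login_paths,
                   cas_session_active=True):
    """Return (steps, relogin) for one logout click.

    front_page          -- value of system.site:page.front
    forced_login_*      -- the "Forced login" settings of the cas module
    cas_session_active  -- True if the user is still logged in on the CAS server
    """
    steps = ["user confirms logout; Drupal session is destroyed"]
    # Drupal core redirects to the front page after logout.
    steps.append("redirect to front page, resolved to " + front_page)
    if not (forced_login_enabled and
            path_matches(front_page, forced_login_paths, front_page)):
        steps.append("front page is served to the anonymous user")
        return steps, False
    steps.append("forced login matches: redirect to CAS server login URL")
    if not cas_session_active:
        steps.append("CAS server shows its login form")
        return steps, False
    steps.append("CAS session still active: user is logged in again")
    return steps, True

if __name__ == "__main__":
    # Constructed settings matching the report: minimal profile front page
    # plus forced login on /user/login.
    steps, relogin = logout_journey("/user/login", True, ["/user/login"])
    for number, step in enumerate(steps, 1):
        print(number, step)
    print("logout ends in auto-login:", relogin)
```
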
