diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2015-02-26 15:25:07 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2015-03-23 14:14:56 -0400 |
| commit | c84eaa4d5f44524ea37f8c2444cbd53520d75a0c (patch) | |
| tree | f1e901e34d38a3b903c2b8cb60f264b037732144 | |
| parent | cacb41e93b377496e77f824f4f1b0ce206da0bed (diff) | |
| download | ipsilon-c84eaa4d5f44524ea37f8c2444cbd53520d75a0c.tar.gz ipsilon-c84eaa4d5f44524ea37f8c2444cbd53520d75a0c.tar.xz ipsilon-c84eaa4d5f44524ea37f8c2444cbd53520d75a0c.zip | |
When a new logout session is received, save old session ids
When a new login session is received and an existing session
exists in logout, save the old session IDs.
These will be included in the sessions to logout of the SP.
This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.
https://fedorahosted.org/ipsilon/ticket/64
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
| -rw-r--r-- | ipsilon/providers/saml2/logout.py | 4 | ||||
| -rw-r--r-- | ipsilon/providers/saml2/sessions.py | 20 |
2 files changed, 23 insertions, 1 deletions
diff --git a/ipsilon/providers/saml2/logout.py b/ipsilon/providers/saml2/logout.py index 46aea6e..da8edcf 100644 --- a/ipsilon/providers/saml2/logout.py +++ b/ipsilon/providers/saml2/logout.py @@ -225,6 +225,10 @@ class LogoutRequest(ProviderPageBase): raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s ' % e) + # Now set the full list of session indexes to log out + req = logout.get_request() + req.setSessionIndexes(tuple(set(session.session_indexes))) + session.set_logoutstate(logout.msgUrl, logout.request.id, None) us.save_provider_data('saml2', saml_sessions) diff --git a/ipsilon/providers/saml2/sessions.py b/ipsilon/providers/saml2/sessions.py index 50b9a14..fb1f646 100644 --- a/ipsilon/providers/saml2/sessions.py +++ b/ipsilon/providers/saml2/sessions.py @@ -26,6 +26,13 @@ class SAMLSession(Log): provider_id - ID of the SP session - the Login session object logoutstate - dict containing logout state info + session_indexes - the IDs of any login session we've seen + for this user + + When a new session is seen for the same user any existing session + is thrown away. We keep the original session_id though and send + all that we've seen to the SP when performing a logout to ensure + that all sessions get logged out. logout state is a dictionary containing (potentially) these attributes: @@ -41,6 +48,7 @@ class SAMLSession(Log): self.provider_id = provider_id self.session = session self.logoutstate = logoutstate + self.session_indexes = [session_id] def set_logoutstate(self, relaystate, request_id, request=None): self.logoutstate = dict(relaystate=relaystate, @@ -49,6 +57,7 @@ class SAMLSession(Log): def dump(self): self.debug('session_id %s' % self.session_id) + self.debug('session_index %s' % self.session_indexes) self.debug('provider_id %s' % self.provider_id) self.debug('session %s' % self.session) self.debug('logoutstate %s' % self.logoutstate) @@ -80,10 +89,19 @@ class SAMLSessionsContainer(Log): Drop any existing sessions that might exist for this provider. We have no control over the SP's so if it sends us another login, accept it. + + If an existing session exists drop it but keep a copy of + its session index. When we logout we send ALL session indexes + we've received to ensure that they are all logged out. """ samlsession = SAMLSession(session_id, provider_id, session) - self.remove_session_by_provider(provider_id) + old_session = self.find_session_by_provider(provider_id) + if old_session is not None: + samlsession.session_indexes.extend(old_session.session_indexes) + self.debug("old session: %s" % old_session.session_indexes) + self.debug("new session: %s" % samlsession.session_indexes) + self.remove_session_by_provider(provider_id) self.sessions[provider_id] = samlsession self.dump() |