[SingleSignOut] Loop when use CasAuthentication.SingleSignOut in ActionResult

apereo / dotnet-cas-client

Apereo .NET CAS Client

Apache License 2.0

234 stars 172 forks source link

[SingleSignOut] Loop when use CasAuthentication.SingleSignOut in ActionResult #110

Open KhanhVanCong opened 4 years ago

KhanhVanCong commented 4 years ago

Hi team,

Now, I have an issue with logout from project ASP.NET MVC 5.
In the backend, I have a controller with ActionResult as below

public ActionResult Logout() { CasAuthentication.SingleSignOut(); return RedirectToAction("Index", "Home"); }

I have a tag <a href="~/logout"> when user click this tag to logout, it will call ActionResult Logout and execute single sign out . Next, they redirect to CAS server login with URL 'url_cas?service=url_redirect_logout'.
We have a problem here, they will loop sign out (call again ActionResult Logout) when the user successfully log in again because the 'url_redirect_logout' will be redirected.
I see your code in function CasAuthentication.SingleSignOut, you use HttpContext.Current.Request in function ConstructServiceUrl, it will get the current request, specifically, in my case, it will get URL logout.
So, Could you suggest me some solutions to resolve this problem? I hope to hear from your team soon. Thank you so much.

phantomtypist commented 3 years ago

I'm not sure I fully understand here. Can you clearly detail a reproduction scenario for me? Step by step please with as much detail as possible, clearly.

JanairoRio commented 3 years ago

Hi pretty clear and i have the same problem . After logout ( with CasAuthentication.SingleSignOut(); on a ResultAction) we got the the SSo connection page with on the url a redirection to our logout ActionResult , we excpeted to have our HomePage.

TheHokieCoder commented 3 years ago

@JanairoRio I believe that when you use the SingleSignOut() method:

That method is performing a redirect via the HTTP request object for you...there is no need or purpose to manually redirecting like @KhanhVanCong included in their code snippet. (see the SingleSignOut() method code)
The method is redirecting to the configured single sign out endpoint for your CAS server, which will help destroy the single sign on session for the user. If there is to be any redirecting after that, it needs to be done by your CAS server because, at that point, the user is no longer in your web application. Do take note that simply "logging out" of your web application and performing a CAS "single sign out" are two different concepts, and I believe is the reason for your confusion about the redirects after calling SingleSignOut().

If I am incorrect in my assumptions about the issue that you are reporting, please provide more detail about the controller actions that are involved, including full method code, as well as your DotNetCasClient configuration from web.config (but please scrub any configuration details that are sensitive to your configuration). Hope this helps!

AlfMX commented 1 year ago

Have same issue:

In my controller, have the method:

` [HttpGet]

public ActionResult LogOut()

{

   CASAuthorize.ClearSession(HttpContext);

   if (DotNetCasClient.CasAuthentication.GetFormsAuthenticationTicket() != null)

   {

       DotNetCasClient.CasAuthentication.SingleSignOut();

   }

   return View();

} `

When the users click the button to call the method "https://localhost:44301/Home/LogOut"

The final result is the page:

https://casserver/cas/login?service=https%3a%2f%2flocalhost%3a44301%2fHome%2fLogOut

Here, the user can enter its username/password, but, because the service parameters is redirecting to the LogOut method, the user is logged out again.

So, the question, is it a way to change the service parameter to he home page? Thanks