jbittel / django-mama-cas

A Django Central Authentication Service (CAS) single sign-on server
BSD 3-Clause "New" or "Revised" License
396 stars 112 forks

Single logout breaks with multiple sessions #83

Open beheh opened 5 years ago

beheh commented 5 years ago

Right now, single logout will assemble a list of recent ServiceTickets for the current user which it then invalidates one-by-one. It uses an extremely basic check to only look at tickets created for the user since last login:

https://github.com/jbittel/django-mama-cas/blob/03935d97442b46d8127ab9e1cd8deb96953fe156/mama_cas/models.py#L207-L218

This logic breaks as soon as the user signs in from two devices or browsers. When signing in to the second device, the user irreversibly overwrites their last login timestamp. Even if the session based on the first ticket signs out it will only invalidate the second ticket, because the first one was issued before the last login.

This seems like really bad behaviour from mama_cas, as it's quite likely to miss tickets to invalidate, making the logout process unreliable.


In our application we have adjusted the signout logic as follows:

This ensures that all "child" sessions for this user have either been captured because they were from within the last few hours, or we are sure they have expired at the service because their lifetime is limited.
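The failure described in this issue, reproduced as an added example; this is not code from django-mama-cas or from this thread. It models two selection rules over a constructed ticket table: the "created since last login" rule, which loses the first device's ticket as soon as a second login overwrites last_login, and a lookback over every consumed ticket that is still within the ticket lifetime. The ServiceTicket and User classes, the field names and the eight-hour lifetime are assumptions made for the illustration, not the project's models or settings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


# Constructed stand-in for a CAS ServiceTicket row with only the fields the
# logout selection needs (assumption: not mama_cas's actual model).
@dataclass
class ServiceTicket:
    ticket: str
    service: str
    created: datetime
    consumed: bool = True  # a validated ticket opened a session at the service


@dataclass
class User:
    username: str
    last_login: datetime
    tickets: list = field(default_factory=list)


# Assumed maximum lifetime of a service session opened by a ticket; anything
# older is treated as already expired at the service (hypothetical value).
TICKET_LIFETIME = timedelta(hours=8)


def tickets_since_last_login(user):
    """The selection rule the issue describes: only tickets created at or
    after the user's current last_login. Every new login moves last_login
    forward, so tickets issued to an earlier device fall out of the set."""
    return [t for t in user.tickets if t.created >= user.last_login]


def tickets_within_lifetime(user, now):
    """Select every consumed ticket that may still back a live service
    session, regardless of which login produced it. Tickets older than the
    lifetime are skipped because the service has already expired them."""
    cutoff = now - TICKET_LIFETIME
    return [t for t in user.tickets if t.consumed and t.created >= cutoff]


def simulate_two_device_logout():
    """Two devices sign in one hour apart; the second device then logs out.
    Returns the ticket ids each rule would send a single-logout request for."""
    t0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)
    user = User("alice", last_login=t0)

    # Constructed data: a ticket from a long-dead session, well past lifetime.
    user.tickets.append(
        ServiceTicket("ST-0", "https://app.example/", t0 - timedelta(hours=9))
    )
    # Device A logs in and validates a ticket at the service.
    user.tickets.append(ServiceTicket("ST-1", "https://app.example/", t0))

    # Device B logs in an hour later; last_login is overwritten.
    t1 = t0 + timedelta(hours=1)
    user.last_login = t1
    user.tickets.append(ServiceTicket("ST-2", "https://app.example/", t1))

    # Device B signs out a few minutes later and single logout runs.
    now = t1 + timedelta(minutes=5)
    since_login = {t.ticket for t in tickets_since_last_login(user)}
    within_lifetime = {t.ticket for t in tickets_within_lifetime(user, now)}
    return since_login, within_lifetime


if __name__ == "__main__":
    since_login, within_lifetime = simulate_two_device_logout()
    print("since last login:", sorted(since_login))
    print("within lifetime: ", sorted(within_lifetime))
```

The lifetime-based rule still leaves device A's session alive at the service if the window is shorter than the service's own session timeout, so the lookback has to be at least as long as the longest session a consumed ticket can open.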

evilscientress commented 5 years ago

I just discovered the same behavior and agree with @beheh that current behavior is quite bad.

manelclos commented 3 years ago

Hi @beheh, sorry for the late reply.

The idea of checking all user valid tickets looks great, would you like to create a PR or share the relevant code here?