keitaroinc / ckanext-saml2auth

CKAN extension to enable Single Sign-On (SSO) for CKAN data portals via SAML2 Authentication.
GNU Affero General Public License v3.0

[BUG] Second CKAN Cookie in _logout Response #107

Open OfficialOwlElder opened 2 months ago

OfficialOwlElder commented 2 months ago

Please note that this happened after migrating our CKAN instance from an Ubuntu 20.04 machine to a Debian 12 machine and upgrading CKAN to the latest version of 2.10.

Describe the bug
Upon logging out, the session cookie does not get deleted, leaving the user still logged in. It seems that two cookies are sent in the _logout response. There is a difference in the domains, but as I understand it this should not matter.

One domain starts with a dot: .subdomain.domain.com

where as the other is normal: subdomain.domain.com

[Screenshot, 2024-09-04 4:49:56 PM: the two ckan cookies in the _logout response]

The first Response Cookie is the expected cookie with the correct expiration date. The second cookie is being injected somewhere and replacing the original cookie. I have tried printing all the response headers in the logout() function and I only see the correct cookie:

from datetime import datetime, timedelta

# _perform_slo, h and toolkit are the extension's own module-level imports
def logout(self):
    response = _perform_slo()
    if response:
        domain = h.get_site_domain_for_cookie()
        # Clear session cookie in the browser
        response.set_cookie('ckan', domain=domain, expires=datetime.utcnow() - timedelta(days=1))
        #response.set_cookie('ckan', expires=0)
        if not toolkit.check_ckan_version(min_version="2.10"):
            # CKAN <= 2.9.x also sets auth_tkt cookie
            response.set_cookie('auth_tkt', domain=domain, expires=0)

        # Debug output: dump every header of the logout response. Kept inside
        # the guard so a None response (no SLO redirect) does not raise.
        for header_item in response.headers.items():
            print(header_item)
    return response

Please let me know if I can provide any additional information.

Thank you for your support.

ckanext-saml2auth version affected
v1.1.0

Expected behaviour
Upon logging out, one ckan cookie should be included in the _logout response, setting the expiration time to 0.

Logs
Everything in the logs looks normal for both ckan-worker and ckan-uwsgi.

mixmixmix commented 2 weeks ago

Do you have any workaround for it, @OfficialOwlElder? I might have hit the same issue (I will inspect cookies to confirm). Using 'logout_expected_binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', I see in the logs:

2024-11-03 17:07:41,368 DEBUG [ckanext.saml2auth.plugin] Redirecting to the IdP to continue the logout process
2024-11-03 17:07:41,369 INFO  [ckanext.saml2auth.plugin] User miks<[redacted-email]> logged out successfully
2024-11-03 17:07:41,371 INFO  [ckan.config.middleware.flask_app]  302 /user/_logout render time 0.296 seconds

but in the CKAN site I'm still logged in! 😩

OfficialOwlElder commented 2 weeks ago

@mixmixmix Unfortunately, I was not able to figure out where the 2nd cookie is coming from so I couldn't find a workaround. This issue has been on the back burner for me since it is only affecting the logout. I am happy to help, though this one has me stumped.

mixmixmix commented 2 weeks ago

Thanks for the prompt response @OfficialOwlElder! My issue is slightly different, as I'm not getting two cookies (maybe because I do not get redirected back from the Identity Provider?). However, I managed to fix the issue by removing the domain parameter:

response.set_cookie("ckan", expires=0)

Now when re-visiting the site after the logout, I have a new cookie and the user is logged out.

I'm on 2.10.4.
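Why dropping `domain=` can matter, modelled with Python's `http.cookiejar` (added example, not code from the extension or from anyone in this thread): the jar keys cookies by domain, path and name the way browsers do, so a `ckan` cookie stored host-only for `sub.example.com` is a different cookie from one carrying `Domain=.sub.example.com`, and expiring the latter leaves the session cookie in place. The hostname, cookie value and Set-Cookie headers below are constructed for the example.

```python
"""Model the logout behaviour from this thread with the stdlib cookie jar."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE_URL = "https://sub.example.com/"          # constructed site
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"       # what Flask's expires=0 emits

# Set-Cookie headers as a browser would receive them (constructed values)
LOGIN_HEADER = "ckan=constructed-session-id; Path=/; HttpOnly; Secure"
LOGOUT_WITH_DOMAIN = f"ckan=; Domain=.sub.example.com; Expires={EPOCH}; Path=/"
LOGOUT_HOST_ONLY = f"ckan=; Expires={EPOCH}; Path=/"


class _HeadersOnly:
    """Stand-in for a urllib response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def store(jar, set_cookie_headers, url=SITE_URL):
    """Apply Set-Cookie headers to the jar as if they came from `url`."""
    jar.extract_cookies(_HeadersOnly(set_cookie_headers), Request(url))


def live_cookies(jar, name="ckan"):
    """(domain, name) of unexpired cookies with this name left in the jar."""
    return sorted((c.domain, c.name) for c in jar
                  if c.name == name and not c.is_expired())


def remaining_after_logout(logout_header):
    """Log in (host-only cookie), apply one logout header, return what remains."""
    jar = CookieJar()
    store(jar, [LOGIN_HEADER])
    store(jar, [logout_header])
    return live_cookies(jar)


if __name__ == "__main__":
    # Domain-scoped expiry misses the host-only cookie; host-only expiry clears it
    print("with Domain= :", remaining_after_logout(LOGOUT_WITH_DOMAIN))
    print("host-only    :", remaining_after_logout(LOGOUT_HOST_ONLY))
```

The same check can be run against a real `_logout` response by feeding its `Set-Cookie` headers to `store()` and confirming `live_cookies()` comes back empty.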