moodle-saml / auth

Moodle SAML Auth plugin
https://moodle.org/plugins/auth_saml

Unexpected logout behaviour when SLO is enabled #11

Open mfprimo opened 7 years ago

mfprimo commented 7 years ago

After logout, plain Moodle redirects the user to either the login page or the site index (from Moodle login/logout.php):

    if ($login) {
        $redirect = get_login_url();
    } else {
        $redirect = $CFG->wwwroot.'/';
    }
    //....
    redirect($redirect);

This auth/saml plugin, instead, redirects the user to the current page (from Moodle SAML Auth plugin index.php):

            if(isset($_SERVER['SCRIPT_URI'])) {
                $urltogo = $_SERVER['SCRIPT_URI'];
                $urltogo = str_replace('auth/saml/index.php', '', $urltogo);
            }
            else if(isset($_SERVER['HTTP_REFERER'])) {
                $urltogo = $_SERVER['HTTP_REFERER'];
            }
            else{
                $urltogo = '/';
            }

            if($saml_param->dosinglelogout) {
                $as->logout($urltogo);
                assert("FALSE"); // The previous line issues a redirect
            } else {
                header('Location: '.$urltogo);
                exit();
            }

As a result, Moodle presents a logout behaviour different from the usual user experience and, in case the current page is not accessible to an anonymous user, even an unexpected error.

Proposed solution: use the global $redirect variable to retain the usual Moodle behaviour.
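
The two target selections quoted in this issue, run side by side over constructed requests. This is an added example, not code from the plugin or from Moodle; `plugin_target`, `core_target`, the host name and the course URL are hypothetical.

```php
<?php
// Added example: not code from the plugin or from Moodle.
// Function names and all sample values below are constructed.

// Target choice as quoted from the plugin's index.php, taking the
// server variables as a parameter so it can run outside a web request.
function plugin_target(array $server): string {
    if (isset($server['SCRIPT_URI'])) {
        return str_replace('auth/saml/index.php', '', $server['SCRIPT_URI']);
    }
    if (isset($server['HTTP_REFERER'])) {
        return $server['HTTP_REFERER'];   // client-supplied header
    }
    return '/';
}

// Target choice as quoted from login/logout.php: login page or site index.
// $loginurl stands in for get_login_url(), $wwwroot for $CFG->wwwroot.
function core_target(bool $login, string $loginurl, string $wwwroot): string {
    return $login ? $loginurl : $wwwroot . '/';
}

$wwwroot  = 'https://moodle.example.org';
$loginurl = $wwwroot . '/login/index.php';

// Constructed requests reaching auth/saml/index.php during logout.
$requests = [
    'SCRIPT_URI set' => [
        'SCRIPT_URI'   => $wwwroot . '/auth/saml/index.php',
        'HTTP_REFERER' => $wwwroot . '/course/view.php?id=5',
    ],
    'Referer only' => [
        'HTTP_REFERER' => $wwwroot . '/course/view.php?id=5',
    ],
    'neither set' => [],
];

// Print both choices per request; the core target never depends on request data.
foreach ($requests as $label => $server) {
    printf("%-15s plugin: %-45s core: %s\n",
        $label, plugin_target($server), core_target(false, $loginurl, $wwwroot));
}
```

In the constructed "Referer only" request, the plugin's choice is the course page the user just left, while the core choice is always the configured site index or login URL.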