
Post-logout redirect never fires


I was planning to submit a PR here today, but I’ve hit a roadblock. Setup:

We use django_cas_ng and our users auth against a CAS SSO system. When they click the Logout link on our site, they are logged out of the site AND redirected to our campus SSO system’s logout page, which kills their ticket. This is important, especially for multi-user lab computers.

After installing django-session-security, clicking the Logout link manually still works normally. But if I let a user time out with DSS, they are logged out but they are NOT redirected to the SSO logout view. They stay on the site. In this state, the user can click the Login link again and be logged in automatically again without having to authenticate (because the CAS session ticket is still alive). That’s bad.

So I started a PR that lets the dev set a custom logout URL. If present, the middleware.py adds a simple redirect after logout():

        if delta >= timedelta(seconds=expire_seconds):
            logout(request)
            return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)

(this is in process_request()). The problem is that the redirect never happens after timeout - the user is logged out but the page is not redirected to settings.LOGOUT_REDIRECT_URL. I don’t understand why.

If I modify it to go to the CAS logout page without performing an internal logout first:

        if delta >= timedelta(seconds=expire_seconds):
            return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)

Then a timeout logout does redirect, but if the user then tries to go back to the site (e.g. to log in as someone else), they’re stuck in a loop eternally handing off to settings.LOGOUT_REDIRECT_URL, so they can’t access the site at all.

I can’t seem to make this work either way. Any idea what I’m missing here? It seems clear that No. 1 is what I want, but I can’t figure out why the redirect never fires.

n.b. I also have code to call django_cas_ng’s logout() function rather than Django’s, but that doesn’t affect the problem - it’s the same either way.

Issue Analytics

  • State: open
  • Created 7 years ago
  • Comments: 62 (36 by maintainers)

Top GitHub Comments

2 reactions
claytondaley commented, Nov 16, 2017

If you call logout from a view, you would normally return the response. As you can see here (links to an older version of Django because the interface recently changed), one of the possible responses conveys redirect information. As you saw, the middleware does not return the response. All it does is trigger the database-side processing for the logout.

But the “answer” isn’t to change session security because the application cannot be responsible for timing out the SSO credential… the SSO server needs to do that. Consider the simplest case:

  • User A logs into the application
  • User A closes the browser window holding the application (there’s no opportunity to redirect, even if supported)
  • User B opens a new window and goes to email

Because User A’s SSO session is still alive, User B is routed to User A’s email. There’s nothing that session security can do to take care of this. The SSO server needs to time out the SSO session.

The application also needs a timeout so application sessions don’t outlast the SSO sessions (by more than the timeout), but session security already handles this.
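
The behaviour discussed above, modelled as an added Python example that is not code from django-session-security or from the issue: a framework-free stand-in for the inactivity check, run through the three variants in the thread (log out only, log out then redirect, redirect without logging out). The session model, EXPIRE_AFTER and the SSO logout URL are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed values standing in for the project's settings.
EXPIRE_AFTER = timedelta(seconds=600)
LOGOUT_REDIRECT_URL = "https://sso.example.edu/cas/logout"  # placeholder SSO logout page


@dataclass
class Session:
    """Minimal model of a server-side session: who is logged in and when they were last seen."""
    user: Optional[str] = None
    last_activity: Optional[datetime] = None


def process_request(session: Session, now: datetime, mode: str) -> Optional[str]:
    """Model of the inactivity check. Returns a redirect URL, or None to let the request proceed."""
    if session.user is None:
        return None  # anonymous request: nothing to time out
    delta = now - session.last_activity
    if delta < EXPIRE_AFTER:
        session.last_activity = now  # activity resets the idle clock
        return None
    if mode == "redirect_only":
        # Variant 2 from the issue: the session is left untouched, so the
        # condition stays true on every later request and the user loops.
        return LOGOUT_REDIRECT_URL
    # Variants 1 and 3 log out first: like Django's logout(), this flushes the session,
    # so the next request arrives anonymous and is not redirected again.
    session.user = None
    session.last_activity = None
    return LOGOUT_REDIRECT_URL if mode == "logout_redirect" else None


def simulate(mode: str, n_requests: int = 3) -> List[Optional[str]]:
    """Replay n_requests from a user whose last activity is already past the limit."""
    session = Session(user="alice", last_activity=datetime(2017, 11, 16, 9, 0))
    start = datetime(2017, 11, 16, 9, 15)  # 15 minutes idle, beyond the 10-minute limit
    return [process_request(session, start + timedelta(seconds=i), mode)
            for i in range(n_requests)]


if __name__ == "__main__":
    for mode in ("logout_only", "logout_redirect", "redirect_only"):
        print(mode, simulate(mode))
```

Only the log-out-then-redirect variant hands the browser to the SSO logout page once and then stops; note that in the real project the check runs inside middleware that does not return this response, which is the point made in the comment above.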

1 reaction
santosh9991 commented, Apr 11, 2018

@claytondaley : It worked in the production. Thank you for the help.
