Bug #37
Updated by Benjamin Dauvergne almost 11 years ago
When using the HTTP-Get method for logout (redirections are done inside <html:img/> tags), the redirections end on the singleLogoutReturn callback. That callback loads the current session dump from the session, handles the LogoutResponse with process_response_msg (which also removes an assertion from the LassoSession object), then stores the new session_dump inside the authentic session.

If the executions of singleLogoutReturn are non-concurrent, everything should be fine, but that will not be the case with the current architecture of authentic. So at the end the state of session.lasso_session_dump will be non-deterministic, when it should be empty.

That's not a big problem but it could bite us someday.

The solution used for SAMLv2 should be adopted, i.e. a single logout page able to do SOAP and redirect using images.
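The race described in this report is a classic lost update: each callback does load, modify, store on the same session value, so a callback can overwrite a write it never saw. The following simulation is an added example and is not code from the bug report, from authentic or from Lasso. It models lasso_session_dump as a set of provider ids still holding an assertion (the real value is an XML string, but the interleaving is the same), names such as SessionStore, single_logout_return and run_serialized are assumptions chosen for the example, and a threading.Barrier forces the worst-case interleaving so that the loss is reproducible instead of timing-dependent.

```python
"""Simulation of the singleLogoutReturn lost-update race (added example, not
project code). Three concurrent callbacks each remove one assertion from a
session dump; the last writer wins and the dump is never emptied. The
serialized variant, one handler doing a single load and a single store for
every LogoutResponse, is what a single logout page achieves."""

import threading

# Constructed sample: one assertion per remote provider, all to be logged out.
PROVIDERS = ["idp-a", "idp-b", "idp-c"]


class SessionStore:
    """Minimal stand-in for the web session holding lasso_session_dump."""

    def __init__(self, providers):
        self.lasso_session_dump = frozenset(providers)

    def load_dump(self):
        # Returns a private copy, as decoding the dump into a new
        # LassoSession object would.
        return set(self.lasso_session_dump)

    def store_dump(self, dump):
        self.lasso_session_dump = frozenset(dump)


def single_logout_return(store, provider, barrier=None):
    """One callback: load the dump, process the LogoutResponse (drop the
    provider's assertion), store the dump back. If a barrier is given, every
    callback finishes its load before any of them stores."""
    dump = store.load_dump()
    if barrier is not None:
        barrier.wait()
    dump.discard(provider)           # what process_response_msg does to the session
    store.store_dump(dump)


def run_concurrent(providers):
    """One callback per provider at the same time (the <img/> redirect case).
    Every thread starts from the full dump, so each stores len - 1 entries
    and the final value is whichever thread wrote last."""
    store = SessionStore(providers)
    barrier = threading.Barrier(len(providers))
    threads = [
        threading.Thread(target=single_logout_return, args=(store, p, barrier))
        for p in providers
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.lasso_session_dump


def run_serialized(providers):
    """All LogoutResponses handled in one place: single load, single store."""
    store = SessionStore(providers)
    dump = store.load_dump()
    for p in providers:
        dump.discard(p)
    store.store_dump(dump)
    return store.lasso_session_dump


if __name__ == "__main__":
    print("concurrent callbacks leave:", sorted(run_concurrent(PROVIDERS)))
    print("single handler leaves:    ", sorted(run_serialized(PROVIDERS)))
```

With the barrier in place the concurrent run always leaves exactly one assertion too many; which provider survives is the non-deterministic part. Without the barrier the same loss still happens, only intermittently, which is why the bug is easy to miss in testing and why the report recommends handling every LogoutResponse from one logout page rather than from independent callbacks.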