Hi,
On Sep 18, 2009, at 8:35 AM, Marvin Addison wrote:
>> Actually I discovered the POST is being received and somewhere down
>> in the file it must hit something it doesn't like. I put in some
>> debugging statements at the beginning of the php file to determine
>> the contents of the POST request.
>
> So is it the SAML LogoutRequest? Are you using the phpCAS client? If
> so, what version?
>
Yes, it is the SAML LogoutRequest I'm seeing.
Yes, I am using the phpCAS client, version 2.0 (or at least I think
that is the right version).
>> The problem I seem to have now is php session management is cookie
>> based and I don't think CAS works that way. I believe it expects
>> session management to be done on the server-side.
>
> If you mean the SSO session, then yes, SSO in CAS is implemented via a
> cookie called TGC that contains the ticket-granting ticket ID.
> Otherwise the session management implementation of a CAS client is
> entirely independent of the CAS server. In any case if you're trying
> to get single sign-out to work, you'll need to use a client that
> supports it. If you'll clarify your application platform and which
> CAS client you're using, we can give you further guidance if needed.
>
For my application I have a main page which handles login. Here is
the phpCAS code I'm using:
    // phpCAS simple client
    phpCAS::setDebug('/tmp/kb.debug');
    // init phpCAS and start session
    phpCAS::client(CAS_VERSION_2_0, 'xxxx.xxxx.xxxx.xxxx', 443, '/cas', true);
    // no SSL validation for the CAS server
    phpCAS::setNoCasServerValidation();
    if (!phpCAS::isAuthenticated()) {
        phpCAS::forceAuthentication();
    }
    $_SESSION['prism_id'] = phpCAS::getUser();
This gets me back a PHP $_SESSION which has the phpCAS array and other
variables which I use for my application. I check my local session
variables every time a page is loaded to make sure my local session is
still valid. When I log out of my local session I clear the local
session variables only.
What I was having trouble with is handling the 'logout post' which CAS
sends to my application if I log out of CAS through another
application or if I log out through the cas logout server directly. I
haven't been able to locate any examples on this and I haven't been
able to find in phpCAS a function that does this for me. This being
the case, I have this code at the beginning of my main page:
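    if (isset($_REQUEST['logoutRequest'])) {
        // process CAS logout request and terminate session
        preg_match('/<samlp:SessionIndex>(.*)<\/samlp:SessionIndex>/',
                   $_REQUEST['logoutRequest'], $matches);
        // strip '-' and '.' from the SessionIndex to get the PHP session id;
        // a request without a SessionIndex yields an empty id
        $ssid = isset($matches[1])
            ? preg_replace(array('/-/', '/\./'), '', $matches[1]) : '';
        if ($ssid === '') { exit(); }
        // the POST carries no session cookie, so set it by hand
        $ssnm = session_name();
        $_COOKIE[$ssnm] = $ssid;
        session_start();
        // clear session variables, expire the cookie, end the session
        $_SESSION = array();
        setcookie($ssnm, '', time()-42000, '/');
        session_destroy();
        exit();
    }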
The SessionIndex in the POST, after a bit of manipulation, is the php
ssid for my application. Since the POST isn't sending a cookie with
the ssid in it, I cheat and set it. This gives me the ability to grab
the application's php session. Once I have this I can then erase all
session variables, get rid of the cookie and end the php session.
I have no idea if this is what I'm supposed to be doing but I do know
that it works.
Thanks,
--Karen
--
Karen Carter ([email protected]) Georgia Institute of Technology
Academic and Research Technologies Atlanta, Georgia 30332-0700
Office of Information Technology 404-385-8349
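
A stricter take on the logout handler in the message above, as an added example that is not Karen's code or phpCAS's: it accepts the POST only from a configured CAS server address, reads SessionIndex with an XML parser instead of a regex, and validates the derived id before it reaches session_id(). The function names, the address allow-list and the 192.0.2.10 address are assumptions made for illustration.

```php
<?php
// Added example, not from the original post or from phpCAS.
// Assumptions: $allowedCasHosts holds the CAS server's source addresses, and the
// PHP session id is the SessionIndex with '-' and '.' removed, as the post describes.

/** Return the SessionIndex text from a SAML LogoutRequest, or null if malformed. */
function cas_logout_session_index(string $xml): ?string
{
    if ($xml === '' || strlen($xml) > 8192) {   // logout requests are small
        return null;
    }
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing; '@' hides parse warnings.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null;                            // not XML, or carries a DTD
    }
    $nodes = $doc->getElementsByTagNameNS('*', 'SessionIndex');
    return $nodes->length === 1 ? trim($nodes->item(0)->textContent) : null;
}

/** Destroy the local session named by a logout POST; true only if one was processed. */
function cas_handle_logout(array $post, string $remoteAddr, array $allowedCasHosts): bool
{
    // The POST carries no credential, so accept it only from the CAS server itself.
    if (!isset($post['logoutRequest']) || !is_string($post['logoutRequest'])
        || !in_array($remoteAddr, $allowedCasHosts, true)) {
        return false;
    }
    $ticket = cas_logout_session_index($post['logoutRequest']);
    if ($ticket === null) {
        return false;
    }
    $sid = str_replace(['-', '.'], '', $ticket);
    if (!preg_match('/^[A-Za-z0-9]{1,128}\z/', $sid)) { // only a well-formed id is used
        return false;
    }
    session_id($sid);       // select the target session without touching $_COOKIE
    session_start();
    $_SESSION = [];
    session_destroy();
    return true;
}

// At the top of the page, before any output. 192.0.2.10 is a constructed address.
if (isset($_POST['logoutRequest'])) {
    cas_handle_logout($_POST, $_SERVER['REMOTE_ADDR'] ?? '', ['192.0.2.10']);
    exit;
}
```

phpCAS releases with single sign-out support provide phpCAS::handleLogoutRequests(), which applies a comparable source check. Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the allow-list has to account for that.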