Aha...
I found the phpCAS call handleLogoutRequests which does the same thing
I was doing by hand. After replacing my code with
phpCAS::handleLogoutRequests(true, array(.....)) it works just as
expected.
Problem solved.
Thanks,
--Karen
On Sep 22, 2009, at 4:56 PM, Karen Carter wrote:
> Hi,
>
> On Sep 18, 2009, at 8:35 AM, Marvin Addison wrote:
>
>>> Actually I discovered the POST is being received and somewhere down
>>> in the file it must hit something it doesn't like. I put in some
>>> debugging statements at the beginning of the php file to determine
>>> the contents of the POST request.
>>
>> So is it the SAML LogoutRequest? Are you using the phpCAS client?
>> If so, what version?
>>
> Yes, it is the SAML LogoutRequest I'm seeing.
>
> Yes, I am using the phpCAS client, version 2.0 (or at least I think
> that is the right version).
>
>>> The problem I seem to have now is php session management is cookie
>>> based and I don't think CAS works that way. I believe it expects
>>> session management to be done on the server-side.
>>
>> If you mean the SSO session, then yes, SSO in CAS is implemented via
>> a cookie called TGC that contains the ticket-granting ticket ID.
>> Otherwise the session management implementation of a CAS client is
>> entirely independent of the CAS server. In any case if you're trying
>> to get single sign-out to work, you'll need to use a client that
>> supports it. If you'll clarify your application platform and which
>> CAS client you're using, we can give you further guidance if needed.
>>
>
>
> For my application I have a main page which handles login. Here is
> the phpCAS code I'm using:
>
> // phpCAS simple client
> phpCAS::setDebug('/tmp/kb.debug');
>
> // init phpCAS and start session
> phpCAS::client(CAS_VERSION_2_0, 'xxxx.xxxx.xxxx.xxxx', 443, '/cas', true);
>
> // no SSL validation for the CAS server (testing only: without it a
> // spoofed CAS server could hand the app any user name on validation)
> phpCAS::setNoCasServerValidation();
>
> if (!phpCAS::isAuthenticated()) {
>     phpCAS::forceAuthentication();
> }
> $_SESSION['prism_id'] = phpCAS::getUser();
>
>
> This gets me back a PHP $_SESSION which has the phpCAS array and
> other variables which I use for my application. I check my local
> session variables every time a page is loaded to make sure my local
> session is still valid. When I log out of my local session I clear
> the local session variables only.
>
> What I was having trouble with is handling the 'logout post' which
> CAS sends to my application if I log out of CAS through another
> application or if I log out through the CAS logout server directly.
> I haven't been able to locate any examples on this and I haven't
> been able to find in phpCAS a function that does this for me. This
> being the case, I have this code at the beginning of my main page:
>
> if (isset($_POST['logoutRequest'])) {
>     // process CAS logout request and terminate session
>     if (!preg_match('/<samlp:SessionIndex>(.*)<\/samlp:SessionIndex>/',
>                     $_POST['logoutRequest'], $matches)) {
>         exit();
>     }
>     // the app's PHP session id is the SessionIndex minus '-' and '.'
>     $ssid = preg_replace(array('/-/', '/\./'), '', $matches[1]);
>     if ($ssid == '') { exit(); }
>     $ssnm = session_name();
>     // the POST carries no session cookie, so set the session id by hand
>     session_id($ssid);
>     session_start();
>     $_SESSION = array();
>     setcookie($ssnm, '', time()-42000, '/');
>     session_destroy();
>     exit();
> }
>
> The SessionIndex in the POST, after a bit of manipulation, is the
> php ssid for my application. Since the POST isn't sending a cookie
> with the ssid in it, I cheat and set it. This gives me the ability
> to grab the application's php session. Once I have this I can then
> erase all session variables, get rid of the cookie and end the php
> session.
>
> I have no idea if this is what I'm supposed to be doing but I do know
> that it works.
>
> Thanks,
> --Karen
>
> --
> Karen Carter ([email protected]) Georgia Institute of Technology
> Academic and Research Technologies Atlanta, Georgia 30332-0700
> Office of Information Technology 404-385-8349
>
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
--
Karen Carter ([email protected]) Georgia Institute of Technology
Academic and Research Technologies Atlanta, Georgia 30332-0700
Office of Information Technology 404-385-8349
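For anyone reading this later who wants to see what a single sign-out handler actually has to do, here is an added example. It is my code, not Karen's and not phpCAS's; in a real deployment phpCAS::handleLogoutRequests(true, array(...)) is the right call, and this block only shows the work behind it, including the sender check that the hand-rolled version in the thread lacks (it accepted a SessionIndex from anyone who could POST one, which lets an outsider log arbitrary users out). The example assumes a fixed CAS server address (192.0.2.10 is a placeholder) and that the application's PHP session ID is the SessionIndex with all non-word characters removed, the same mapping the thread's code applies; the LogoutRequest body at the top is a constructed sample.

```php
<?php
// Added example, not code from the thread or from phpCAS: a stand-alone
// handler for the SAML LogoutRequest that CAS POSTs to an application on
// single sign-out. Assumptions (mine): the CAS server address is known
// (192.0.2.10 is a placeholder) and the app's PHP session ID is the
// SessionIndex with non-word characters stripped, as in the thread's code.

// Constructed sample of what CAS POSTs in the 'logoutRequest' form field.
$SAMPLE_LOGOUT_REQUEST = '<samlp:LogoutRequest'
    . ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="LR-1-example" Version="2.0" IssueInstant="2009-09-22T20:56:00Z">'
    . '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    . '@NOT_USED@</saml:NameID>'
    . '<samlp:SessionIndex>ST-1-abc.def-cas.example.edu</samlp:SessionIndex>'
    . '</samlp:LogoutRequest>';

// Extract the SessionIndex with a real XML parser rather than a regex.
// Returns null unless the body is one well-formed samlp:LogoutRequest
// carrying exactly one SessionIndex.
function extractSessionIndex($xml)
{
    // The body comes straight off the network: no DTDs, no external entities.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $nodes = $xp->query('/samlp:LogoutRequest/samlp:SessionIndex');
    if ($nodes === false || $nodes->length !== 1) {
        return null;
    }
    return trim($nodes->item(0)->textContent);
}

// Map the SessionIndex (the service ticket) to the app's session ID. This
// must match however the application renamed its session at login.
function sessionIdFromIndex($index)
{
    $sid = preg_replace('/\W/', '', $index);
    // Refuse anything that is not a plausible session ID instead of guessing.
    return preg_match('/^[A-Za-z0-9]{8,128}$/', $sid) ? $sid : null;
}

// Destroy the application session with the given ID. A session already open
// for this request is closed first so it is not clobbered.
function destroyAppSession($sid)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    // The POST carries no session cookie, so select the session explicitly.
    session_id($sid);
    session_start();
    $_SESSION = array();
    session_destroy();
}

// Returns true when the request was a logout request (handled or refused)
// and the page should stop; false when normal processing should continue.
function handleSingleLogout(array $server, array $post, array $casServerAddrs)
{
    if (!isset($post['logoutRequest'])) {
        return false;
    }
    // Only the CAS server may log users out. Behind a reverse proxy
    // REMOTE_ADDR is the proxy; trust a forwarded-client header only if
    // the proxy is known to set it.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $casServerAddrs, true)) {
        header('HTTP/1.1 403 Forbidden');
        return true;
    }
    $index = extractSessionIndex($post['logoutRequest']);
    $sid = ($index === null) ? null : sessionIdFromIndex($index);
    if ($sid === null) {
        header('HTTP/1.1 400 Bad Request');
        return true;
    }
    destroyAppSession($sid);
    header('HTTP/1.1 200 OK');
    return true;
}

// Self-check from the command line (php thisfile.php): parse the sample.
if (PHP_SAPI === 'cli') {
    $idx = extractSessionIndex($SAMPLE_LOGOUT_REQUEST);
    echo "SessionIndex: $idx -> session id: " . sessionIdFromIndex($idx) . "\n";
    exit();
}

// In the web page, before phpCAS::client() and forceAuthentication():
if (handleSingleLogout($_SERVER, $_POST, array('192.0.2.10'))) {
    exit();
}
```

The address list plays the role of the allowed-clients array that phpCAS takes as the second argument to handleLogoutRequests(): without it, the logout endpoint is an unauthenticated way to terminate any session whose ticket an attacker can guess or observe. Parsing with DOMDocument instead of a regex matters less for security here than for correctness (the regex in the thread is greedy and would misbehave on a body with two SessionIndex elements), but disabling network access and entity loading is the habit to keep for any XML taken from a request body.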