mnet: mahara doesn't implement kill_child which results in not being logged out when logged out from a remote IdP over mnet

Bug #1084336 reported by Hugh Davenport on 2012-11-29
This bug affects 3 people
Affects    Importance    Assigned to
Mahara     Medium        Aaron Wells
15.04      Medium        Unassigned
15.10      Medium        Unassigned
16.04      Medium        Unassigned

Bug Description

When Mahara is doing SSO via MNet, with a remote IdP, it ought to log you out of Mahara when you log out of the IdP. MNet allows for this via the "kill_child" API method, which the IdP will call for each connected service provider to tell it to log a user out.

Mahara never implemented this method, so it doesn't log you out properly when you log out of the IdP.

To replicate:

1. Set up MNet between a Moodle & Mahara site, with Moodle as the identity provider (i.e. users log in to Moodle and then roam over to Mahara)
2. Log in to Moodle
3. Roam over to Mahara
4. Open up Moodle in another tab.
5. Log out of Moodle.
6. Go back to the tab with Mahara and try to navigate around in the site.

Expected result: You can't navigate around because you're logged out of Mahara

Actual result: You are not logged out of Mahara
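
The single-logout exchange described in this report, modelled in Python as an added example; it is not part of the original report and is not Mahara or Moodle code. The class names, the `rpc` signature and the host names are assumptions made for illustration.

```python
# Constructed model of MNet-style single logout; not Mahara or Moodle code.
import secrets


class ServiceProvider:
    """SP that keeps its own local session for each user who roams in."""

    def __init__(self, name, implements_kill_child):
        self.name = name
        self.implements_kill_child = implements_kill_child
        self.sessions = {}  # local session id -> (idp_host, username)

    def land(self, idp_host, username):
        # Roaming in creates a session that is independent of the IdP's.
        sid = secrets.token_hex(16)
        self.sessions[sid] = (idp_host, username)
        return sid

    def rpc(self, caller_host, method, username):
        # caller_host stands for the peer the transport already authenticated.
        if method != "kill_child" or not self.implements_kill_child:
            return {"fault": "unknown method: " + method}
        # Kill only sessions this IdP created; the same username coming
        # from another IdP is a different account and must survive.
        doomed = [sid for sid, owner in self.sessions.items()
                  if owner == (caller_host, username)]
        for sid in doomed:
            del self.sessions[sid]
        return {"killed": len(doomed)}


class IdentityProvider:
    def __init__(self, host, peers):
        self.host, self.peers = host, peers

    def logout(self, username):
        # After ending its own session the IdP notifies every connected SP.
        return {sp.name: sp.rpc(self.host, "kill_child", username)
                for sp in self.peers}


def replay(implements_kill_child):
    """Steps 2-6 of the report: (SP session survived, other IdP's survived, SP reply)."""
    sp = ServiceProvider("mahara", implements_kill_child)
    idp = IdentityProvider("moodle.example", [sp])
    sid = sp.land(idp.host, "alice")
    other = sp.land("other-idp.example", "alice")  # same name, different IdP
    replies = idp.logout("alice")
    return sid in sp.sessions, other in sp.sessions, replies["mahara"]
```

`replay(False)` reproduces the reported behaviour: the IdP's call faults and the local session stays valid. `replay(True)` shows the session removed while a same-named user from a different IdP stays logged in.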


Changed in mahara:
status: New → Confirmed
Son Nguyen (ngson2000) on 2013-01-28
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
Son Nguyen (ngson2000) on 2013-03-14
Changed in mahara:
milestone: 1.7.0 → 1.8.0
Aaron Wells (u-aaronw) wrote :

If we keep dragging our feet on this one, MNet replacement should solve the problem for us. ;)

Changed in mahara:
importance: High → Medium
milestone: 1.8.0rc1 → none
assignee: Son Nguyen (ngson2000) → nobody
Aaron Wells (u-aaronw) wrote :

I'm going to take a quick try at fixing this, using the information supplied on the two duplicate bug reports Bug #1084347 and Bug #1598664.

Changed in mahara:
assignee: nobody → Aaron Wells (u-aaronw)
Aaron Wells (u-aaronw) wrote :

To replicate:

1. Set up MNet between a Moodle & Mahara site, with Moodle as the identity provider (i.e. users log in to Moodle and then roam over to Mahara)
2. Log in to Moodle
3. Roam over to Mahara
4. Open up Moodle in another tab.
5. Log out of Moodle.
6. Go back to the tab with Mahara and try to navigate around in the site.

Expected result: You can't navigate around because you're logged out of Mahara

Actual result: You are not logged out of Mahara

Aaron Wells (u-aaronw) on 2016-07-05
description: updated
description: updated
Changed in mahara:
milestone: none → 16.10.0
Robert Lyon (robertl-9) on 2016-07-11
Changed in mahara:
status: Confirmed → In Progress

Reviewed: https://reviews.mahara.org/6647
Committed: https://git.mahara.org/mahara/mahara/commit/2837542d07b07e1e43fd1841166af0e7edd7cc0d
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 2837542d07b07e1e43fd1841166af0e7edd7cc0d
Author: Aaron Wells <email address hidden>
Date: Tue Jul 5 12:19:42 2016 +1200

Bug 1084336: Implement MNet "kill child"

If you're logged in to Mahara via a remote IdP,
when you log out on the IdP it will try to invoke
this method to log you out of Mahara.

Change-Id: Ia11250b408ba594aaa179478cd67d5499cd1e2c8
behatnotneeded: Can't test Mnet in Behat yet

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6698
Committed: https://git.mahara.org/mahara/mahara/commit/8654c56dcbe0cd325b9bea4ed914dc869c6ee949
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 8654c56dcbe0cd325b9bea4ed914dc869c6ee949
Author: Aaron Wells <email address hidden>
Date: Tue Jul 5 12:19:42 2016 +1200

Bug 1084336: Implement MNet "kill child"

If you're logged in to Mahara via a remote IdP,
when you log out on the IdP it will try to invoke
this method to log you out of Mahara.

Change-Id: Ia11250b408ba594aaa179478cd67d5499cd1e2c8
behatnotneeded: Can't test Mnet in Behat yet

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6699
Committed: https://git.mahara.org/mahara/mahara/commit/c6a72f8145a72d8d20955769c42325da6bffbb3e
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit c6a72f8145a72d8d20955769c42325da6bffbb3e
Author: Aaron Wells <email address hidden>
Date: Tue Jul 5 12:19:42 2016 +1200

Bug 1084336: Implement MNet "kill child"

If you're logged in to Mahara via a remote IdP,
when you log out on the IdP it will try to invoke
this method to log you out of Mahara.

Change-Id: Ia11250b408ba594aaa179478cd67d5499cd1e2c8
behatnotneeded: Can't test Mnet in Behat yet

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6700
Committed: https://git.mahara.org/mahara/mahara/commit/4aab3a18cb0b261a4a8074e34b642f18fef91012
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 4aab3a18cb0b261a4a8074e34b642f18fef91012
Author: Aaron Wells <email address hidden>
Date: Tue Jul 5 12:19:42 2016 +1200

Bug 1084336: Implement MNet "kill child"

If you're logged in to Mahara via a remote IdP,
when you log out on the IdP it will try to invoke
this method to log you out of Mahara.

Change-Id: Ia11250b408ba594aaa179478cd67d5499cd1e2c8
behatnotneeded: Can't test Mnet in Behat yet

Robert Lyon (robertl-9) on 2016-07-11
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
William (williamchan19) wrote :

Dear Sir,

I upgraded to Mahara 15.10.4.
I also used both Moodle 2.9.x and 3.1.1 to test this issue.

However, the same problem happened, and it seems Mahara still isn't logged out after logging out in Moodle.

Regards,
William

Aaron Wells (u-aaronw) wrote :

Hi William,

I tested it just now with an installation of Moodle 3.1.1 and a Mahara instance on 15.10.4, and it worked as expected. Specifically, I followed the test case described here, and got the expected result: https://bugs.launchpad.net/mahara/+bug/1084336/comments/3

Can you confirm if that test case isn't working for you, or if you're talking about a different test case?

Cheers,
Aaron

Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.