mnet: mahara doesn't implement kill_child which results in not being logged out when logged out from a remote IdP over mnet
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Medium | Aaron Wells | |
15.04 | Fix Released | Medium | Unassigned | |
15.10 | Fix Released | Medium | Unassigned | |
16.04 | Fix Released | Medium | Unassigned | |
Bug Description
When Mahara is doing SSO via MNet, with a remote IdP, it ought to log you out of Mahara when you log out of the IdP. MNet allows for this via the "kill_child" API method, which the IdP will call for each connected service provider to tell it to log a user out.
Mahara never implemented this method, so it doesn't log you out properly when you log out of the IdP.
To replicate:
1. Set up MNet between a Moodle & Mahara site, with Moodle as the identity provider (i.e. users log in to Moodle and then roam over to Mahara)
2. Log in to Moodle
3. Roam over to Mahara
4. Open up Moodle in another tab.
5. Log out of Moodle.
6. Go back to the tab with Mahara and try to navigate around in the site.
Expected result: You can't navigate around because you're logged out of Mahara
Actual result: You are not logged out of Mahara
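The logout propagation described above, as an added Python model (not Mahara or Moodle code): the IdP calls kill_child on every service provider the user roamed to, and a provider that never exposes the method keeps the session alive. Every name except kill_child is hypothetical, and passing only a username to kill_child is an assumption.

```python
# Toy model of MNet single logout; every name except kill_child is hypothetical.
import secrets

class ServiceProvider:
    def __init__(self, name, exposed):
        self.name = name
        self.sessions = {}                      # session id -> username
        self.rpc = {m: getattr(self, m) for m in exposed}  # RPC-reachable methods

    def land(self, username):
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def kill_child(self, username):             # destroy the user's local sessions
        before = len(self.sessions)
        self.sessions = {s: u for s, u in self.sessions.items() if u != username}
        return before - len(self.sessions)

    def call(self, method, *args):
        if method not in self.rpc:
            raise LookupError(f"{self.name}: no such method {method!r}")
        return self.rpc[method](*args)

class IdentityProvider:
    def __init__(self):
        self.children = {}                      # username -> SPs roamed to

    def roam(self, username, sp):
        self.children.setdefault(username, []).append(sp)
        return sp.land(username)

    def logout(self, username):
        """Call kill_child on each SP; return names of SPs where it failed."""
        failed = []
        for sp in self.children.pop(username, []):
            try:
                sp.call("kill_child", username)
            except LookupError:
                failed.append(sp.name)
        return failed

def demo():
    idp = IdentityProvider()
    fixed = ServiceProvider("sp-fixed", ["kill_child"])
    buggy = ServiceProvider("sp-buggy", [])     # kill_child never exposed
    s1, s2 = idp.roam("alice", fixed), idp.roam("alice", buggy)
    failed = idp.logout("alice")
    return s1 in fixed.sessions, s2 in buggy.sessions, failed
```

The list returned by `logout` is what an IdP operator would want logged: each entry is a service provider where the user's session outlived the logout.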
Changed in mahara:
status: New → Confirmed
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
Changed in mahara:
milestone: 1.7.0 → 1.8.0
description: updated
description: updated
Changed in mahara:
milestone: none → 16.10.0
Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
If we keep dragging our feet on this one, MNet replacement should solve the problem for us. ;)