CAS SSO and logging out

by Paul Nuffer -
Number of replies: 10
I've noticed, with the updated CAS module available here, that if we don't have "Logout CAS" option set to "Yes", users who click logout will simply return to their login page, not logged out. It seems the ticket is not destroyed upon logging out of Moodle. An alternate way to view this is seen following these steps: log in as user A to CAS enter Moodle, which authenticates as user A through CAS log out of CAS and Moodle log in as user B to CAS enter Moodle, which authenticates again as user A through CAS Is there a way to destroy that ticket on logout from the CAS?
In reply to Paul Nuffer

Re: CAS SSO and logging out

by Paul Nuffer -
Goodness, I should've previewed that.

The steps to see the problem are:

- log in as user A to CAS
- enter Moodle (authenticated through CAS), close (don't log out) Moodle
- log out of CAS
- log in as user B to CAS
- enter Moodle, and you are user A still
In reply to Paul Nuffer

Re: CAS SSO and logging out

by Jaswant Tak -
Hi Paul,

The scenario you described is correct. Moodle is still with user A; I am also facing the same issue. Did you find any solution? As of today, 2 years have passed since your post without any solution.

Cheers!
In reply to Jaswant Tak

Re: CAS SSO and logging out

by Iñaki Arenaza -

I've just tested, and it works "as expected". Once you log into Moodle (either via CAS or any other authentication method), Moodle issues you a session cookie that remembers who you are (from Moodle's point of view).

If you don't remove that cookie (either by closing all the browser windows or by manually deleting it from the browser store), you are still logged into Moodle as the original user. As you are logged in, Moodle doesn't try to authenticate you via CAS (or any other method), so you keep being the original user all the time.

It doesn't matter if you log out from CAS and destroy the CAS ticket. As long as you don't delete Moodle's cookie, you are still the original user.

If you click on Moodle's logout link, you remove that session cookie. But if you have configured Moodle to force users to log in even to see the front page, as soon as you log out you are forced to log in again, which in turn triggers the CAS authentication process.

Unless you've destroyed the CAS ticket as part of Moodle's logout process (which you can do by setting 'Logout CAS' to 'yes' in the CAS auth settings, as Paul Nuffer points out), you get re-authenticated in Moodle as the original CAS user instantly again.

I hope this enlightens the issue a bit.

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: CAS SSO and logging out

by Jaswant Tak -
Hi Iñaki,

Yes, you are right, Moodle keeps its own cookies, so if a user is logged in to the CAS system but the Moodle cookie is not there, Moodle will say you are not logged in. But when we click on the login link on top, it checks the CAS cookie or ticket and then it says you are logged in.

So one major issue is: can't we check this on the front page only, when the user comes to Moodle, so that without clicking on the login link we can tell the user that they are logged in, because the user is already logged in to CAS?

And the same for the logout process: can't we clear the Moodle cookie when we log out from CAS? I even tried to change the cookie path in the server settings in Moodle, but the cookie names are different in the two systems, so it did not help.

Still thinking about this. It's really important, as Google does the same.

Cheers,
Jaswant
In reply to Jaswant Tak

Re: CAS SSO and logging out

by Robert Russo -
You could use one of the later versions of CAS, which supports single-sign-out, and the newer versions of phpCAS, which also support this feature. Unfortunately, the CAS authentication plugin for Moodle would have to be rewritten to support this as well.

We have been debating doing this for a while now, but there is no consensus at LSU on how this is supposed to work. Until it is mandated that Moodle supports single-sign-out, we are leaving it as it is and instructing people to log out of Moodle.

We do have "CAS logout" enabled in Moodle.
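
Added example, not part of any post in this thread and not Moodle or phpCAS code: a toy Python model of the behaviour Iñaki Arenaza describes above (the application's own session cookie outlives the CAS ticket) and of the single-sign-out callback Robert Russo mentions. The classes `CasServer` and `App`, the cookie name and the ticket values are constructed for illustration; the `LogoutRequest`/`SessionIndex` message follows the CAS protocol's back-channel logout.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def logout_request(ticket):
    # Shape of the back-channel message CAS single sign-out posts to a service.
    return ('<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-constructed" Version="2.0">'
            '<samlp:SessionIndex>%s</samlp:SessionIndex>'
            '</samlp:LogoutRequest>' % (SAMLP, ticket))

class CasServer:
    """Toy CAS server holding one SSO session for one browser."""
    def __init__(self):
        self.user, self.issued = None, {}   # issued: service ticket -> app
    def ticket_for(self, app):
        if self.user is None:
            return None, None               # a real CAS would show its login form
        st = "ST-%d-constructed" % (len(self.issued) + 1)
        self.issued[st] = app
        return st, self.user
    def logout(self, single_sign_out):
        self.user = None                    # the CAS ticket is destroyed
        if single_sign_out:                 # notify every service that got a ticket
            for st, app in self.issued.items():
                app.handle_logout_request(logout_request(st))
        self.issued = {}

class App:
    """Toy CAS-protected application with its own session cookie."""
    def __init__(self, cas):
        self.cas, self.sessions, self.by_ticket = cas, {}, {}
    def visit(self, cookie):
        if cookie in self.sessions:         # local session found: CAS is not asked
            return self.sessions[cookie]
        st, user = self.cas.ticket_for(self)
        if user is not None:
            self.sessions[cookie], self.by_ticket[st] = user, cookie
        return user
    def handle_logout_request(self, xml_text):
        # A real handler must first check the request came from the CAS server.
        st = ET.fromstring(xml_text).findtext("{%s}SessionIndex" % SAMLP)
        self.sessions.pop(self.by_ticket.pop(st, None), None)

def scenario(single_sign_out):
    # The steps from the thread: A logs in, leaves the app, logs out of CAS; B logs in.
    app = App(CasServer())
    app.cas.user = "userA"
    app.visit("browser-cookie")
    app.cas.logout(single_sign_out)
    app.cas.user = "userB"
    return app.visit("browser-cookie")
```

`scenario(False)` returns the stale user because the local session is never invalidated; `scenario(True)` returns the new user because the logout request drops the session tied to the service ticket.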
In reply to Robert Russo

Re: CAS SSO and logging out

by Atif Rasheed -

Hi, any update on this? Moodle still doesn't support Single-Sign-Out.

If I sign out from CAS, my session in Moodle doesn't terminate.

In reply to Atif Rasheed

Re: CAS SSO and logging out

by Dave Perry -

My guess is that when you use CAS to create a Moodle session, Moodle doesn't care if your CAS session is a minute from expiring or you're going to log out of it. Its sole concern is 'is there a valid CAS session for me to log a user in SSO style'.

And that is far more fundamental a challenge, possibly almost impossible to fix.

In reply to Jaswant Tak

Re: CAS SSO and logging out

by Iñaki Arenaza -

> So one major issue is: can't we check this on the front page only, when the user comes to Moodle, so that without clicking on the login link we can tell the user that they are logged in, because the user is already logged in to CAS?

If you want this, you can set 'Force users to login' to yes in Administration >> Security >> Site Policies. This forces the login process as soon as you hit the front page (or any other page, for that matter).

Regarding the logout, I'm not sure this is possible without changing the code (as Robert says).

Saludos. Iñaki.

In reply to Iñaki Arenaza

Re: CAS SSO and logging out

by Jaswant Tak -
The problem with 'Force users to login' is that guests will also have to create an account. If I want to show the available courses on the front page, a visitor will not be able to see those courses without creating an account and logging in.

That's the issue, and yes, I agree with your words: if we set 'Force users to login', Moodle will say you are logged in if the user is logged in to CAS.

Jaswant