I was planning to submit a PR here today, but I've hit a roadblock. Setup:
We use django_cas_ng and our users auth against a CAS SSO system. When they click the Logout link on our site, they are logged out of the site AND redirected to our campus SSO system's logout page, which kills their ticket. This is important, especially for multi-user lab computers.
After installing django-session-security, clicking the Logout link manually still works normally. But if I let a user time out with DSS, they are logged out but they are NOT redirected to the SSO logout view. They stay on the site. In this state, the user can click the Login link again and be logged in automatically again without having to authenticate (because the CAS session ticket is still alive). That's bad.
So I started a PR that lets the dev set a custom logout URL. If present, the middleware.py adds a simple redirect after `logout()`:

```python
if delta >= timedelta(seconds=expire_seconds):
    logout(request)
    return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)
```
(this is in `process_request()`). The problem is that the redirect never happens after timeout - the user is logged out but the page is not redirected to `settings.LOGOUT_REDIRECT_URL`. I don't understand why.
If I modify it to go to the CAS logout page without performing an internal logout first:

```python
if delta >= timedelta(seconds=expire_seconds):
    return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)
```
Then a timeout logout does redirect, but if the user then tries to go back to the site (e.g. to log in as someone else), they're stuck in a loop eternally handing off to settings.LOGOUT_REDIRECT_URL, so they can't access the site at all.
I can't seem to make this work either way. Any idea what I'm missing here? It seems clear that No. 1 is what I want, but I can't figure out why the redirect never fires.
n.b. I also have code to call django_cas_ng's `logout()` function rather than Django's, but that doesn't affect the problem - it's the same either way.
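An added example, not code from the post above, from django-session-security or from django_cas_ng: an idle-timeout middleware that ends the local session and then hands the browser to an external (SSO) logout URL, while avoiding the redirect loop described in the post by never redirecting anonymous requests. Django itself is not imported so the block runs stand-alone; the small `Request`, `Response`, `User` and `logout` stand-ins model only what the middleware touches, and the setting names `SESSION_SECURITY_EXPIRE_AFTER`, `LOGOUT_REDIRECT_URL` and `LAST_ACTIVITY_KEY` are assumptions chosen for this example. It also assumes the expiry check can reach the server through an AJAX ping, in which case a 302 is followed by the XHR and the browser's location never changes; whether that is what happens in django-session-security's own ping is something to confirm against the library, not a fact this example establishes.

```python
import json

# Assumed settings (names chosen for this example, not the project's own).
SESSION_SECURITY_EXPIRE_AFTER = 600                         # idle seconds before expiry
LOGOUT_REDIRECT_URL = "https://sso.example.edu/cas/logout"  # hypothetical SSO logout URL
LAST_ACTIVITY_KEY = "_session_security"                     # session key for last activity


class Response:
    """Minimal stand-in for django.http.HttpResponse."""
    def __init__(self, status=200, headers=None, body=""):
        self.status_code = status
        self.headers = headers or {}
        self.body = body


class AnonymousUser:
    is_authenticated = False


class User:
    is_authenticated = True

    def __init__(self, username):
        self.username = username


class Request:
    """Stand-in for HttpRequest with only what the middleware touches.
    `now` (epoch seconds) is injected so the examples are deterministic;
    in Django you would read time.time() inside the middleware instead."""
    def __init__(self, path, session, user, now, ajax=False):
        self.path = path
        self.session = session   # dict-like, as a Django session is
        self.user = user
        self.now = now
        self.ajax = ajax         # True for an XMLHttpRequest/fetch ping


def logout(request):
    """Stand-in for django.contrib.auth.logout: flush the session, drop the user."""
    request.session.clear()
    request.user = AnonymousUser()


class SessionSecurityMiddleware:
    """Idle-timeout check that ends the local session and then sends the
    browser (not merely the XHR) to the external logout URL."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        early = self.process_request(request)
        return early if early is not None else self.get_response(request)

    def process_request(self, request):
        # Anonymous requests are never redirected. Without this guard an
        # already-logged-out user is bounced to LOGOUT_REDIRECT_URL on every
        # hit and can never reach the login page again (the loop in the post).
        if not request.user.is_authenticated:
            return None

        last = request.session.get(LAST_ACTIVITY_KEY, request.now)
        if request.now - last < SESSION_SECURITY_EXPIRE_AFTER:
            request.session[LAST_ACTIVITY_KEY] = request.now   # still active
            return None

        # Expired: kill the local session first, then hand off to SSO.
        logout(request)
        if request.ajax:
            # An XHR follows a 302 on its own and the browser stays where it is.
            # Answer with JSON and let the page script set window.location.
            body = json.dumps({"expired": True, "logout_url": LOGOUT_REDIRECT_URL})
            return Response(401, {"Content-Type": "application/json"}, body)
        return Response(302, {"Location": LOGOUT_REDIRECT_URL})


def run_examples():
    """Drive the middleware through the cases from the post; returns (request, response) pairs."""
    now = 1_700_000_000.0                                   # constructed clock value
    stale = now - SESSION_SECURITY_EXPIRE_AFTER - 1         # idle one second too long
    mw = SessionSecurityMiddleware(lambda req: Response(200, body="page"))
    cases = {
        # logged-in user on a normal page load after the idle limit
        "page": Request("/", {LAST_ACTIVITY_KEY: stale}, User("alice"), now),
        # the same expiry detected through the AJAX ping
        "ping": Request("/ping/", {LAST_ACTIVITY_KEY: stale}, User("alice"), now, ajax=True),
        # someone already logged out coming back to log in as someone else
        "anon": Request("/", {LAST_ACTIVITY_KEY: stale}, AnonymousUser(), now),
        # logged-in user who was active five seconds ago
        "live": Request("/", {LAST_ACTIVITY_KEY: now - 5}, User("alice"), now),
    }
    return {name: (req, mw(req)) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (req, resp) in run_examples().items():
        print(name, resp.status_code, resp.headers.get("Location", ""), resp.body[:40])
```

In a real Django deployment the stand-ins drop away: the class is listed in `MIDDLEWARE`, the timestamp is stored as a float so the session stays JSON-serializable, and the page's ping script treats a 401 with `"expired": true` as its cue to navigate to `logout_url` rather than reloading.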