phpCAS is not handling logout requests when behind a load balancer #311
Comments
I guess this can also be done on the web server end? Of course it would be nice if an extendable method of getting the IP address can be added, or add a new config of "whitelist IP ranges" (while this will make the whole library a bit complicated).
The challenge with logout is that phpcas is lightweight and has no persistent "storage" to map a logout request to a phpcas session. Phpcas cheats by having a direct mapping from SessionTicket -> php session (technically a hash + secret). Having this logout work depends on a user and logout call (not from the user directly but originating from the CAS server) ending up on the same web farm instance. This is usually the issue since all loadbalancer magic around sticky sessions does not help due to the different origins of the requests. Unless you have a shared php session storage between the nodes you have to use one of our very rarely used phpcas features that is called "Rebroadcast". I have never used it myself and not sure what the quality is. You can see it in the examples and source doc:
On a basic level, couldn't you do:
As far as the "Rebroadcast" if the request comes into a different node than the end user is on, which jfritschi mentioned above, I feel that that's a separate issue. But yes, that's a good point. Thanks for the link to the proxy example
Hello @jfritschi I tried testing the code I mentioned in my last comment and that seems to work for getting the actual client_ip instead of the load balancer's IP. Should I create a PR? Also, as far as the CAS logout request not going to the same node in the cluster, yes, I confirmed that that is an issue. Then I tried adding the rebroadcast call as you suggested,
but that caused some errors:
Any ideas about that?
Here's another question... would it be possible for the CAS Single Logout POST request to add additional info about the 'canonical' hostname of the CAS server? e.g. the main CAS hostname? Either as post data or in the SAML message? That way if the 'real' CAS hosts (behind the CAS load balancer) change, we won't need to update $cas_real_hosts in our config.php... the phpCAS logout request handler would then check the validity of the request against the main hostname (instead of the 'real' hosts)?
@austin48 Sorry for the late reply, not sure if this is still relevant.
I would prefer having a single function to get IP address, and extending it if needed, OR having a configuration to control the behavior. If an app is not behind a LB, making this as a default will make it not secure.
Probably a bug?
Is there a specification about this in the SAML or CAS protocol specification? However I think it may be worth moving the validation part out of the
If moving
@jgribonvald It has been a long time so I don't quite remember the detail, but I think it should be fine. Please feel free to make a pull request if you want :-)
```php
$cas_real_hosts = array('cas-real-1.example.com', 'cas-real-2.example.com');
```
I suspect this is due to Client.php
```php
$client_ip = $_SERVER['REMOTE_ADDR'];
```
which if your app is behind a load balancer, will return the load balancer's IP instead of the end user's ip. Instead, Client.php should check all the x-forwarded-for, etc. headers and try to find the real IP address. for example: https://stackoverflow.com/questions/44085102/php-most-accurate-safe-way-to-get-real-user-ip-address-in-2017
see also, https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/Wte7lwmYkkc
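The issue body above describes the problem (REMOTE_ADDR yields the load balancer's address, so the logout request never matches $cas_real_hosts), and the later comment warns that trusting X-Forwarded-For by default is unsafe when no load balancer is in front of the app. The following is an added example, not phpCAS code, showing how both concerns can be reconciled: the X-Forwarded-For chain is consulted only when the direct peer is a configured trusted proxy, the chain is walked from the right so client-supplied entries are ignored, and the resulting address is compared against the resolved addresses of the allowed CAS hosts. The $trustedProxies setting, the resolveClientIp()/isAllowedCasHost() helpers, and all IP addresses and the DNS table are assumptions constructed for the demo.

```php
<?php
// Added example (not from phpCAS): resolve the end-user IP behind a load
// balancer without letting an arbitrary client spoof it, then check it against
// the resolved addresses of the CAS hosts allowed to send single-logout requests.

declare(strict_types=1);

/**
 * Return the client IP. X-Forwarded-For is honoured only when the direct peer
 * (REMOTE_ADDR) is one of the trusted proxies; with no proxies configured this
 * behaves exactly like the plain REMOTE_ADDR lookup, so it is safe as a default.
 *
 * @param array<string,string> $server         $_SERVER-like array
 * @param string[]             $trustedProxies IPs of load balancers we control
 *                                             (assumed deployer-supplied setting)
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Direct peer is not a proxy we control: the header is attacker-controlled.
    if ($trustedProxies === [] || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }
    // Walk right-to-left: the rightmost entry was appended by the proxy nearest
    // to us. The first entry that is not a trusted proxy is the real client; any
    // entries further left may have been forged by that client.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back rather than trust it
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // every hop was a trusted proxy; nothing better to report
}

/**
 * Is $clientIp one of the CAS servers allowed to send logout requests?
 * $resolve maps a hostname to an IP (gethostbyname() in production; a
 * constructed table here so the example runs offline).
 *
 * @param string[] $casRealHosts
 */
function isAllowedCasHost(string $clientIp, array $casRealHosts, callable $resolve): bool
{
    foreach ($casRealHosts as $host) {
        if ($resolve($host) === $clientIp) {
            return true;
        }
    }
    return false;
}

// ---- Constructed demo data (not from a real deployment) ----
$trustedProxies = ['10.0.0.5', '10.0.0.6'];          // outer and inner load balancer
$casRealHosts   = ['cas-real-1.example.com', 'cas-real-2.example.com'];
$fakeDns        = [
    'cas-real-1.example.com' => '192.0.2.10',
    'cas-real-2.example.com' => '192.0.2.11',
];
$resolve = function (string $host) use ($fakeDns): string {
    return $fakeDns[$host] ?? $host;
};

// 1. Logout POST from cas-real-2 relayed through both balancers. The leftmost
//    entry was supplied by the sender and must be ignored.
$viaLb = [
    'REMOTE_ADDR'          => '10.0.0.6',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 192.0.2.11, 10.0.0.5',
];
// 2. Same header, but sent directly by an untrusted peer: header is ignored.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.11',
];

foreach (['via LB' => $viaLb, 'spoofed' => $spoofed] as $label => $srv) {
    $ip     = resolveClientIp($srv, $trustedProxies);
    $result = isAllowedCasHost($ip, $casRealHosts, $resolve) ? 'accept' : 'reject';
    echo "$label: client_ip=$ip -> $result logout request\n";
}
```

The first case resolves to 192.0.2.11 and is accepted; the second keeps 203.0.113.7 as the client address because the direct peer is not a trusted proxy, so the forged header cannot make the request look like it came from a CAS host. Resolving $cas_real_hosts on every logout request is a DNS round trip per request, so in a real deployment the resolved list would be cached with a short TTL.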