mahara-contributors team mailing list archive

[Bug 1598976] [NEW] Mahara doesn't properly do MNet "kill_children" when Mahara is the IdP

*** This bug is a security vulnerability ***

Private security bug reported:

When Mahara is doing SSO via MNet, and Mahara itself is the IdP, it
ought to log you out of any connected service providers when you log out
of Mahara. MNet allows for this via the "kill_child" API method, which
the IdP is supposed to call for each logged-in SP when a user logs out
of the IdP.

Mahara does implement a "kill_children" method, but it has a "TODO" in
the part where it's supposed to do "kill_child" for each SP.

To replicate:

1. Set up MNet between a Moodle & Mahara site, with Mahara as the
identity provider. (i.e. users log in to Mahara and then roam over to
Moodle)

2. Log in to Mahara.

3. In the "Network Servers" sideblock, click the link to roam over to
Moodle.

4. Open Mahara in a second tab.

5. In the second tab, log out of Mahara.

6. Go back to Moodle in the first tab and click around to see if you are
logged out.

Expected result: You should be logged out of Moodle

Actual result: You are not logged out of Moodle

** Affects: mahara
     Importance: Medium
     Assignee: Aaron Wells (u-aaronw)
         Status: In Progress


** Tags: mnet

** Information type changed from Public to Private Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1598976

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1598976/+subscriptions
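The report describes the contract an MNet IdP has to honour: the IdP keeps track of every service provider a user has roamed to, and when the IdP session ends it calls "kill_child" on each of them. The example below is an added in-process simulation of that fan-out, not Mahara's or Moodle's code; the class and method names (IdentityProvider, ServiceProvider, roam_to, kill_children, kill_child), the session bookkeeping and the wwwroot values are assumptions chosen to mirror the behaviour the report describes, not the real MNet XML-RPC interface. It replays steps 1-6 of the report in both the defective form (the loop body left as a TODO) and the intended form, and shows the other case a practitioner cares about: one unreachable SP must not stop the remaining SPs from being logged out.

```python
"""MNet-style single logout fan-out, as an in-process simulation.

Added example, not Mahara's or Moodle's code. All names and the session
bookkeeping are assumptions that mirror the bug report, not the real MNet API.
"""
import logging

log = logging.getLogger("mnet-sso")


class ServiceProvider:
    """Stand-in for a remote SP (Moodle in the report) that accepted an SSO session."""

    def __init__(self, wwwroot, reachable=True):
        self.wwwroot = wwwroot
        self.reachable = reachable          # constructed flag to simulate a network failure
        self.sessions = {}                  # username -> session id

    def start_session(self, username, session_id):
        self.sessions[username] = session_id

    def kill_child(self, username, useragent):
        """SP side of 'kill_child': end this user's local session.

        Returns True if a session was actually removed."""
        if not self.reachable:
            raise ConnectionError(f"{self.wwwroot} did not answer kill_child")
        return self.sessions.pop(username, None) is not None

    def is_logged_in(self, username):
        return username in self.sessions


class IdentityProvider:
    """Stand-in for the IdP (Mahara in the report); remembers every SP a user roamed to."""

    def __init__(self):
        self.children = {}                  # username -> {wwwroot: ServiceProvider}

    def roam_to(self, username, sp, session_id):
        """User jumps from the IdP to an SP; record the child session so logout can reach it."""
        sp.start_session(username, session_id)
        self.children.setdefault(username, {})[sp.wwwroot] = sp

    def kill_children(self, username, useragent, do_kill=True):
        """Fan out kill_child to every SP the user has a session on.

        do_kill=False reproduces the reported defect: the loop exists but the
        kill_child call was left as a TODO. Returns the wwwroots that failed so
        the caller can log or retry them; one unreachable SP must not stop the
        others from being logged out."""
        failed = []
        for wwwroot, sp in list(self.children.get(username, {}).items()):
            if not do_kill:
                continue                    # the TODO: the child session silently survives
            try:
                if not sp.kill_child(username, useragent):
                    log.info("%s had no session for %s", wwwroot, username)
            except ConnectionError as exc:
                log.warning("kill_child failed: %s", exc)
                failed.append(wwwroot)
        self.children.pop(username, None)
        return failed

    def logout(self, username, useragent, fixed=True):
        """IdP logout: the local session is gone, now kill the children."""
        return self.kill_children(username, useragent, do_kill=fixed)


def replicate_report(fixed):
    """Replays steps 1-6 of the report: roam to Moodle, log out of the IdP in a
    second tab, then check whether the Moodle session is still alive.
    Returns True when the SP session survived (the reported 'Actual result')."""
    idp = IdentityProvider()
    moodle = ServiceProvider("https://moodle.example.test")    # constructed wwwroot
    idp.roam_to("alice", moodle, "sess-1")
    idp.logout("alice", "ua-hash-1", fixed=fixed)
    return moodle.is_logged_in("alice")


if __name__ == "__main__":
    print("defective IdP leaves the Moodle session alive:", replicate_report(fixed=False))
    print("fixed IdP leaves the Moodle session alive:", replicate_report(fixed=True))
```

Step 6 of the report is the check to keep in a regression test: after the IdP logout, every SP the user roamed to must report no session for that user. The failed-wwwroot list is the design choice worth copying; an SP that times out is logged and reported rather than aborting the loop, because silently leaving the other SP sessions alive is exactly the condition the report describes.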