Single logout breaks with multiple sessions

Right now, single logout will assemble a list of recent ServiceTickets for the current user which it then invalidates one-by-one. It uses the extremely basic check to only look at tickets created for the user since last login:

django-mama-cas/mama_cas/models.py

Lines 207 to 218 in 03935d9

    
               def request_sign_out(self, user): 
        
                   """ 
        
                   Send a single logout request to each service accessed by a 
        
                   specified user. This is called at logout when single logout 
        
                   is enabled. 
        
                   If requests-futures is installed, asynchronous requests will 
        
                   be sent. Otherwise, synchronous requests will be sent. 
        
                   """ 
        
                   session = Session() 
        
                   for ticket in self.filter(user=user, consumed__gte=user.last_login): 
        
                       ticket.request_sign_out(session=session)

This logic breaks as soon as the user signs in from two devices or browsers. When signing in to the second device, the user irreversibly overwrites their last login timestamp. Even if the session based on the first ticket signs out it will only invalidate the second ticket, because the first one was issued before the last login.

This seems like really bad behaviour from mama_cas, as it's quite to likely to miss tickets to invalidate, making the logout process unreliable.

In our application we have adjusted the signout logic as follows:

We use a maximum session lifetime of a few hours for all service sessions created by tickets
When logging out, we search for all the tickets:
- that belong to the user signing out
- that were issued within the (largest) maximum session lifetime

This ensures that all "child" sessions for this user have either been captured because they were from within the last few hours, or we are sure they have expired at the service because their lifetime is limited.

I just discovered the same behavior and agree with @beheh that current behavior is quite bad.

Hi @beheh, sorry for the late reply.

The idea of checking all user valid tickets looks great, would you like to create a PR o share the relevant code here?

	def request_sign_out(self, user):
	"""
	Send a single logout request to each service accessed by a
	specified user. This is called at logout when single logout
	is enabled.

	If requests-futures is installed, asynchronous requests will
	be sent. Otherwise, synchronous requests will be sent.
	"""
	session = Session()
	for ticket in self.filter(user=user, consumed__gte=user.last_login):
	ticket.request_sign_out(session=session)