SAML logout flow does not remove SSO cookie
Concerned version
Version: 2.0.6
Platform: Nginx + FastCGI + SAML
Summary
When doing a front-channel SAML logout with the HTTP-Redirect flow, the SSO Cookie is not removed.
The session itself is correctly terminated, so the stale SSO cookie will be rejected the next time the user interacts with the portal; but because the cookie is still present in the browser, the user is shown a "session expired" message even though they logged out correctly.
This is caused by the SAML issuer building the redirect response by hand and discarding any response headers set earlier in the logout flow, such as the Set-Cookie header that would expire the SSO cookie:
# Send response depending on request method
# HTTP-REDIRECT
if ( $method == Lasso::Constants::HTTP_METHOD_REDIRECT ) {
# Redirect user to response URL
my $slo_url = $logout->msg_url;
return [ 302, [ Location => $slo_url ], [] ];
}
POST logout is affected as well; it seems the changes to the $req object are lost right after:
$self->p->do( $req, [ @{ $self->p->beforeLogout }, 'deleteSession' ] );
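The following is an added illustration of the failure mode described above for both the HTTP-Redirect branch and the POST case, not code from LemonLDAP::NG. It models the logout flow with a hypothetical request object (a plain hash whose respHeaders list stands in for whatever the real $req carries), a delete_session step that queues an expiring Set-Cookie for an assumed cookie name "lemonldap", and two redirect handlers: one that rebuilds the PSGI header list from scratch as in the quoted code, and one that carries the queued headers through. The SLO URL is a constructed placeholder. It uses only core Perl.

```perl
#!/usr/bin/env perl
# Added example (not LemonLDAP::NG code): a hand-built PSGI redirect drops
# the headers queued earlier in the logout flow; merging them fixes it.
use strict;
use warnings;

# Hypothetical request object: accumulates response headers set by earlier
# steps of the flow (an assumption about how the real $req behaves).
sub new_request {
    return { respHeaders => [] };
}

# Stand-in for the 'deleteSession' step: queues a Set-Cookie that expires the
# SSO cookie. Cookie name and attributes are assumptions for this example.
sub delete_session {
    my ($req) = @_;
    push @{ $req->{respHeaders} },
        'Set-Cookie' => 'lemonldap=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure';
    return $req;
}

# Behaviour reported in the issue: a fresh header list is built, so anything
# queued on $req (the Set-Cookie above) never reaches the browser.
sub redirect_buggy {
    my ($req, $slo_url) = @_;
    return [ 302, [ Location => $slo_url ], [] ];
}

# Corrected behaviour: keep the queued headers and append the redirect.
sub redirect_fixed {
    my ($req, $slo_url) = @_;
    return [ 302, [ @{ $req->{respHeaders} }, Location => $slo_url ], [] ];
}

# Check whether a PSGI response carries a Set-Cookie that clears $cookie_name.
# Headers are a flat key/value list, so walk them two at a time.
sub clears_sso_cookie {
    my ($res, $cookie_name) = @_;
    my @h = @{ $res->[1] };
    while (my ($k, $v) = splice @h, 0, 2) {
        return 1
            if lc $k eq 'set-cookie'
            && $v =~ /^\Q$cookie_name\E=;/
            && $v =~ /Expires=Thu, 01 Jan 1970/i;
    }
    return 0;
}

# Constructed SLO URL; the query string is a dummy value, not a real message.
my $slo_url = 'https://idp.example.com/saml/singleLogout?SAMLResponse=ZHVtbXk%3D';

for my $handler ( [ buggy => \&redirect_buggy ], [ fixed => \&redirect_fixed ] ) {
    my ( $name, $code ) = @$handler;
    my $req = delete_session( new_request() );
    my $res = $code->( $req, $slo_url );
    printf "%-5s status=%d  SSO cookie cleared: %s\n",
        $name, $res->[0], clears_sso_cookie( $res, 'lemonldap' ) ? 'yes' : 'NO';
}
```

The same clears_sso_cookie check is a useful acceptance test for a fix: run the real logout with the HTTP-Redirect and POST bindings and assert that the final response, whichever branch produced it, still carries the cookie-expiring Set-Cookie header rather than only relying on server-side session deletion.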