
Bug 444519

Summary: Centralized logout process
Product: Community
Reporter: Denis Roy <denis.roy>
Component: Website
Assignee: Christopher Guindon <chris.guindon>
Status: CLOSED MOVED
QA Contact:
Severity: enhancement
Priority: P3
CC: chris.guindon, david_williams, eric.poirier
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All
Whiteboard:
Bug Depends on:
Bug Blocks: 298467, 411348

Description Denis Roy CLA 2014-09-18 13:32:02 EDT
After some testing, we realized invalidating sessions for all our sites (Bugzilla, Forums...) from a cookie perspective would be complicated since dev.eclipse.org (and www) cannot override cookie data in different paths/subdomains.  This is a good thing.

One thing we considered is to use SQL to remove the user's session information in the Bugzilla, Forums and Gerrit tables.  This will effectively log users out, but it will log them out from every computer they may be logged into.  From dev.eclipse.org (or eclipse.org) we can't read the individual cookie values for each site.

delete from forum.sessions where email = "joe@eclipse.org";
delete from gerrit.sessions where email = "joe@eclipse.org";
delete from bugs.sessions where email = "joe@eclipse.org";

For now, we can do two things:

- the logout page (dev.eclipse.org/site_login/logout.php) will tell you that you need to log out from Bugzilla, Gerrit and Forums (and perhaps increase the auto-refresh delay a bit).

- if possible, hitting "log out" from forums, wiki and others could redirect to dev.eclipse.org/site_login/logout.php to invalidate more sessions than just the forums or wiki.
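An added example, not code from the bug report or from Eclipse's infrastructure, that carries the SQL-based approach above through in working form: a central logout routine that deletes every session row for the user's email in the forum, gerrit and bugs session tables inside a single transaction. It uses sqlite3 with three attached in-memory databases so the page's `forum.sessions`, `gerrit.sessions` and `bugs.sessions` names work unchanged; the table layout (sid, email, user_agent) and the sample rows are constructed for the example, and the real Bugzilla, Forum and Gerrit schemas are assumed to differ.

```python
"""Central logout by deleting server-side sessions (added example, not Eclipse code).

The three site databases are simulated with sqlite3 ATTACH so the table names
match the bug report. The columns and sample data are constructed assumptions.
"""
import sqlite3

# Fixed list of site schemas; only these names are ever interpolated into SQL.
SITES = ("forum", "gerrit", "bugs")


def open_db():
    """Create one in-memory connection with a `<site>.sessions` table per site."""
    conn = sqlite3.connect(":memory:")
    for site in SITES:
        conn.execute(f"ATTACH DATABASE ':memory:' AS {site}")
        conn.execute(
            f"CREATE TABLE {site}.sessions ("
            "sid TEXT PRIMARY KEY, email TEXT NOT NULL, user_agent TEXT)"
        )
    return conn


def seed(conn):
    """Constructed sample: joe is logged in on two machines on the forums,
    one machine on gerrit and bugs; ann has one session on bugs."""
    rows = {
        "forum": [("f1", "joe@eclipse.org", "laptop"),
                  ("f2", "joe@eclipse.org", "desktop")],
        "gerrit": [("g1", "joe@eclipse.org", "laptop")],
        "bugs": [("b1", "joe@eclipse.org", "laptop"),
                 ("b2", "ann@eclipse.org", "laptop")],
    }
    for site, site_rows in rows.items():
        conn.executemany(f"INSERT INTO {site}.sessions VALUES (?, ?, ?)", site_rows)
    conn.commit()


def logout_everywhere(conn, email):
    """Delete every session for `email` in each site's table.

    Runs as one transaction: either all sites are logged out or none are.
    Because the central site cannot read the per-site session cookies, it
    cannot target one device; every session for the email goes, which is the
    side effect the bug report points out. Returns rows deleted per site.
    """
    deleted = {}
    with conn:  # commits on success, rolls back if any DELETE fails
        for site in SITES:
            cur = conn.execute(
                f"DELETE FROM {site}.sessions WHERE email = ?", (email,)
            )
            deleted[site] = cur.rowcount
    return deleted


def active_sessions(conn, email):
    """Session ids still present for `email`, per site (for inspection)."""
    return {
        site: [row[0] for row in conn.execute(
            f"SELECT sid FROM {site}.sessions WHERE email = ? ORDER BY sid",
            (email,))]
        for site in SITES
    }


if __name__ == "__main__":
    db = open_db()
    seed(db)
    print("before:", active_sessions(db, "joe@eclipse.org"))
    print("deleted:", logout_everywhere(db, "joe@eclipse.org"))
    print("after:", active_sessions(db, "joe@eclipse.org"))
```

The email is bound as a parameter rather than spliced into the statement as in the hand-typed queries above, and the schema names come only from the fixed `SITES` tuple, so nothing user-controlled reaches the SQL text. Note that other users' sessions (ann's `b2`) are untouched, while every one of joe's sessions is removed, including the one on the desktop he did not log out from.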
Comment 1 Denis Roy CLA 2016-09-08 08:38:15 EDT
cc'ing the web dev team here, in case they have ideas.

Nothing urgent, mind you.
Comment 2 Christopher Guindon CLA 2016-09-08 09:43:17 EDT
This problem is coming to our Drupal too with the implementation of OpenID Connect.

I am currently planning to do the following for our Drupal sites:

After the user's login on the server or logout on any of the network sites,
the current site starts a redirect chain that visits the SSO script of each site in the network.

The SSO script then sets a cookie notifying the parent site of the pending login / logout.

When the user visits the actual site, the cookie is read, and the user logged in / out automatically.
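An added example, not part of the comment and not Eclipse's Drupal code, that simulates the redirect-chain logout described above for a three-site network. The site origins, the cookie name and the query parameters are constructed; the comment's later "security reasons" are not spelled out on the page, and one obvious risk of a chain driven by a `next` parameter is an open redirect, so the example refuses any hop that is not in the fixed network list. A normal page load afterwards reads the pending-logout cookie and ends that site's session.

```python
"""Simulation of a redirect-chain SSO logout (added example, not Eclipse code).

Names, URLs and cookie layout are constructed assumptions for the example.
Only logout is modelled; login would need the SSO identity on top of this.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# The closed list of sites in the network; every hop is checked against it.
NETWORK = [
    "https://www.example.org",
    "https://forums.example.org",
    "https://wiki.example.org",
]
PENDING_COOKIE = "sso_pending"


class Browser:
    """Per-site cookie jars plus each site's server-side login state."""

    def __init__(self):
        self.cookies = {site: {} for site in NETWORK}
        self.sessions = {site: None for site in NETWORK}  # logged-in user per site
        self.trace = []  # SSO endpoints visited, in order


def sso_url(site, remaining):
    """URL of a site's SSO script carrying the rest of the chain."""
    return f"{site}/sso?" + urlencode({"action": "logout", "next": ",".join(remaining)})


def start_chain(origin):
    """The site where the user logged out builds the first hop to the other sites."""
    others = [s for s in NETWORK if s != origin]
    return sso_url(others[0], others[1:])


def sso_endpoint(browser, url):
    """One hop: validate the request, set the pending cookie, return the next URL
    (None when the chain is complete)."""
    parsed = urlparse(url)
    site = f"{parsed.scheme}://{parsed.netloc}"
    if site not in NETWORK:
        raise ValueError(f"refusing hop to site outside the network: {site}")
    query = parse_qs(parsed.query)
    if query.get("action", [""])[0] != "logout":
        raise ValueError("unsupported action")
    remaining = [s for s in query.get("next", [""])[0].split(",") if s]
    for nxt in remaining:
        if nxt not in NETWORK:  # open-redirect guard: never follow an unknown `next`
            raise ValueError(f"refusing redirect to unknown site: {nxt}")
    browser.cookies[site][PENDING_COOKIE] = "logout"
    browser.trace.append(site)
    return sso_url(remaining[0], remaining[1:]) if remaining else None


def logout_from(browser, origin):
    """Log out at `origin` and drive the whole chain as a browser following 302s would."""
    browser.sessions[origin] = None
    url = start_chain(origin)
    while url is not None:
        url = sso_endpoint(browser, url)


def visit(browser, site):
    """A normal page load: apply and clear any pending logout left by the chain."""
    if browser.cookies[site].pop(PENDING_COOKIE, None) == "logout":
        browser.sessions[site] = None
    return browser.sessions[site]


if __name__ == "__main__":
    b = Browser()
    for s in NETWORK:
        b.sessions[s] = "joe@eclipse.org"
    logout_from(b, "https://forums.example.org")
    print("chain visited:", b.trace)
    print("www still logged in server-side:", b.sessions["https://www.example.org"])
    print("www after next visit:", visit(b, "https://www.example.org"))
```

The simulation makes one property of the design visible: after the chain runs, the other sites' server-side sessions are still live until the user next loads a page there, because the chain only plants a cookie in the browser. Deleting the session rows directly, as in the description, invalidates them immediately and from every browser, which is why the SQL approach is the stronger logout even though it cannot be scoped to one device.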
Comment 3 Christopher Guindon CLA 2019-02-19 16:22:20 EST
*** Bug 544100 has been marked as a duplicate of this bug. ***
Comment 4 Christopher Guindon CLA 2019-02-19 16:22:36 EST
(In reply to Christopher Guindon from comment #2)
> This problem is coming to our Drupal too with the implementation of OpenID
> Connect.
> 
> I am currently planning to do the following for our Drupal sites:
> 
> After the user's login on the server or logout on any of the network sites,
> the current site starts a redirect chain that visits the SSO script of each
> site in the network.
> 
> The SSO script then sets a cookie notifying the parent site of the pending
> login / logout.
> 
> When the user visits the actual site, the cookie is read, and the user
> logged in / out automatically.

I decided not to implement the redirect chain for security reasons.

+1 for implementing Denis' solution to delete sessions via SQL.
Comment 5 Frederic Gurr CLA 2021-12-23 06:32:21 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/185.