More secure logout redirection

erik · May 14, 2015, 2:37am

I want the user’s session in my SSO provider to be killed when a user clicks ‘Log Out’, but the current logout redirection feature doesn’t quite fit the bill because I have no way of knowing if the ensuing GET to the logout page was intentional or the result of a low-effort CSRF. (I do consider drive-by logouts from my provider to be a security problem.)

From the perspective of the SSO provider (on the server), I want to authenticate that the user has deliberately ended their Discourse session.

There are two approaches that come to mind:

Add a SSO Secret-signed bearer proof to the URL the user is redirected to.
Allow the SSO provider to query Discourse for the liveness of the user’s session.

My instinct is that the first approach is complicated to get right.

The second might be really easy, depending on how Discourse stores sessions. (I haven’t looked.) Ideally, I could just hit an (authenticated) admin API endpoint with the nonce from the login and find out of the session created from that nonce is alive.

Peter_Backgren · November 15, 2015, 2:04pm

The first approach is the one that “feels” right though.

Like, if you get the “user id” you provided during first signup back using the SSO Secret you don’t need much more.

sam · November 15, 2015, 7:19pm

we would need to use an OTP + user id encrypted using sso key to get this done that way

I am not against it but lots of work

An “is logged in” is much easier to solve especially if “log out strict” is on

Peter_Backgren · November 19, 2015, 1:55pm

Or you could let the sso provider take the responsibility?

When logging in you also get a ,logouturl=http://mysso/logout.aspx?mypayload=xyz in the sso package.

It’s then up to the provider to decide how he want’s it implemented.

If non-secure a userid in his return url could suffice for him
logouturl=http://mysso/logout.aspx?uid=46732

If encrypted wityh the same secret it could be
logouturl=http://mysso/logout.aspx?sso=xxxxxxx

and up to him if there is a userid or perhaps even login datetime information. But he has already encrypted the sso part when giving it to you so he could even use another secret if he wants. You just return using what was given. I don’t even think there would be a reason to add some expiry datetime info in your direction, just return the stuff if you can catch the logout.

sam · November 19, 2015, 10:33pm

The point here is avoiding replay attacks somehow… just encrypting will allow “hackers” to replay a logout.

Peter_Backgren · November 23, 2015, 11:16am

Replaying a logout is more of a nuisance than anything else. Letting the sso provider take the responsibility also meant possible security measures would be taken at that end, at their option.
But ok, why give any possibilities.

Topic		Replies	Views
How to sync logout with SSO or Browser session? support	3	1636	September 8, 2020
Is there a way to set session expiration after a set length of time? feature	23	7426	April 5, 2017
How to fully logout user session plus clear oauth data sso oauth2	0	763	April 20, 2023
Issues using SSO in custom web app dev	10	1306	January 9, 2018
Discourse SSO using auth0 via URL sso	5	3368	November 12, 2018

More secure logout redirection

Related Topics