From 4a781b21db10f82e35b9945109b5f4d41ad0e8c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ale=C5=A1=20Smodi=C5=A1?=
Date: Thu, 15 Oct 2015 18:46:54 +0200
Subject: Server-side support for SAML logout, sessions are destroyed only using an AJAX call.
---
server/handlers.py | 13 +++++++++++--
server/user_session.py | 15 +++++++++++++++
2 files changed, 26 insertions(+), 2 deletions(-)
(limited to 'server')
diff --git a/server/handlers.py b/server/handlers.py
index 5df7161..42f53b4 100644
--- a/server/handlers.py
+++ b/server/handlers.py
@@ -27,6 +27,12 @@ class CreateSession(CodeqService):
 request.reply({'code': 0, 'message': 'OK', 'sid': server.user_session.UserSession().get_sid()})
+class DestroySession(CodeqService):
+ def process(self, request):
+ request.session.destroy()
+ request.reply({'code': 0, 'message': 'OK'})
+
+
 class Login(CodeqService):
 """Logs in a client, authenticating the session. """
@@ -48,9 +54,10 @@ class Login(CodeqService):
 settings = session.get_settings()
 request.reply({'code': 0, 'message': 'OK', 'name': name, 'email' : email, 'joined' : date_joined.isoformat(), 'last-login' : last_login.isoformat(), 'settings': settings})
+
 class Logout(CodeqService):
 def process(self, request):
- request.session.destroy()
+ request.session.logout()
 request.reply({'code': 0, 'message': 'OK'})
@@ -302,6 +309,7 @@ class SamlLogin(CodeqService):
 # maps actions to their handlers
 incoming_handlers = {
 'create_session': CreateSession(),
+ 'destroy_session': DestroySession(),
 'login': Login(),
 'signup': Signup(),
 'change_password': ChangePassword(),
@@ -318,7 +326,8 @@ incoming_handlers = {
 'load_problem': LoadProblem(),
 'end_problem': EndProblem(),
 'user_stat': GetUserStat(),
- 'saml_login': SamlLogin()
+ 'saml_login': SamlLogin(),
+ 'saml_logout': Logout()
 }
diff --git a/server/user_session.py b/server/user_session.py
index 739da9a..dbf886c 100644
--- a/server/user_session.py
+++ b/server/user_session.py
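Review bot: Logout now calls `request.session.logout()` instead of `destroy()`, so the session survives logout under its original sid, and whether that sid is ever retired depends on the client following up with the new destroy_session action. That sid was the bearer credential of an authenticated user; a client that never sends destroy_session, or anyone who captured the sid earlier, keeps a live anonymous session that a later Login would re-authenticate unless Login rotates the sid, which is not visible here (Login's body starts above this hunk). Either rotate the sid as part of logging out, or state the contract on the handler so nobody assumes the old destroy semantics, e.g. `"""Logs the user out but keeps the session alive as anonymous under the same sid; the client is expected to send destroy_session afterwards."""`.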
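Review bot: `'saml_logout': Logout()` routes a SAML logout through the plain Logout handler, which only clears the local session and never sees a LogoutRequest, so nothing on the server verifies that the logout came from the IdP (signature, issuer, NameID or SessionIndex matching the session) or answers with a LogoutResponse. If the SAML message is validated on the client, a forged request is at worst a self-inflicted logout, but if the server is meant to take part in single logout the request has to be parsed and validated here, presumably the way SamlLogin (defined above this hunk) handles the Response. At minimum record the assumption next to the entry: `# saml_logout only clears the local session; validation of the SAML LogoutRequest and the LogoutResponse happen elsewhere`.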
@@ -154,6 +154,21 @@ class UserSession(object):
 pass
 db.return_connection(conn)
+ def logout(self):
+ """Logs out the session, rendering it anonymous."""
+ with self._access_lock:
+ lang_session = self._lang_session
+ self._lang_session = None
+ uid = self.uid
+ sid = self.sid
+ username = self.username
+ self.uid = None
+ self.username = None
+ self.settings = {}
+ if lang_session is not None: # do not handle the language session holding the lock: we may deadlock if the callee calls the caller
+ lang_session.destroy()
+ logging.debug('User session logged out: username={0}, uid={1}, sid={2}'.format(username, uid, sid))
+
 def destroy(self):
 """Destroys the session."""
 with module_access_lock:
-- cgit v1.2.1
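Review bot: logout() resets only uid, username and settings and, unlike destroy(), never touches module_access_lock, so the session object stays registered under its existing sid; "rendering it anonymous" in the docstring overstates this, since any other per-user attribute of UserSession (the class header and its constructor are above this hunk) is left populated and the sid remains a valid token that the next login will re-authenticate. If UserSession can issue a fresh sid, do that here; otherwise state the limitation: `"""Logs out the session: drops uid, username, settings and the language session, but keeps the sid valid as an anonymous session."""`. The debug line also writes the username into the log; uid and sid alone give the same diagnostic value without the PII, e.g. `logging.debug('User session logged out: uid={0}, sid={1}'.format(uid, sid))`. Releasing `_access_lock` before `lang_session.destroy()` is the right call given the deadlock note.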