reset_session

Added by Nils Caspar about 11 years ago

I'm currently implementing our CAS-based Single Sign-On in our Redmine installation using brandonaaron/redmine_rubycas.
CAS knows something called Single Logout (or Single Sign-Out): When you log out of the SSO, all sessions on all client applications are destroyed as well.
For this to work, the session must be stored in a database (it's all documented in the official RubyCAS client documentation). This can be achieved using my redmine_activerecord_session_store plugin.

But... Redmine resets the session after the successful login. RubyCAS client later fails to find the original session for the logout request, as the session_id changed. The problem is this line here: http://www.redmine.org/projects/redmine/repository/entry/trunk/app/controllers/application_controller.rb#L148
Now I wonder: Why is this even done? Is there a need to call `reset_session` after a successful login? Could it be changed?
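The session-fixation reason behind a post-login `reset_session`, and the single-logout breakage the post describes, as an added Ruby simulation; this is not Redmine's or rubycas-client's code, and the in-memory `SessionStore`, the ticket-to-session index, and the rebind step are assumptions made for the illustration:

```ruby
require 'securerandom'
# Added illustration (not Redmine or rubycas-client code): an in-memory stand-in for the
# database-backed session table the post describes, keyed by session_id.
class SessionStore
  def initialize; @rows = {}; end
  def read(sid); @rows[sid]; end
  def write(sid, data); @rows[sid] = data; end
  def delete(sid); @rows.delete(sid); end
  # Mimics reset_session: drop the old row and issue a fresh, unpredictable id.
  def reset(old_sid)
    delete(old_sid)
    SecureRandom.hex(16).tap { |sid| write(sid, {}) }
  end
end
# Login that keeps the pre-login session id: whatever id the client presented
# before authenticating (possibly chosen by someone else) becomes the authenticated one.
def login_keep_id(store, cas_index, sid, ticket, user_id)
  cas_index[ticket] = sid
  store.write(sid, (store.read(sid) || {}).merge('user_id' => user_id))
  sid
end

# Login that regenerates the id (session-fixation defence). The hypothetical CAS
# ticket => session_id index is written before the reset, as the post describes; with
# rebind: false it keeps pointing at the dead id, which is the single-logout failure.
def login_with_reset(store, cas_index, sid, ticket, user_id, rebind: true)
  cas_index[ticket] = sid
  new_sid = store.reset(sid)
  store.write(new_sid, 'user_id' => user_id)
  cas_index[ticket] = new_sid if rebind
  new_sid
end

# Single logout: the CAS server names only the ticket, so the client must map it to a
# session that still exists. Returns true only when a session was actually destroyed.
def single_logout(store, cas_index, ticket)
  sid = cas_index.delete(ticket)
  return false unless sid && store.read(sid)
  store.delete(sid)
  true
end
# Run one login strategy against a constructed pre-login id and report what happened.
def fixation_check(login)
  store, index, pre_sid = SessionStore.new, {}, 'id-known-before-login'
  store.write(pre_sid, {})
  auth_sid = login.call(store, index, pre_sid, 'ST-constructed-ticket', 42)
  { pre_login_id_authenticated: !!store.read(pre_sid)&.dig('user_id'),
    single_logout_ok: single_logout(store, index, 'ST-constructed-ticket'),
    session_gone_after_logout: store.read(auth_sid).nil? }
end
```

Running `fixation_check` with each strategy shows the trade-off: keeping the id makes single logout work but leaves the pre-login id authenticated, resetting without re-binding breaks single logout, and resetting plus re-binding the ticket to the new id gives both properties.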