View Issue Details

ID: 0004468
Project: SOGo
Category: GUI
View Status: public
Last Update: 2019-02-01 15:37
Reporter: vbonamy
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: CentOS Linux
OS Version: 7.4
Product Version: 3.2.10
Fixed in Version: 4.0.6
Summary: 0004468: CAS Authentication - CAS Session expiration handling with SOGo V3 - CORS
Description

Troubles with SOGo's handling of CAS session expiration.

Adding some configurations on CAS server to handle Cross-origin resource sharing (CORS) allows us to have a better behavior, but that's not perfect yet.

See below.

Steps To Reproduce

Use a SOGo v3 with a CAS Authentication.
You authenticate on SOGo Web UI (via CAS login).
You click on a mail, all is ok.
Now, log out of the CAS directly via another tab of your browser: https://cas.my-univ.fr/logout
Wait or click on another mail in the SOGo Web UI.

-> an infinite loop of HTTP ajax requests occurs (on CAS and SOGo) ... and the browser doesn't detect it!

In the console of your browser you can see logs scrolling like this:
"""
Failed to load https://cas.my-univ.fr/login?service=https%3A%2F%2Fsogo.my-univ.fr%2FSOGo%2Fso%2Findex: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://sogo.my-univ.fr' is therefore not allowed access.
"""
-> to handle CORS, we add on the HTTPD of the CAS server configurations like this:
SetEnvIf Origin "https://sogo.my-univ.fr" FROM_SOGO
Header add Access-Control-Allow-Origin "https://sogo.my-univ.fr" env=FROM_SOGO
Header add Access-Control-Allow-Headers "Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Headers,Access-Control-Request-Method,Connection,Host,Origin,User-Agent,Content-Type" env=FROM_SOGO

With this, it works better - no more infinite loop, and the CAS login form is displayed to the user ... but after logging in, regularly, you are not redirected to a SOGo web HTML page but to a SOGo web JS page like https://sogo.my-univ.fr/SOGo/so/toto/Mail/0/folderINBOX/expunge . This page displays things like:
{"quotas": {"maxQuota": "10731520", "usedSpace": "3865663"}} in the browser of the user :-(

Tags: No tags attached.

Activities

vbonamy   2018-10-18 06:42   reporter   ~0013117

Same problem with SOGo v4 (I just tested with 4.0.3).

The workaround of handling CORS on the CAS server does not work very well ... and can actually cause an infinite loop on the CAS server, so I removed the httpd configuration for this on the CAS server.

Because of this problem, we continue to use SOGo in version 2 here.

vbonamy   2018-10-22 13:26   reporter   ~0013122

To avoid the infinite loop I added this JavaScript (thanks to SOGoUIAdditionalJSFiles):

document.addEventListener("DOMContentLoaded", function() {

  // Hack for https://sogo.nu/bugs/view.php?id=4468
  // Watch for the element SOGo inserts when it tries to recover the session;
  // when its src points at /recover, go back to the root instead of looping.
  var observer = new MutationObserver(function (mutations, me) {
    // console.log(mutations);
    try {
      if (mutations[0].addedNodes[0].src.endsWith('/recover')) {
        window.location = '/';
        me.disconnect(); // stop observing
      }
    } catch (e) {
      // added node has no src (text node, element without src): ignore
    }
  });

  // start observing direct children added to <body>
  observer.observe(document.body, {
    childList: true
  });

});

wix   2019-01-16 07:53   reporter   ~0013260   (Last edited: 2019-01-16 07:55)

Hello,

I have the same issue with SOGo 4.0.5.

For me this problem is not only related to the logout of the CAS, but also happens randomly.

I fixed it with this rule in my ProxyPass configuration:
ProxyPassMatch "^/SOGo/so/(.*)/recover" "!"
RedirectMatch "^/SOGo/so/(.*)/recover(.*)" "https://webmail.domain.fr/SOGo/"

But I think it's not a good solution.

Thank you for checking. This problem has existed since 2011 (https://lists.inverse.ca/sogo/arc/users/2011-07/msg00058.html).

William

francis   2019-01-22 14:52   administrator   ~0013270

If one of you can provide me a temporary account on their system, I could more easily reproduce and fix the problem. Thanks. Contact me in private.

wix   2019-01-23 14:25   reporter   ~0013271

I have a ticket open on inverse.ca/mantis/.
I will give access via this tracker as soon as it is ready (the test area is not related to production).

Thanks

francis   2019-01-24 12:30   administrator   ~0013273

Please try the next nightly build and let me know if it fixes the problem. Make sure to empty your browser's cache.

vbonamy   2019-01-24 13:45   reporter   ~0013278

Thank you.

Our testing SOGo v4 contains this modification (== https://github.com/inverse-inc/sogo/tree/master ) now.

I had to handle CORS on the CAS server:
SetEnvIf Origin "https://sogo-rwd.univ-rouen.fr" FROM_SOGO_RWD
Header add Access-Control-Allow-Origin "https://sogo-rwd.univ-rouen.fr" env=FROM_SOGO_RWD
Header add Access-Control-Allow-Headers "Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Headers,Access-Control-Request-Method,Connection,Host,Origin,User-Agent,Content-Type" env=FROM_SOGO_RWD

And with that, there is no infinite redirection loop after CAS logout: if you don't handle CORS on CAS with HTTP headers, there is still an infinite loop because getting the CAS URL from the ajax call fails [js exception], and so I think $window.attempted is never set to true.

The problem is that after reauthentication, the page that is displayed can sometimes be a JavaScript page with the quota as JSON (expunge URL).

I send you video by mail.

Thank you.
Vincent.
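Added illustration of the flag-ordering problem the comment above describes (example code written for this page, not SOGo's own; the `state` object, `getCasUrl` callback and action strings are constructed stand-ins for `$window.attempted` and the AJAX call that fetches the CAS URL):

```javascript
// Constructed model: `state` stands in for $window, `getCasUrl` for the AJAX
// call that fetches the CAS login URL and may throw (e.g. when the browser
// blocks the cross-origin response), and the returned string is the action
// the page would take next.

// Naive guard, as described in the report: the flag is only set after the
// AJAX call succeeds, so a thrown exception leaves it unset and every
// expired-session response triggers yet another attempt.
function naiveReauth(state, getCasUrl) {
  if (state.attempted) return 'show-login-error';
  try {
    var url = getCasUrl();       // throws on the CORS failure
    state.attempted = true;
    return 'redirect:' + url;
  } catch (e) {
    return 'retry';              // flag never set -> caller retries forever
  }
}

// Guarded version: record the attempt before anything that can throw, and
// cap attempts per page load so a failing CAS call stays bounded.
function guardedReauth(state, getCasUrl, maxAttempts) {
  state.attempts = (state.attempts || 0) + 1;
  if (state.attempts > (maxAttempts || 1)) return 'show-login-error';
  try {
    return 'redirect:' + getCasUrl();
  } catch (e) {
    return 'show-login-error';   // surface the failure instead of looping
  }
}

// Drive a handler until it stops asking for a retry, giving up after `limit`
// iterations (a real page has no such limit); returns the call count.
function countAttempts(handler, state, getCasUrl, limit) {
  var n = 0, action;
  do {
    action = handler(state, getCasUrl);
    n++;
  } while (action === 'retry' && n < limit);
  return { calls: n, last: action };
}

// Constructed CAS stand-ins: one that fails like the blocked CORS request,
// one that succeeds.
var failingCas = function () { throw new Error('No Access-Control-Allow-Origin header'); };
var workingCas = function () { return 'https://cas.example.invalid/login'; };
```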

wix   2019-02-01 14:00   reporter   ~0013308

Hi Vincent,

The latest commit fixed the problem for me (sogo-4.0.5.20190201).
From what Francis explained to me via paid support, there is no need to handle CORS; the application takes care of it in the code.

William

Related Changesets

sogo: master 9596ac2a   2019-01-22 15:34   francis
(js) Improve CAS handling

Fixes 0004468
Affected Issues: 0004468
mod - NEWS
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 5cac6696   2019-01-22 18:27   francis
(js) Improve CAS handling

Fixes 0004468
Affected Issues: 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 3c60e2a7   2019-01-24 13:12   francis
(js) Improve CAS handling

Fixes 0004468
Affected Issues: 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master c13c01ff   2019-01-30 15:55   francis
(js) Improve CAS handling

Fixes 0004468
Affected Issues: 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 368c13d6   2019-01-31 11:12   francis
(js) Improve CAS handling

Fixes 0004468
Affected Issues: 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

Issue History

Date Modified Username Field Change
2018-05-16 15:13 vbonamy New Issue
2018-10-18 06:42 vbonamy Note Added: 0013117
2018-10-22 13:26 vbonamy Note Added: 0013122
2019-01-16 07:53 wix Note Added: 0013260
2019-01-16 07:55 wix Note Edited: 0013260
2019-01-22 14:52 francis Note Added: 0013270
2019-01-23 14:25 wix Note Added: 0013271
2019-01-24 12:26 francis Changeset attached => sogo master 9596ac2a
2019-01-24 12:26 francis Assigned To => francis
2019-01-24 12:26 francis Resolution open => fixed
2019-01-24 12:30 francis Note Added: 0013273
2019-01-24 13:45 vbonamy Note Added: 0013278
2019-01-24 16:24 francis Changeset attached => sogo master 5cac6696
2019-01-24 18:12 francis Changeset attached => sogo master 3c60e2a7
2019-01-30 20:56 francis Changeset attached => sogo master c13c01ff
2019-01-31 16:12 francis Changeset attached => sogo master 368c13d6
2019-02-01 14:00 wix Note Added: 0013308
2019-02-01 15:37 francis Status new => resolved
2019-02-01 15:37 francis Fixed in Version => 4.0.6