moodle-auth_saml2
LMS (Totara) creates Session Cookie but fails to remove
This issue has been observed in Totara
In cases such as where set_moodle_cookie($USER->username); is called (see line below)
https://github.com/catalyst/moodle-auth_saml2/blob/c35ea2c28b7fa7039da07bab45c63094e0fe1c26/auth.php#L533
However, the unset is not called here:
https://github.com/catalyst/moodle-auth_saml2/blob/master/auth.php#L643
This creates an issue with users logging out - the LMS prepopulates the username fields due to the session handling.
This is fixed by adding:
set_moodle_cookie('');
below https://github.com/catalyst/moodle-auth_saml2/blob/master/auth.php#L643
This would purge the LMS session cookie.
Was a more permanent solution found for this? We are experiencing the same issue but are reluctant to manually edit the file as this would have to be maintained for future upgrades etc.
Not mentioned in the above comment, but it's also causing users not to be able to sign in again until the cookies are manually cleared in the browser.
Otherwise get an infinite loop of redirects between the SP and IDP of requests and responses. As mentioned, the only way to get past this is to clear the cookies for the domain Totara is hosted on.
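An added check, not part of the plugin or of this thread, for confirming whether a logout response really expires the username cookie that `set_moodle_cookie()` manages: it reads the response's `Set-Cookie` headers and lets the last one for that cookie decide. The cookie name `MOODLEID1_` and all sample headers are assumptions constructed for illustration; substitute the name your site actually issues.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "MOODLEID1_"  # assumed name of the username cookie; adjust per site
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the samples

def cookie_cleared(set_cookie_headers, name, now=None):
    """True if the last Set-Cookie for `name` expires it, False if it sets it,
    None if the response never touches it (the browser keeps the old value)."""
    now = now or datetime.now(timezone.utc)
    verdict = None
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        key, _, _value = parts[0].partition("=")
        if key.strip() != name:
            continue
        attrs = {}
        for part in parts[1:]:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
        expired = False
        try:
            if "max-age" in attrs:          # Max-Age wins over Expires
                expired = int(attrs["max-age"]) <= 0
            elif "expires" in attrs:
                when = parsedate_to_datetime(attrs["expires"])
                if when.tzinfo is None:
                    when = when.replace(tzinfo=timezone.utc)
                expired = when <= now
        except (TypeError, ValueError):
            expired = False                 # unparseable: treat as still set
        verdict = expired                   # later headers override earlier
    return verdict

# Constructed samples. Login deletes the old cookie, then sets a new one.
LOGIN = [
    "MOODLEID1_=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/",
    "MOODLEID1_=c2FtcGxl; Max-Age=5184000; path=/",
]
# Logout as reported in this issue: the username cookie is never mentioned.
LOGOUT_REPORTED = ["MoodleSession=deleted; Max-Age=0; path=/"]
# Logout once the cookie is reset with an empty username.
LOGOUT_FIXED = [
    "MoodleSession=deleted; Max-Age=0; path=/",
    "MOODLEID1_=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/",
]

if __name__ == "__main__":
    for label, hdrs in [("login", LOGIN), ("logout (reported)", LOGOUT_REPORTED),
                        ("logout (fixed)", LOGOUT_FIXED)]:
        print(label, "->", cookie_cleared(hdrs, COOKIE, NOW))
```

A result of `None` or `False` on the logout response means the cookie survives logout, which matches the prepopulated username described above.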