cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cookie Deletion in PHP5 on IIS6
There are two things going on. The first is that PHP will reject
setcookie calls that do not specify the same scope as the cookie
being overwritten; in this case, path, expiration, name, value, and
secure flag are all set. The second issue is that changes to the
user's cookies will not be visible to PHP until the next reload. The
following PHP should work for mod_cosign:
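<?php
// mod_cosign exposes the service cookie name as COSIGN_SERVICE
$service = $_SERVER[ 'COSIGN_SERVICE' ];
// expire the cookie, giving the same path and secure flag as the original
setcookie( $service, "null", time()-1, '/', "", 1 );
// PHP stores incoming cookie names with "." replaced by "_" in $_COOKIE
echo( "<br /> cosign-cookie: " . $service . " = "
    . $_COOKIE[ str_replace( ".", "_", $service ) ]);
?>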
and IIS should be able to use:
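<?php
// the IIS filter exposes the service cookie name as HTTP_COSIGN_SERVICE
$service = $_SERVER[ 'HTTP_COSIGN_SERVICE' ];
// expire the cookie, giving the same path and secure flag as the original
setcookie( $service, "null", time()-1, '/', "", 1 );
// PHP stores incoming cookie names with "." replaced by "_" in $_COOKIE
echo( "<br /> cosign-cookie: " . $service . " = "
    . $_COOKIE[ str_replace( ".", "_", $service ) ]);
?>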
Of course, all this script will do is change the service cookie
payload echoed after each page reload. You also need to print a
redirect to the central weblogin server. Here at Michigan that might
be:
<?php
$central_logout = "https://weblogin.umich.edu/cgi-bin/logout";
$service = $_SERVER[ 'COSIGN_SERVICE' ];
// expire the local service cookie
setcookie( $service, "null", time()-1, '/', "", 1 );
/* it's important that there be no output on this page, at least
before this line, so the diagnostic echo is left out here */
header( "Location: $central_logout" );
exit;
?>
I have not tested this on IIS myself, but would be happy to help
debug if anything comes up. I hope this is helpful,
k
On Jul 27, 2005, at 3:49 PM, Christopher Lafty wrote:
Anybody had luck destroying the cosign service cookie with PHP5?
I've been trying all day long and I can't seem to remove it with a
logout page.
Using phpinfo(), I see the cookie as _COOKIE["cosign-xxx_xxx_xxx_xxx"],
but with the web developer toolbar in Firefox, the cookie shows up as
cosign-xxx.xxx.xxx.xxx. I am trying to delete both, but still can't.
<?php
//get service name, contains "."
$service = $_SERVER['HTTP_COSIGN_SERVICE'];
//delete the cookie with "."
setcookie ($service, FALSE, time()-1000);
//put in "_" instead of "."
$service1 = str_replace(".", "_", $service);
setcookie ($service1, FALSE, time()-1000);
//output to see if successful
echo "</br>cosign-cookie:" . $_COOKIE[$service];
echo "</br>cosign-cookie:" . $_COOKIE[$service1];
?>
browser output:
cosign-cookie:
cosign-cookie: XXXXXXXXXXXXXXXXXXXXXXXXXXX ("_" contains the cookie?)
web developer cookie information:
Name: cosign-www.bio.psu.edu
Value: XXXXXXXXXXXXXXXXXXXXXXXXXXX
Host: xxx.xxx.xxx.xxx
Path: /
Secure: No
Expires: At End Of Session
Am I missing something?
Thanks in advance,
Chris
--
Christopher Lafty
Computer Support/Web Site Administrator
Department of Biology
Pennsylvania State University
109 Mueller Lab
University Park, PA 16802
Phone: 814-865-6590
chrislafty@xxxxxxx
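The points raised in this thread, combined into one logout helper as an added example (not code from either poster or from the cosign project): it reads the service name from either server variable, looks the cookie up under PHP's underscore-mangled key, expires it under its on-the-wire name with the same path, and redirects only if no output has been sent. The function names and the weblogin.example.edu URL are assumptions.

```php
<?php
// Added example; function names are hypothetical, not part of cosign.

// mod_cosign sets COSIGN_SERVICE, the IIS filter sets HTTP_COSIGN_SERVICE.
function cosign_service_name(array $server)
{
    foreach (array('COSIGN_SERVICE', 'HTTP_COSIGN_SERVICE') as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return null;
}

// PHP replaces "." and " " in incoming cookie names with "_" when it
// builds $_COOKIE, so the lookup key differs from the name on the wire.
function cosign_cookie_key($service)
{
    return str_replace(array('.', ' '), '_', $service);
}

function cosign_logout(array $server, array $cookies, $central_logout, $secure)
{
    $service = cosign_service_name($server);
    if ($service === null || headers_sent()) {
        return false;   // not a cosign request, or output already started
    }
    if (isset($cookies[cosign_cookie_key($service)])) {
        // Expire under the wire name (with dots) and the path the cookie
        // was issued with ("/" in the thread); $secure is the caller's choice.
        setcookie($service, 'null', time() - 3600, '/', '', $secure);
    }
    header('Location: ' . $central_logout);
    return true;
}

// Constructed usage; replace the placeholder URL with your weblogin server.
if (PHP_SAPI !== 'cli') {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $url = 'https://weblogin.example.edu/cgi-bin/logout';
    if (cosign_logout($_SERVER, $_COOKIE, $url, $https)) {
        exit;
    }
}
```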