When the forceredirect setting is enabled, the expected redirect to the MS login page does not occur when a dead session was detected by an AJAX call.
Pre-requisites
- Admin setting `core/forcelogin` set to `true`
- Admin setting `auth_oidc/forceredirect` set to `true`
- Admin setting `auth_oidc/silentloginmode` set to `true`
Replication steps
- Log in
- Open your browser inspector and delete your session cookie
- Open the notifications to trigger an AJAX request
Expected
- The user is redirected to the MS login page
Actual
- The user is redirected to the logout page
This is happening because auth_oidc refuses to redirect whenever the HTTP referer is the current site, on the wrong assumption that any same-site referer means the user came from the logout page. See the comment in the snippet below.

```php
// If the user is redirected to the login page immediately after logging out, don't redirect.
$silentloginmodesetting = get_config('auth_oidc', 'silentloginmode');
$forceredirectsetting = get_config('auth_oidc', 'forceredirect');
$forceloginsetting = get_config('core', 'forcelogin');
if (
    $silentloginmodesetting && $forceredirectsetting && $forceloginsetting && isset($_SERVER['HTTP_REFERER']) &&
    strpos($_SERVER['HTTP_REFERER'], $CFG->wwwroot) !== false
) {
    return false;
}
```
Moodle AJAX redirect

```javascript
// lib/src/ajax.js
if (exception !== null) {
    // Redirect to the login page.
    if (exception.errorcode === "servicerequireslogin" && !nosessionupdate) {
        window.location = URL.relativeUrl("/login/index.php");
    } else {
        // ...
    }
}
```
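To make the mis-classification concrete, the following is an added illustration (not code from auth_oidc or Moodle) that models the plugin's current skip-redirect condition next to a hypothetical narrower check keyed on the logout URL; the sample site URL and referers are constructed, and the narrower variant assumes the logout page is what appears as the referer in the "just logged out" case.

```php
<?php
// Added illustration, not the auth_oidc plugin's own code.
// Models the skip-redirect decision shown in the snippet above and a
// narrower alternative (hypothetical, for comparison only).

function skipRedirectCurrent(array $settings, ?string $referer, string $wwwroot): bool {
    // Mirrors the plugin's check: any same-site referer suppresses the redirect,
    // so a dead session detected by AJAX on a course page is treated like a logout.
    return $settings['silentloginmode'] && $settings['forceredirect'] && $settings['forcelogin']
        && $referer !== null
        && strpos($referer, $wwwroot) !== false;
}

function skipRedirectNarrow(array $settings, ?string $referer, string $wwwroot): bool {
    // Hypothetical narrower check: only treat the request as "just logged out"
    // when the referer is this site's logout page, not any same-site page.
    if (!($settings['silentloginmode'] && $settings['forceredirect'] && $settings['forcelogin'])) {
        return false;
    }
    if ($referer === null) {
        return false;
    }
    return strpos($referer, rtrim($wwwroot, '/') . '/login/logout.php') === 0;
}

$settings = ['silentloginmode' => true, 'forceredirect' => true, 'forcelogin' => true];
$wwwroot  = 'https://moodle.example.test'; // constructed sample site

$cases = [
    // Referer when lib/src/ajax.js sends the browser to /login/index.php after a
    // dead session was detected while the user was on a course page.
    'dead session via AJAX' => $wwwroot . '/course/view.php?id=2',
    // Referer when the user really did just log out (assumed to be the logout page).
    'just logged out'       => $wwwroot . '/login/logout.php',
    // Arriving from another site entirely.
    'external link'         => 'https://intranet.example.test/portal',
];

foreach ($cases as $label => $referer) {
    printf("%-22s current=%-5s narrow=%s\n", $label,
        skipRedirectCurrent($settings, $referer, $wwwroot) ? 'skip' : 'go',
        skipRedirectNarrow($settings, $referer, $wwwroot) ? 'skip' : 'go');
}
```

The "dead session via AJAX" row is the reported case: the current condition skips the MS redirect because the referer is same-site, while the narrower variant lets it proceed.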