Feature Request: Provide a cookie for indicating logged in or not #1534

Open
iamCristYe opened this issue Nov 2, 2021 · 11 comments

Comments

@iamCristYe

Is your feature request related to a problem? Please describe.
Our organization used to use the existence of session.authtoken.cookiename to determine if a user is logged in/has a valid SSO session. But in the recent version (i.e. 1.19.1), the session.authtoken.cookiename is not cleared after logging out. Thus, I'm looking for a new variable like session.loggedinindicator.cookiename

Describe the solution you'd like
Currently, I've implemented a working solution by introducing the following code:

diff --git a/lib/SimpleSAML/Auth/Source.php b/lib/SimpleSAML/Auth/Source.php

--- a/lib/SimpleSAML/Auth/Source.php
+++ b/lib/SimpleSAML/Auth/Source.php
@@ -157,7 +157,7 @@ abstract class Source
 
         $func = $state['LoginCompletedHandler'];
         assert(is_callable($func));
-
+        setcookie("COOKIENAME", 'refer_to_README_for_this_cookie', 0, '/', 'domainname', true);
         call_user_func($func, $state);
         assert(false);
     }
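Review bot: the cookie name and domain are string literals ("COOKIENAME", 'domainname') instead of values read from the SSP config, and the call omits the httponly argument (and sets no SameSite attribute), so the indicator is readable by page scripts; reuse the domain/secure settings SSP already applies to session.authtoken.cookiename and pass `true` as the seventh argument. Also, this hook sits in the completion path of the abstract Auth\Source class, so it fires for every authentication source, not only the IdP login flow the request describes.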




diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php

--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -21,7 +21,7 @@ if (!$config->getBoolean('enable.saml20-idp', false) || !\SimpleSAML\Module::isM
 
 $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idp = \SimpleSAML\IdP::getById('saml2:' . $idpEntityId);
-
+setcookie("COOKIENAME", '', time() - 36000,  '/', 'domainname', true);
 if (isset($_REQUEST['ReturnTo'])) {
     $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo']));
 } else {
     
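Review bot: the cookie is cleared only on the saml2 IdP SingleLogoutService endpoint, so logouts that never reach it (a session that simply expires, for instance) leave the indicator in place and applications keep attempting SSO; also, a browser only deletes a cookie when path and domain match the original setcookie() exactly, so the '/' and 'domainname' literals here and in Source.php should come from one shared lookup rather than being duplicated. Note too that the clear runs before the logout request itself is processed, so the cookie is dropped whether or not the logout succeeds.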

Describe alternatives you've considered
N/A

Additional context
N/A
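An added example, not code from this issue or from SimpleSAMLphp, of the indicator-cookie idea with the scope and flags centralised so that set and clear always match and the cookie never carries a session secret; the cookie name is hypothetical and the session.cookie.* option reads assume the option names from SSP's config.php:

```php
<?php
// Added example (not SimpleSAMLphp project code). Assumes $config is a
// \SimpleSAML\Configuration and that session.cookie.path/domain/secure/samesite
// exist in config.php. The array form of setcookie() needs PHP 7.3+.
declare(strict_types=1);

final class LoggedInIndicator
{
    public const NAME = 'sso_logged_in'; // hypothetical cookie name

    /** Cookie attributes shared by set() and clear(), so a delete always matches. */
    private static function options(\SimpleSAML\Configuration $config): array
    {
        $domain = $config->getValue('session.cookie.domain', null);
        return [
            'path'     => $config->getString('session.cookie.path', '/'),
            'domain'   => is_string($domain) ? $domain : '',
            'secure'   => $config->getBoolean('session.cookie.secure', true),
            'httponly' => true,   // scripts never need to read the indicator
            'samesite' => $config->getString('session.cookie.samesite', 'Lax'),
        ];
    }

    /** Mark the browser as having an SSO session; the value is a constant on purpose. */
    public static function set(\SimpleSAML\Configuration $config): void
    {
        setcookie(self::NAME, '1', ['expires' => 0] + self::options($config));
    }

    /** Remove the indicator with the same path/domain used in set(). */
    public static function clear(\SimpleSAML\Configuration $config): void
    {
        setcookie(self::NAME, '', ['expires' => time() - 3600] + self::options($config));
    }

    /**
     * Application side: decide whether to send an anonymous visitor to the IdP.
     * This is only a hint; the application must still rely on the SAML assertion
     * it receives, never on this cookie, to consider the user authenticated.
     */
    public static function shouldTrySso(array $cookies): bool
    {
        return ($cookies[self::NAME] ?? '') === '1';
    }
}
```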

@tvdijen
Member

tvdijen commented Nov 2, 2021

What version were you running before? I'm curious to find out what happened and why it stopped working

@iamCristYe
Author

Thanks for your quick reply. We used to use 1.13.1 (yes, too old, I know). We have several applications like a.example.com, b.example.com etc. In the past, we used the existence of session.authtoken.cookiename shared on example.com to determine if we do SSO for the user. And previously, when logging out of a.example.com/b.example.com, our web application would clear the cookie session.authtoken.cookiename, and it was fine, the SLO process continued without error. But with 1.19.1, as our application clears session.authtoken.cookiename, simplesamlphp throws a no state error. So I have manually modified the code (shown above) to add this logged-in indicator cookie.

@tvdijen
Member

tvdijen commented Nov 2, 2021

Well yeah, your application shouldn't be touching SSP's cookies.. If you remove it in your application, it's not strange that SSP can't find it anymore (hence the NO STATE error). Try leaving cookie management to SSP instead and you should be fine.

@iamCristYe
Author

Ooops didn't realize that I'm using the wrong account... Could you please delete that comment?

I was laughing that you're right, we shouldn't touch another system's stuff. Every time one uses things for purposes other than its intention, probably things will go wrong, like those undocumented API.

By the way, what do you think of my implementation? I can submit a PR.

@tvdijen
Member

tvdijen commented Nov 3, 2021

I think you should just continue reading the session.authtoken.cookiename to see if someone is authenticated or not.. Just not delete it by yourself.. If that doesn't work because something is changed since v1.13.1, then we need to fix that.. I don't see the added value of adding another cookie.

@iamCristYe
Author

I'm not sure how I can know if a user is authenticated or not from reading the cookie. For example, when I'm logged in I can see that the value of the cookie is _5a809ad225c3aa618a2ec6c7c7604d848183cf0bc0, then when I log out, the cookie is still _5a809ad225c3aa618a2ec6c7c7604d848183cf0bc0...

@tvdijen
Member

tvdijen commented Nov 3, 2021

Maybe I'm just not following your use-case.. If you log out, you would also kill your application's session, right? So as soon as you hit the application again, it would force you to (re-)authenticate at the IDP to get a new SAML token and start a new application session.. If you keep your SP's session duration <= to the IDPs session duration, you can never end up being logged in to an application without having a valid SSO session at the IDP. Or am I missing the point here?

@iamCristYe
Author

The point is our applications may not require users to log in. Think of youtube.com: you can watch videos without logging in, but if you logged in at google.com, YouTube would do SSO for you depending on some shared cookies. Can you understand what I mean? I need a way to tell if a user has logged in... If the cookie is still there even after logging out, the server won't know if we need to SSO the user.

@tvdijen
Member

tvdijen commented Nov 3, 2021

I think that's what the cdc-module (= Common Domain Cookie) can do for you, but I must say I have no experience with this.

@iamCristYe
Author

Hmm, I wonder if there are some docs for this module... I glanced at it and got no idea what it does.

@tvdijen
Member

tvdijen commented Nov 5, 2021

Unfortunately nobody knows exactly ... However, the concept of the "Common Domain Cookie" may be useful for your specific use case.
https://help.sap.com/saphelp_nw73/helpdata/en/6f/704141f79c488d85b130e006c09431/content.htm?no_cache=true
https://docs.oracle.com/cd/E19575-01/820-3740/gglpj/index.html
