vegard_bakke
Partner - Creator III

Single Logout, using Log Out button from the Hub

The Authentication API ‒ Qlik Sense for developers article says:

In some cases, it might make sense for the authentication module to act as a logout module as well.

How do you catch a Sense initiated logout?  
That is, when the user is pressing the Log Out button in the Hub. (The one hidden under your username.)

 

Single-logout has been solved with SAML authentication. But how do you catch this when using a custom authentication module (using the ticket API)?

 

Technically, this is a security problem, since the user thinks she is logged out. But she still has a live session with the SingleSignIn module, which will just log you in once more.

 

5 Replies
Anonymous
Not applicable

Interesting question, I would like to know if there is a way to do it.

Damien_Villaret
Support

Hi @vegard_bakke 

You're correct, there is no way to do that out of the box.

The only way I can think of would be to use a reverse proxy and catch when the user uses the logout button with a rewrite rule to redirect to a custom page in the authentication module used to log out from the module.

If the issue is solved please mark the answer with Accept as Solution.
vegard_bakke
Partner - Creator III
Author

Ouch.  I know what my IdP will say about this. They've already complained about Qlik not clearing the client side cookies when logging out. (Even though the session value is terminated server side.)

 

Should we log this as a security issue?

 

Long term solution
It should be hard to fix. One could add an Authentication module logout URI under Ticket method under virtual proxy in QMC.

This is what happens with SAML logins, after all. 


Short term solution
In the meantime, I guess having the reverse proxy hijack GET https://<server>/<v.proxy>/qps/logout might do the trick.

 

Let the authentication module clear the session cookie. (Possibly after first running DELETE https://<server>/<v.proxy>/qps/user, with the user's session cookie, although the browser should have already done this.) And finally let the request return a redirect to a nice landing/login page. (Since the standard Qlik logout page is now hijacked.)
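
The short-term workaround described in the post above, sketched as the authentication module's logout handler (an added example, not code from the thread or from Qlik). The virtual proxy prefix `vp`, both cookie names, the landing path and the in-memory session store are assumptions to replace with your own values.

```javascript
// Added example: logout endpoint of a custom (ticket-based) authentication module.
// Every value in CFG is an assumption; use the names configured on your virtual proxy.
const CFG = {
  vproxy: 'vp',                     // virtual proxy prefix (placeholder)
  qlikCookie: 'X-Qlik-Session-vp',  // session cookie name set on that virtual proxy (assumed)
  ssoCookie: 'sso_session',         // the auth module's own cookie (hypothetical)
  landing: '/auth/logged-out',      // landing/login page served by the module (hypothetical)
};
const ssoSessions = new Map();      // stand-in for the module's server-side session store

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns null when the request is not the logout URL the reverse proxy forwards here.
function handleLogout(method, path, cookieHeader, cfg = CFG) {
  if (method !== 'GET' || path.split('?')[0] !== `/${cfg.vproxy}/qps/logout`) return null;
  const cookies = parseCookies(cookieHeader);
  // 1. End the module's session server-side; expiring the cookie alone leaves it usable.
  const hadSso = ssoSessions.delete(cookies[cfg.ssoCookie]);
  // 2. Optional upstream call from the post: DELETE /<v.proxy>/qps/user with the user's cookie.
  const qlikValue = cookies[cfg.qlikCookie];
  const upstream = qlikValue
    ? { method: 'DELETE', path: `/${cfg.vproxy}/qps/user`,
        headers: { Cookie: `${cfg.qlikCookie}=${qlikValue}` } }
    : null;
  // 3. Expire both cookies in the browser. Path (and Domain, if set) must match
  //    the attributes used when the cookie was issued, or the browser keeps it.
  const expire = (name) => `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
  return {
    status: 302,
    headers: {
      Location: cfg.landing,        // fixed target, never taken from the request
      'Cache-Control': 'no-store',
      'Set-Cookie': [expire(cfg.ssoCookie), expire(cfg.qlikCookie)],
    },
    upstream, hadSso,
  };
}
```

The caller sends the `upstream` request to the Qlik proxy if it is non-null, then writes `status` and `headers` to the browser response.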

Kalkumar
Partner - Contributor III

Hi @vegard_bakke ,

If my understanding is correct, you have already developed a custom extension to log out the users from the QlikApp. However, you still have the session active.

Can you please share what your HTML and JS code looks like?

I have been trying to achieve this, but no luck yet. Also, I posted my query: https://community.qlik.com/t5/Integration-Extension-APIs/Extension-to-logout-a-user-from-Qliksense/m...

Thanks

vegard_bakke
Partner - Creator III
Author

Sort of. I have developed an extension (i.e. a button) that lets you log in and out in an iframe environment.

 

But that was done for a client, so the source code is theirs, and not mine to give, sorry.

 

However, you are on the right track (in your other post). I'll follow you up there. 😊

 

Vegard