Qlik Community

Integration, Extension & APIs

vegard_bakke
Partner

Single Logout, using Log Out button from the Hub

The Authentication API ‒ Qlik Sense for developers article says:

In some cases, it might make sense for the authentication module to act as a logout module as well.

How do you catch a Sense initiated logout?  
That is, when the user is pressing the Log Out button in the Hub. (The one hidden under your username.)

 

Single-logout has been solved with SAML authentication. But how do you catch this when using a custom authentication module (using the ticket API)?

 

Technically, this is a security problem, since the user thinks she is logged out, but she still has a live session with the SingleSignIn module, which will just log you in once more.

 

3 Replies
rzenere_methodedupe

Interesting question, I would like to know if there is a way to do it.

Damien_Villaret
Support

Hi @vegard_bakke 

You're correct, there is no way to do that out of the box.

The only way I can think of would be to use a reverse proxy and catch when the user uses the logout button with a rewrite rule to redirect to a custom page in the authentication module used to log out from the module.

vegard_bakke
Partner
Author

Ouch.  I know what my IdP will say about this. They've already complained about Qlik not clearing the client side cookies when logging out. (Even though the session value is terminated server side.)

 

Should we log this as a security issue?

 

Long term solution
It should be hard to fix. One could add an Authentication module logout URI under Ticket method under virtual proxy in QMC.

This is what happens with SAML logins, after all. 


Short term solution
In the meantime, I guess having the reverse proxy hijack GET https://<server>/<v.proxy>/qps/logout might do the trick.

 

Let the authentication module clear the session cookie. (Possibly after first running DELETE https://<server>/<v.proxy>/qps/user, with the user's session cookie, although the browser should have already done this.) And finally let the request return a redirect to a nice landing/login page. (Since the standard Qlik logout page is now hijacked.)
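
The short-term approach from the last post, sketched as an added example (not part of the thread and not Qlik's or any poster's code): the handler the reverse proxy would route GET <v.proxy>/qps/logout to inside the authentication module. The cookie names, the "vp" virtual proxy prefix, the landing URL and the in-memory session store are assumptions.

```javascript
// Assumed values (not from the thread): cookie names, virtual proxy prefix, landing URL.
const CFG = {
  logoutPath: '/vp/qps/logout',     // <v.proxy> = "vp" (constructed)
  moduleCookie: 'authmod_session',  // hypothetical module session cookie
  qlikCookie: 'X-Qlik-Session-vp',  // assumed Qlik session cookie name
  landing: '/auth/logged-out',      // hypothetical landing page
};

// Parse a Cookie header into a name -> value map.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Expire a cookie in the browser; Path and flags must match how it was set.
const expire = (name) =>
  `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;

// Handle a request the reverse proxy routed to the module.
// Returns null when it is not the Hub's logout call.
function handleLogout(req, sessions, cfg = CFG) {
  const path = req.url.split('?')[0];
  if (req.method !== 'GET' || path !== cfg.logoutPath) return null;
  const cookies = parseCookies(req.headers.cookie);
  // 1. Drop the module's server-side session so it cannot issue a new ticket.
  const hadSession = sessions.delete(cookies[cfg.moduleCookie]);
  // 2. Optional call from the thread: DELETE .../qps/user with the user's cookie.
  const qlik = cookies[cfg.qlikCookie];
  const upstream = qlik
    ? { method: 'DELETE', path: cfg.logoutPath.replace(/logout$/, 'user'),
        headers: { cookie: `${cfg.qlikCookie}=${qlik}` } }
    : null;
  // 3. Clear both cookies client side and redirect to a fixed landing page.
  return {
    status: 302,
    headers: {
      Location: cfg.landing,
      'Set-Cookie': [expire(cfg.moduleCookie), expire(cfg.qlikCookie)],
      'Cache-Control': 'no-store',
    },
    upstream,
    hadSession,
  };
}
```

The caller sends `upstream` (when not null) to the Qlik proxy and then writes `status` and `headers` to the browser; `sessions` is any Map-like store keyed by the module's session id.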