Log out of Shibboleth without closing browser

[pkoenig10]

No description provided.

[sclark]

@pkoenig10 was this resolved by another commit or are you talking about how after logging out, when logging in again you are logged back in automatically?

[ChaseBro]

I think he means that if you log out of shibboleth but not out of Binder you stayed logged into Binder even though you shouldn't. Although not 100% sure

[pkoenig10]

Currently when you select "log out" in Binder you are logged out of Binder but not out of Shibboleth. So a new user could go to Binder, revisit the page, and the new user would be automatically logged in as the previous user because the previous user is still logged in to Shibboleth.

This fixes the problem where coordinates are logged in as the previous coordinate, which makes our logging around tool checkouts, etc. useless. The current workaround is to restart the browser. But that's not really convenient when coordinators are changing shift (and people understandably won't remember to do something that silly).

[pkoenig10]

I started working on this in the fix_logout branch. I recall that in the current state it partially works; it worked sometimes but was a flaky. I think that was mostly due to my lack of understanding about Rails routing and Shibboleth.

Some helpful links:
Shibboleth logout docs: https://docs.shib.ncsu.edu/docs/logout.html
SImilar workflow (ignore the Apache part): http://duke-libraries.github.io/2015/02/11/authentication-with-devise-omniauth-and-shibboleth.html

It looks like after_sign_out_path_for in Devise is something that is useful.

[sclark]

@pkoenig10 I will take a look and prioritize this over #82