Forum OpenACS Improvement Proposals (TIPs): TIP#124 Stack of procs executed next page request (rejected)

Just like util_user_message I propose a feature to run stored jobs next time the user makes a page request. This is a very powerful feature and useful for many scenarios. The one here at hand is to support single sign out for the central authentication service (CAS) with version 3.x. Here the cas server request oacs to logout the user because the user requested a logout in a third system. Since oacs is a cookie based system there is no way for oacs to invalidated the users session on the server side. We have to wait until the user makes the next page request. In this case ad_user_logout could be executed.

To support this and based on util_user_messages I have defined 2 new procs in acs-tcl and added a one liner (the second proc) to the master template.

ad_proc -public util_user_stack {
    {-job ""}
    {-session_id ""}
} {
    Stores a job being executed on the next page request.

    @param job The job to be executed
    @param session_id The session for which the job should be executed. Without a session_id nothing will be done.

    @see util_process_user_stack
} {
    if { $session_id eq "" } {
        ns_log Warning "No session_id passed. Doing nothing"
        return
    }
    if { $job ne "" } {
        set jobs [ad_get_client_property -session_id $session_id -default {} -cache_only t "acs-kernel" "user_stack"]
        lappend jobs $job
        ad_set_client_property -session_id $session_id "acs-kernel" "user_stack" $jobs
    }
}

ad_proc -public util_process_user_stack {
    {-keep:boolean}
} {
    Executes all jobs for the current user

    @see util_user_stack
} {
    set jobs [ad_get_client_property -default {} -cache_only t "acs-kernel" "user_stack"]
    if { !$keep_p } {
        ad_set_client_property "acs-kernel" "user_stack" {}
    }
    foreach job $jobs {
        ns_log Notice "Running '$job' for user"
        if {[catch $job error]} {
            ns_log Warning "Job failed returning. $error"
        }
    }
}

Nima,

Have you fully analyzed the cookie validation process to be sure there is no way to make it work with the already existing code? It seems that the code that resets the users auth token was created specifically for this purpose and it would be better to fix the existing code than to add this. One question on logging out users is whether they can be logged in to two computers and what happens if they log out on one of them.

This probably also would affect your use case since this would effectively log the out from whatever computer they next used, if they changed to another computer it might still be logged in.

It seems simpler and less error prone to invalidate the cookies so the next time they login cookie is checked, its invalid. All this requires is a token used to encode the cookie contents along with the time.

This is already EXACTLY how the code works:

if {$auth_token eq [sec_get_user_auth_token $untrusted_user_id]} {

it compares the auth token provided with the cookie with the users current valid auth token. Invalidating the auth token will invalidate the cookies.

heh, here's the link: https://openacs.org/forums/message-view?message%5fid=1691183

Please note, that this tip is not about my concrete situation. Therefore I would like know if you find such a proc useful enough to make it part of the distribution.

Regarding you comments I will answer them here: https://openacs.org/forums/message-view?message_id=1691183