OpenSSO and PHP - A custom PHP script to manually log out of an OpenSSO single sign-on session

This blog post is part of a series of planned articles regarding OpenSSO and PHP, specifically how to use the OpenSSO Identity Services from within a PHP application. As you'll see in these examples, you can use the OpenSSO REST-based Identity Services from any programming language; I just chose PHP because it was what I needed for my application, but you can easily use Ruby, Python, Java, or another programming language.

In this post I'm going to tackle the topic of "how to use PHP to manually log a user out of an OpenSSO single sign-on session." In other posts I will show how to use PHP to create a custom login script (i.e., login.php) to log in (authenticate) to an OpenSSO server, and how to get information about the current user, in each case using the OpenSSO REST Identity Services.

How to manually log out from an OpenSSO server

Here's a very simple PHP script that demonstrates how to log a user out of an OpenSSO server. In short, you want to call the OpenSSO "logout" identity service, which in my case resides at this URL:

http://opensso.example.com:8080/opensso/identity/logout

To perform the actual logout, all you have to do is build up your request and send it to this URL. I read on the OpenSSO user forums that it can also be a good idea to delete the OpenSSO cookie (named "iPlanetDirectoryPro" by default), so as you'll see in the code below I do this also.

With that brief introduction, here is my logout.php source code:

<?php
require 'HTTP/Request.php';

$OPENSSO_URL = 'http://opensso.example.com:8080/opensso/identity/logout';

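# we should already have a cookie, so just call the logout url
error_log('logout.php was called');
if (isset($_COOKIE['iPlanetDirectoryPro'])) {
    # strip CR/LF so the cookie value cannot add extra request headers
    $token = str_replace(array("\r", "\n"), '', $_COOKIE['iPlanetDirectoryPro']);

    $req = new HTTP_Request($OPENSSO_URL);
    $req->setMethod(HTTP_REQUEST_METHOD_POST);
    $req->addHeader('Content-Type','application/x-www-form-urlencoded');
    $req->addHeader('Cookie',"iPlanetDirectoryPro=$token");
    $req->sendRequest();

    $res = $req->getResponseBody();

    error_log("(logout.php) Performed logout");
    error_log("(logout.php) Response: $res");
} else {
    # without the cookie there is no token to send to the logout service
    error_log('(logout.php) No iPlanetDirectoryPro cookie found');
}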

# delete the cookie by setting it to expire in the past.
# not 100% necessary, but may get around some caching issues.
setcookie('iPlanetDirectoryPro', '', time()-86400);

?>

<p><a href="main.php">Go back to main, if you can. :) </a></p>

Discussion of the PHP source code

Looking through that source code, here are a few other things I should mention:

  • If you don't already have the HTTP_Request module, you'll need to download and install it. You can use PEAR to do this very easily. (I show how to use PEAR here.)
  • I write some output to the Apache error log using the error_log function. I was going to delete these lines, but they may help for your own debugging purposes, so I've left them in the source code.
  • For the purposes of this sample code, my OpenSSO server is available at this URL: http://opensso.example.com:8080/opensso, which leads to the logout identity service being available at http://opensso.example.com:8080/opensso/identity/logout.
  • I've hard-coded the name of the cookie (iPlanetDirectoryPro), which is not recommended. However, for my test installation I have no need to change the name of this cookie/token, so I just left it at the default.
  • When you click the link to main.php you should find that you have been logged out from OpenSSO, and as you'll see when you look at the main.php code, that script will manually redirect you to our custom OpenSSO login page.
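
The same logout exchange from Python, shown from both sides, as an added example that is not part of the original post. The names logout, StubLogout and demo, the sample token, and the stub's 200/401 replies are constructed for illustration and do not describe OpenSSO's actual responses; the cookie name is a parameter rather than hard-coded.

```python
import http.client, http.server, re, threading
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"[!-:<-~]+")  # printable ASCII, no space, ';' or CR/LF

def logout(base_url, token, cookie_name="iPlanetDirectoryPro"):
    """POST the SSO cookie to <base_url>/identity/logout and return the HTTP status."""
    if not TOKEN_RE.fullmatch(token or ""):
        raise ValueError("malformed SSO token, not forwarding it")
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=5)
    try:
        conn.request("POST", u.path + "/identity/logout", body=b"", headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": f"{cookie_name}={token}"})
        return conn.getresponse().status  # caller decides what a non-200 means
    finally:
        conn.close()

class StubLogout(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the logout service, not OpenSSO's real behaviour."""
    sessions = set()  # tokens the stub treats as live sessions

    def do_POST(self):
        m = re.search(r"iPlanetDirectoryPro=([^;]+)", self.headers.get("Cookie", ""))
        ok = bool(m) and self.path == "/opensso/identity/logout" and m.group(1) in self.sessions
        if ok:
            self.sessions.discard(m.group(1))  # the session is gone after logout
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args): pass  # silence per-request logging

def demo():
    """Log out once with a live token, then replay the same token."""
    token = "AQIC-constructed-token*"  # constructed sample value
    StubLogout.sessions = {token}
    with http.server.HTTPServer(("127.0.0.1", 0), StubLogout) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}/opensso"
        try:
            return logout(base, token), logout(base, token), len(StubLogout.sessions)
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```

Checking the returned status, rather than logging "Performed logout" unconditionally, is what tells the calling script whether the server-side session was actually ended.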