From 319c63a7f25b6fd6edeaac6e8b7eabb7e76f1c76 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 17 Oct 2022 19:29:05 +0200
Subject: [PATCH] Add settings to allow deletings Django cookies upon logout.
 Fix #80

---
 CHANGELOG.rst                  |  1 +
 README.rst                     | 11 +++++++++++
 cas_server/default_settings.py |  7 +++++++
 cas_server/views.py            | 26 ++++++++++++++++++--------
 4 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d259dbb..ad102b6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,7 @@ Unreleased
 Added
 -----
 * Support for Django 4.0 and 4.1
+* Add settings to allow deletings Django cookies upon logout
 
 Fixes
 -----
diff --git a/README.rst b/README.rst
index 1b41d88..55a75e0 100644
--- a/README.rst
+++ b/README.rst
@@ -285,6 +285,17 @@ Authentication settings
   
 * ``CAS_SLO_TIMEOUT``: Timeout for a single SLO request in seconds. The default is ``5``.
 
+* ``CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT``: If `True` Django session cookie will be removed
+  on logout from CAS server (default `False`). Note that Django session middleware will generate
+  a new session cookie.
+
+* ``CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT``: If `True` Django csrf cookie will be removed on
+  logout from CAS server (default `False`). Note that Django csrf middleware will generate a new
+  csrf token cookie.
+
+* ``CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT``: If `True` Django language cookie will be
+  removed on logout from CAS server (default `False`).
+
 
 Federation settings
 -------------------
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index cbdb7f8..408e146 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -239,6 +239,13 @@ CAS_INFO_MESSAGES = {
 #: Let the list empty to disable messages display.
 CAS_INFO_MESSAGES_ORDER = []
 
+#: :class:`bool` If `True` Django session cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT = False
+#: :class:`bool` If `True` Django csrf cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT = False
+#: :class:`bool` If `True` Django language cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT = False
+
 
 GLOBALS = globals().copy()
 for name, default_value in GLOBALS.items():
diff --git a/cas_server/views.py b/cas_server/views.py
index bbf5490..d26309e 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -153,6 +153,16 @@ class LogoutView(View, LogoutMixin):
         self.url = request.GET.get('url')
         self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META
 
+    @staticmethod
+    def delete_cookies(response):
+        if settings.CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT:
+            response.delete_cookie(settings.SESSION_COOKIE_NAME)
+        if settings.CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT:
+            response.delete_cookie(settings.CSRF_COOKIE_NAME)
+        if settings.CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT:
+            response.delete_cookie(settings.LANGUAGE_COOKIE_NAME)
+        return response
+
     def get(self, request, *args, **kwargs):
         """
             method called on GET request on this view
@@ -181,15 +191,15 @@ class LogoutView(View, LogoutMixin):
                 response = HttpResponseRedirect(utils.update_url(url, params))
                 if request.GET.get("forget_provider"):
                     response.delete_cookie("remember_provider")
-                return response
+                return self.delete_cookies(response)
         # if service is set, redirect to service after logout
         if self.service:
             list(messages.get_messages(request))  # clean messages before leaving the django app
-            return HttpResponseRedirect(self.service)
+            return self.delete_cookies(HttpResponseRedirect(self.service))
         # if service is not set but url is set, redirect to url after logout
         elif self.url:
             list(messages.get_messages(request))  # clean messages before leaving the django app
-            return HttpResponseRedirect(self.url)
+            return self.delete_cookies(HttpResponseRedirect(self.url))
         else:
             # build logout message depending of the number of sessions the user logs out
             if session_nb == 1:
@@ -224,19 +234,19 @@ class LogoutView(View, LogoutMixin):
                         'url': url,
                         'session_nb': session_nb
                     }
-                    return json_response(request, data)
+                    return self.delete_cookies(json_response(request, data))
                 else:
-                    return redirect("cas_server:login")
+                    return self.delete_cookies(redirect("cas_server:login"))
             else:
                 if self.ajax:
                     data = {'status': 'success', 'detail': 'logout', 'session_nb': session_nb}
-                    return json_response(request, data)
+                    return self.delete_cookies(json_response(request, data))
                 else:
-                    return render(
+                    return self.delete_cookies(render(
                         request,
                         settings.CAS_LOGOUT_TEMPLATE,
                         utils.context({'logout_msg': logout_msg})
-                    )
+                    ))
 
 
 class FederateAuth(CsrfExemptView):