ID: 0004468
Project: SOGo
Category: GUI
View Status: public
Date Submitted: 2018-05-16 11:13
Last Update: 2019-01-16 02:55
Assigned To:
Platform: [Server] Linux
OS: CentOS Linux
OS Version: 7.4
Product Version: 3.2.10
Target Version:
Fixed in Version:
Summary: 0004468: CAS Authentication - CAS Session expiration handling with SOGo V3 - CORS
Description:
Troubles with SOGo handling of the CAS Session expiration.

Adding some configurations on CAS server to handle Cross-origin resource sharing (CORS) allows us to have a better behavior, but that's not perfect yet.

See below.
Steps To Reproduce:
Use a SOGo v3 with a CAS Authentication.
You authenticate on SOGo Web UI (via CAS login).
You click on a mail, all is ok.
Now, log out of the cas directly via another tab of your browser : [^]
Wait or click on another mail in the SOGo Web UI.

-> an infinite loop of HTTP Ajax requests occurs (on CAS and SOGo) ... and the browser doesn't detect it!

In console of your browser you can see logs scrolling like this
Failed to load [^] No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' [^] is therefore not allowed access.
-> to handle CORS, we add on the HTTPD of the CAS Server, configurations like this :
SetEnvIf Origin "" [^] FROM_SOGO
Header add Access-Control-Allow-Origin "" [^] env=FROM_SOGO
Header add Access-Control-Allow-Headers "Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Headers,Access-Control-Request-Method,Connection,Host,Origin,User-Agent,Content-Type" env=FROM_SOGO

With this, it works better - no more infinite loop, and the CAS login form is displayed to the user ... but after logging in, you are regularly not redirected to a SOGo web HTML page but to a SOGo web JS page like [^] . This page displays things like :
{"quotas": {"maxQuota": "10731520", "usedSpace": "3865663"}} in the browser of the user :-(

Notes
vbonamy (reporter)
2018-10-18 02:42

Same problem with SOGo v4 (I just tested with 4.0.3).

The workaround of handling CORS on the CAS server does not work very well ... and can actually cause an infinite loop on the CAS server, so I removed the httpd configuration for this on the CAS server.

Because of this problem, we continue to use SOGo in version 2 here.
vbonamy (reporter)
2018-10-22 09:26

To avoid infinite loop I added this JavaScript (thanks to SOGoUIAdditionalJSFiles) :

document.addEventListener("DOMContentLoaded", function() {

    // Hack for [^]
    // Watch for nodes added directly under <body>.
    var observer = new MutationObserver(function (mutations, me) {
        // console.log(mutations);
        try {
            if (mutations[0].addedNodes[0].src.endsWith('/recover')) {
                window.location = '/';
                me.disconnect(); // stop observing
            }
        } catch (e) {
            // The first added node has no src (e.g. a text node): ignore it.
        }
    });

    // start observing
    observer.observe(document.body, {
        childList: true
    });
});

wix (reporter)
2019-01-16 02:53
edited on: 2019-01-16 02:55


I have the same issue with SOGo 4.0.5

For me this problem is not only related to the logout of the CAS, but also randomly

I fix with this rule on my proxypass :
ProxyPassMatch "^/SOGo/so/(.*)/recover" "!"
RedirectMatch "^/SOGo/so/(.*)/recover(.*)" "" [^]

But I think it's not a good solution

Thank you to check. This problem has existed since 2011 ( [^] )
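
The behaviour reported in this issue, as an added example that is not part of the original report and is not SOGo's code: client-side logic that treats a redirected or CORS-blocked Ajax response as an expired session and performs a bounded top-level navigation to an HTML page instead of retrying the request. The origins, the entry path, the `MAX_REAUTH` limit and all function names are assumptions, as is the premise that the JSON page seen after login comes from CAS sending the browser back to the Ajax URL.

```javascript
// Added example, not SOGo code. Origins, paths and names are assumptions.
const APP_ORIGIN = 'https://sogo.example.org'; // assumed SOGo origin
const APP_ENTRY = APP_ORIGIN + '/SOGo/';       // assumed HTML entry page
const MAX_REAUTH = 2;                          // re-login navigations allowed in a row

// Does this Ajax outcome mean the CAS session is gone?
// `r` mirrors a fetch() outcome: { networkError, type, url, contentType }.
function sessionExpired(r) {
  // A redirect to CAS without CORS headers surfaces as a plain network error;
  // it cannot be told apart from being offline, hence the counter below.
  if (r.networkError) return true;
  if (r.type === 'opaqueredirect') return true; // fetch(url, { redirect: 'manual' })
  if (new URL(r.url).origin !== APP_ORIGIN) return true; // redirect to CAS was followed
  return !/^application\/json\b/.test(r.contentType || ''); // login form, not JSON
}

// Next step for the UI. It never retries the Ajax call, which is what loops.
// `store` is Map-like; in a browser it would wrap sessionStorage.
function nextStep(r, store) {
  if (!sessionExpired(r)) {
    store.set('reauth', 0);
    return { action: 'continue' };
  }
  const n = (store.get('reauth') || 0) + 1;
  store.set('reauth', n);
  if (n > MAX_REAUTH) return { action: 'stop' }; // show an error, stop navigating
  // Top-level navigation to an HTML page, so the URL CAS sends the user back
  // to after login is a page rather than a JSON endpoint.
  return { action: 'navigate', url: APP_ENTRY };
}

// Constructed outcomes: one healthy call, then three ways expiry shows up.
const SAMPLES = [
  { type: 'basic', url: APP_ORIGIN + '/SOGo/data.json', contentType: 'application/json; charset=utf-8' },
  { networkError: true },
  { type: 'cors', url: 'https://cas.example.org/cas/login', contentType: 'text/html' },
  { type: 'opaqueredirect', url: '' },
];

function runDemo() {
  const store = new Map();
  return SAMPLES.map((r) => nextStep(r, store).action);
}

console.log(runDemo());
```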


Issue History
Date Modified Username Field Change
2018-05-16 11:13 vbonamy New Issue
2018-10-18 02:42 vbonamy Note Added: 0013117
2018-10-22 09:26 vbonamy Note Added: 0013122
2019-01-16 02:53 wix Note Added: 0013260
2019-01-16 02:55 wix Note Edited: 0013260
