
phpCAS clustering

phpCAS should work in clustered environments like any other PHP application that needs sessions. This normally means that you need shared session storage between your nodes (session files shared via NFS, or a session database) or sticky sessions handled by a load balancer.

However, there are advanced use cases where this is a bit more complicated: single sign-out and proxy mode. The reason is that in both cases the CAS server issues an independent command (HTTP POST) to the web server URL the client is connected to. In a cluster this POST can hit any of your nodes, and there is a good chance ((n-1)/n in an n-way cluster) that it hits the wrong node, one the user is not connected to. That node then simply lacks the user's session information needed to process the request.

Proxy mode

During the proxy handshake the CAS server sends a PGT and PGTiou pair back to the server that wants to proxy on behalf of a user. This PGTiou has to be matched with the PGTiou the user has obtained from the CAS server. If the user and the CAS server hit different cluster nodes, these nodes need to share their PGTs to process the request. This can be done with shared (NFS) file storage or a central database that you use for the PGTStorage.

Single Sign-Out

Since the CAS server has to destroy the user's session remotely, this can be handled by a central PHP session storage for all your cluster nodes. This could be a shared directory or a database. This is, however, a very tricky subject and has to be done for the whole PHP installation. If you are working with sticky sessions and have no central session storage, this does not work yet.

Rebroadcast

It's a new feature that we developed; it is currently working in the developer version of CAS and will appear in the next 1.3.0 release. You simply have to make your phpCAS clients aware of all other cluster members, and phpCAS will then rebroadcast the logout/proxy command to all of them. This ensures that all cluster members receive the logout/proxy command.
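
The routing problem and the two fixes described above (shared PGT storage and rebroadcast), modelled as an added Python example that is not phpCAS code; the `Node` class, the mode names and the ticket strings are constructed for illustration. It goes slightly beyond the text by enumerating every (callback node, user node) pair, so the (n-1)/n miss rate is checked exactly rather than sampled.

```python
import itertools


class Node:
    """One cluster member with its own PGT storage (PGTiou -> PGT)."""

    def __init__(self, name, store=None):
        self.name = name
        # Passing the same dict to every node models shared NFS/DB storage.
        self.store = {} if store is None else store
        self.peers = []  # only filled in for rebroadcast mode

    def cas_callback(self, pgt_iou, pgt, rebroadcast=False):
        """Server-to-server POST from CAS carrying the PGT/PGTiou pair."""
        self.store[pgt_iou] = pgt
        if rebroadcast:  # forward once; peers do not forward again
            for peer in self.peers:
                peer.cas_callback(pgt_iou, pgt)

    def user_request(self, pgt_iou):
        """User's request carrying the PGTiou obtained from the CAS server."""
        return self.store.get(pgt_iou)  # None: this node never saw the pair


def build_cluster(n, mode):
    shared = {} if mode == "shared" else None
    nodes = [Node(f"node{i}", shared) for i in range(n)]
    if mode == "rebroadcast":
        for node in nodes:
            node.peers = [p for p in nodes if p is not node]
    return nodes


def miss_rate(n, mode):
    """Fraction of (callback node, user node) pairs where the PGT lookup fails."""
    misses = 0
    for cb, user in itertools.product(range(n), repeat=2):
        nodes = build_cluster(n, mode)  # fresh cluster per handshake
        pgt_iou, pgt = f"PGTIOU-{cb}-{user}", f"PGT-{cb}-{user}"  # constructed
        nodes[cb].cas_callback(pgt_iou, pgt, rebroadcast=(mode == "rebroadcast"))
        if nodes[user].user_request(pgt_iou) != pgt:
            misses += 1
    return misses / (n * n)


if __name__ == "__main__":
    for mode in ("local", "shared", "rebroadcast"):
        print(mode, miss_rate(4, mode))
```

The same routing applies to the single sign-out POST: with node-local state only the node that receives it can act on it.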
