PhpMyAdmin SSO注销

Question

我正在使用PhpMyAdmin和自定义单点登录(SSO)脚本直接登录界面.由我自己的系统给出一个唯一的登录令牌,PHP调用SSO脚本.此脚本在我的系统中查找唯一ID,以便检索MySQL用户名和密码,并将其返回给PhpMyAdmin.

到目前为止这是有效的,但我的下一个目标是在一定程度的不活动后自动注销.如果没有SSO,删除我的浏览器cookie并单击任何链接,我会进入登录页面,并显示消息»您的会话已过期.请再次登录.«.但是,我无法从我的SSO脚本中重现此行为.

这是我的SSO脚本:

<?php

/**
 * Session timeout in seconds.
 */
define('SESSION_TIMEOUT', 60);

/**
 * @return array|null Returns an array with login credentials or null for no login.
 */
function get_login_credentials() {
    parse_str($_SERVER['QUERY_STRING'], $query);

    /* check for session activity (timeout) */
    if (isset($_SESSION['ssoLastActivity']) && (time() - $_SESSION['ssoLastActivity']) > SESSION_TIMEOUT) {
        $sessionExpired = true;
    } else {
        $sessionExpired = false;
    }

    if (isset($query['old_usr'])) {
        /* logout and back to index page */
        unset($_SESSION['ssoLastActivity']);
        unset($_SESSION['ssoUser']);
        unset($_SESSION['ssoPassword']);
        header('Location: index.php');
        exit;
    }

    if ($sessionExpired) {
        unset($_SESSION['ssoLastActivity']);
        unset($_SESSION['ssoUser']);
        unset($_SESSION['ssoPassword']);

        /******** POINT OF QUESTION ********/
        /* I'm trying to give the same response as if the cookies were deleted.
           I land on the login page as desired, however I'm missing the session
           timeout message. */
        header('Content-Type: application/json');
        echo json_encode(['redirect_flag' => '1', 'success' => false, 'error' => '']);
        exit;
        /***********************************/
    }

    /* update session activity timestamp */
    $_SESSION['ssoLastActivity'] = time();

    if (!empty($_SESSION['ssoUser']) && !empty($_SESSION['ssoPassword'])) {
        /* already logged in */
        return [
            $_SESSION['ssoUser'],
            $_SESSION['ssoPassword'],
        ];
    }

    /* retrieve MySQL login credentials here and store them in $user and $password */

    /* $user = ...; $password = ...; */

    return [
        $user,
        $password,
    ];
}

有没有人通过我的SSO脚本注销解决方案,这会导致我进入带有消息的登录页面,会话已过期？

更新:

该问题似乎与我的PhpMyAdmin服务器配置相关(在我的案例中为/etc/phpMyAdmin/servers.ini.php):

<?php
$cfg['Servers'] = array(
    1 => array('auth_type' => 'signon', ..., 'SignonScript' => '/usr/share/phpMyAdmin/sso.php', 'SignonURL' => 'index.php?server=1'),
    2 => array('auth_type' => 'cookie', ...)
);

我在会话超时后检查了网络请求,事实证明,实际上有一个请求?session_expired=1(触发会话超时消息)发送到服务器1; 因为此脚本返回null(无登录),它重定向到SignonURL index.php？server = 1,省略额外的session_expired查询参数.

我可以通过&session_expired = 1扩展此URL ,但是这也会在定期注销时触发消息.

我愿意接受改善行为的任何想法.