From 4446d4c5b8885cf1dfef4eb20ef074ca7e5ec972 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Tue, 14 Dec 2021 12:45:28 +0100
Subject: [PATCH] fix: ensure that frontchannel logout unconditionally returns OK

---
 pkg/router/handler_frontchannellogout.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/pkg/router/handler_frontchannellogout.go b/pkg/router/handler_frontchannellogout.go
index 80bc033..3f9af12 100644
--- a/pkg/router/handler_frontchannellogout.go
+++ b/pkg/router/handler_frontchannellogout.go
@@ -1,7 +1,6 @@
 package router

 import (
- "fmt"
 "net/http"

 log "github.com/sirupsen/logrus"
@@ -9,12 +8,18 @@ import (

 // FrontChannelLogout triggers logout triggered by a third-party.
 func (h *Handler) FrontChannelLogout(w http.ResponseWriter, r *http.Request) {
- params := r.URL.Query()
+ // Unconditionally return HTTP 200 OK
+ w.WriteHeader(http.StatusOK)

+ params := r.URL.Query()
 sid := params.Get("sid")

+ // Unconditionally destroy all local references to the session.
+ h.deleteCookie(w, h.GetSessionCookieName())
+
 if len(sid) == 0 {
- h.BadRequest(w, r, fmt.Errorf("front-channel logout: sid not set in query parameter"))
+ log.Info("sid parameter not set in request; ignoring")
+ h.DeleteSessionFallback(w, r)
 return
 }

@@ -25,8 +30,4 @@ func (h *Handler) FrontChannelLogout(w http.ResponseWriter, r *http.Request) {
 log.Error(err)
 // Session is already destroyed at the OP and is highly unlikely to be used again.
 }
-
- // Unconditionally destroy all local references to the session.
- h.deleteCookie(w, h.GetSessionCookieName())
- w.WriteHeader(http.StatusOK)
 }
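Review bot: The `w.WriteHeader(http.StatusOK)` added at the top of FrontChannelLogout (second hunk) runs before `h.deleteCookie(w, h.GetSessionCookieName())` and `h.DeleteSessionFallback(w, r)`, and net/http ignores header changes made after WriteHeader. If those helpers clear the cookie by adding a Set-Cookie header to `w` (their bodies are not in this diff), the browser never receives it and keeps the session cookie after the logout request. That matters most on paths where the server-side session may survive, such as the error further down that is only logged. Keep the unconditional 200 but send it last, for example `defer w.WriteHeader(http.StatusOK)` in place of the early call, with a comment like `// Status is written last so the Set-Cookie headers set below are still sent.` The middle of the function lies between this hunk and the next and is not visible here.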