middleware: clear PASSIVE_TRIED_COOKIE when logged in (#67084)

mellon/middleware.py

@@ -31,7 +31,10 @@ class PassiveAuthenticationMiddleware(MiddlewareMixin):
         if (
             app_settings.OPENED_SESSION_COOKIE_NAME
             and PASSIVE_TRIED_COOKIE in request.COOKIES
-            and app_settings.OPENED_SESSION_COOKIE_NAME not in request.COOKIES
+            and (
+                app_settings.OPENED_SESSION_COOKIE_NAME not in request.COOKIES
+                or (hasattr(request, 'user') and request.user.is_authenticated)
+            )
         ):
             response.delete_cookie(PASSIVE_TRIED_COOKIE)
         return response

tests/test_sso_slo.py

@@ -717,12 +717,14 @@ def test_passive_auth_middleware_ok(db, app, idp, caplog, settings):
     url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
     response = app.post(reverse('mellon_login'), params={'SAMLResponse': body, 'RelayState': relay_state})
     assert app.session['mellon_opened_session_cookie'] == '5678'
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
     assert '_auth_user_id' in app.session
     # ok change the idp session id
     app.set_cookie('IDP_SESSION', '1234')
     # if we try a request, we are logged out and redirected to try a new passive login
     response = app.get('/', headers={'Accept': 'text/html'}, status=302)
     assert '_auth_user_id' not in app.session
+    assert 'MELLON_PASSIVE_TRIED' in app.cookies
 
 
 def test_passive_auth_middleware_no_passive_auth_parameter(db, app, idp, caplog, settings):