Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add option to use server validated sessions #14

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

add option to use server validated sessions #14

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1be8d45
add option to use server validated sessions
claquesous Dec 14, 2015
599894c
Merge branch 'master' into user_sessions
claquesous Feb 4, 2016
667386b
Merge branch 'master' into user_sessions
claquesous Jun 22, 2016
665dd66
Merge branch 'master' into user_sessions
claquesous Dec 30, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion onelogin-saml-sso/php/configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,13 +156,17 @@ function onelogin_saml_configuration() {
'onelogin_saml_advanced_settings_want_message_signed' => __('Reject Unsigned Messages', 'onelogin-saml-sso'),
'onelogin_saml_advanced_settings_want_assertion_signed' => __('Reject Unsigned Assertions', 'onelogin-saml-sso'),
'onelogin_saml_advanced_settings_want_assertion_encrypted' => __('Reject Unencrypted Assertions', 'onelogin-saml-sso'),
'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso')
'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso'),
'onelogin_saml_advanced_settings_use_server_sessions' => __('Use Server Sessions', 'onelogin-saml-sso'),
);
foreach ($mapping_fields as $name => $description) {
register_setting($option_group, $name);
add_settings_field($name, $description, "plugin_setting_boolean_$name", $option_group, 'advanced_settings');
}

register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout');
add_settings_field('onelogin_saml_advanced_settings_server_session_timeout', __('Server Session Timeout', 'onelogin-saml-sso'), "plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout", $option_group, 'advanced_settings');

register_setting($option_group, 'onelogin_saml_advanced_nameidformat');
add_settings_field('onelogin_saml_advanced_nameidformat', __('NameIDFormat', 'onelogin-saml-sso'), "plugin_setting_select_onelogin_saml_advanced_nameidformat", $option_group, 'advanced_settings');

Expand Down Expand Up @@ -454,6 +458,19 @@ function plugin_setting_boolean_onelogin_saml_advanced_settings_retrieve_paramet
'<p class="description">'.__('Sometimes when the app is behind a firewall or proxy, the query parameters can be modified an this affects the signature validation process on HTTP-Redirectbinding. Active this when you noticed signature validation failures, the plugin will try to extract the original query parameters.', 'onelogin-saml-sso').'</p>';
}

function plugin_setting_boolean_onelogin_saml_advanced_settings_use_server_sessions() {
$value = get_option('onelogin_saml_advanced_settings_use_server_sessions', false);
echo '<input type="checkbox" name="onelogin_saml_advanced_settings_use_server_sessions" id="onelogin_saml_advanced_settings_use_server_sessions"
'.($value ? 'checked="checked"': '').'>'.
'<p class="description">'.__('Use server sessions to ensure a user may only have one active login at any time, and that their session is cleared on logout.', 'onelogin-saml-sso').'</p>';
}

function plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout() {
echo '<input type="text" name="onelogin_saml_advanced_settings_server_session_timeout" id="onelogin_saml_advanced_settings_server_session_timeout"
value= "'.get_option('onelogin_saml_advanced_settings_server_session_timeout').'" size="30">'.
'<p class="description">'.__('Timeout value in seconds at which point the user session becomes invalid. (Defaults to one year if unset.)', 'onelogin-saml-sso').'</p>';
}

function plugin_setting_select_onelogin_saml_advanced_nameidformat() {
$nameidformat_value = get_option('onelogin_saml_advanced_nameidformat');
$posible_nameidformat_values = array(
Expand Down
58 changes: 54 additions & 4 deletions onelogin-saml-sso/php/functions.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,14 +56,35 @@ function saml_user_register() {
}

function saml_sso() {
if (is_user_logged_in()) {
return true;
$force_authentication = false;
$user_id = get_current_user_id();
if ($user_id!==0) {
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
if (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
$session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
$nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
$logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
$timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
$timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session && time() - $logintime < $timeout ) {
return true;
}
$force_authentication = true;
}
} else {
return true;
}
}
if ( defined('DOING_AJAX') && DOING_AJAX) {
http_response_code(401);
exit();
}
$auth = initialize_saml();
if (isset($_SERVER['REQUEST_URI']) && !isset($_GET['saml_sso'])) {
$auth->login($_SERVER['REQUEST_URI']);
$auth->login($_SERVER['REQUEST_URI'], [], $force_authentication);
} else {
$auth->login();
$auth->login(null, [], $force_authentication);
}
exit();
}
Expand Down Expand Up @@ -263,6 +284,15 @@ function saml_acs() {
} else if ($user_id) {
wp_set_current_user($user_id);
wp_set_auth_cookie($user_id);
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
add_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, $auth->getSessionIndex());
add_user_meta($user_id, 'saml_nameid' . $idp_suffix, $auth->getNameId());
add_user_meta($user_id, 'saml_login_time' . $idp_suffix, time());
}
setcookie('saml_login', 1, time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
#do_action('wp_login', $user_id);
#wp_signon($user_id);
Expand Down Expand Up @@ -299,10 +329,30 @@ function saml_sls() {
}
$errors = $auth->getErrors();
if (empty($errors)) {
$user_id = get_current_user_id();
wp_logout();
setcookie('saml_login', 0, time() - 3600, SITECOOKIEPATH );
setcookie('saml_nameid', null, time() - 3600, SITECOOKIEPATH );
setcookie('saml_sessionindex', null, time() - 3600, SITECOOKIEPATH );
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
$logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
$timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
$timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
if (time() - $logintime >= $timeout ) {
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
} elseif (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
$session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
$nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session) {
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
}
}
}

if (get_option('onelogin_saml_forcelogin') && get_option('onelogin_saml_customize_stay_in_wordpress_after_slo')) {
wp_redirect(home_url().'/wp-login.php?loggedout=true');
Expand Down