SimpleSAMLphp overwrites PHP (Zend) session, doesn't happen with older SimpleSAMLphp version

Time:03-15

I had to update simplesamlphp on an old PHP server; the old version of the library was from 2010. Simplesamlphp is used as a Service Provider (SP) in an SP-initiated environment.

I replaced it with the 09/'20 release and configured it the same. It's all working except one thing.

Simplesamlphp uses the PHP session to store its own session: by design it replaces the PHP session with its own and should restore the old one once the cleanup() method is called (on the session instance), after the authentication is complete.

This is not working, but I was fine with it because it didn't matter for the user.

Now I have to implement a button to test the SAML integration on a protected page. By protected I mean it requires the user to be authenticated (through Zend Auth) to view the page; otherwise it automatically redirects (server side) the user to the homepage.

This is the code of the action of this button (to test the SAML integration), which is inside this protected controller:

    // Bootstrap the library's autoloader (path relative to this controller).
    require_once('simplesaml/lib/_autoload.php');
    // 'cie' is the authsource id configured in simplesamlphp.
    $as = new SimpleSAML_Auth_Simple('cie');
    // Redirects to the IdP if there is no SAML session yet; returns only once authenticated.
    $as->requireAuth(array(
        'saml:idp' => $idp,
    ));

    // --- user is redirected to the IdP and proceeds with authenticating...

    $attributes = $as->getAttributes();
    // Hand control back to the application's PHP session that requireAuth() put away.
    $session = \SimpleSAML\Session::getSessionFromRequest();
    if ($session) {
        $session->cleanup();
    }

What happens is:

  1. requireAuth() is called, my current session is put away and replaced with SimpleSAML's one.
  2. user is redirected to the IDP and authenticates
  3. IDP redirects the user back to my page
  4. Zend does its things before my code is run (everything after requireAuth() is never run) and before the cleanup() method is called, so the old PHP session isn't restored
  5. Zend checks the user isn't authenticated (because it's still using SimpleSAML's session) and redirects the user back to the homepage.

That said, this doesn't happen with the old library from 2010: the old PHP session is never lost, and I have no idea why. I checked everything my colleagues changed in the old library back in the day, but there isn't anything that deals with this.

Does anyone have any idea or tip I could follow? Any workaround or idea to fix this issue?

I've been desperately googling stuff for weeks, but it's so hard to find something specific.

Thank you very much, just for reading this long question.

CodePudding user response:

I managed to fix this issue very easily after many, many hours; I'll write down what I did in case it helps someone else.

My problems were:

  • simplesamlphp using the same name for the session cookie as my application (I previously already tried changing this setting, but because of the second reason below it never worked)
  • not properly cleaning simplesamlphp session in my code

So, first of all, I added a call to the cleanup method because it was missing on the real page (the code posted in my question is the test page); this is the real page, where the call to cleanup was missing:

    // Redirects to the IdP if there is no SAML session yet; returns only once authenticated.
    $as->requireAuth(array(
            'saml:idp' => $idp,
    ));

    $attributes = $as->getAttributes();
    // Hand control back to the application's PHP session that requireAuth() put away.
    $session = \SimpleSAML\Session::getSessionFromRequest();
    if ($session) {
        $session->cleanup();
    }

Without calling cleanup(), any value I put in the property session.phpsession.cookiename besides NULL (= use PHP's setting) caused the session to completely break.

So after adding cleanup() I can now specify a value for the property session.phpsession.cookiename (\config\config.php). I specified a value different from the name used by PHP (because this was the problem), that is the default value PHPSESSID:

    'session.phpsession.cookiename' => 'hSAMLses'

And now it's all working peacefully; I hope this answer helps someone, because I really struggled too much.
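Both halves of the fix above (a distinct PHP session cookie name for simplesamlphp, and always calling cleanup() after the login) can be enforced in one place. The following wrapper is an added example, not code from the question, the answer or the SimpleSAMLphp project: it fails fast at runtime if `session.phpsession.cookiename` is unset or equal to the application's own session cookie name, then performs the login and restores the application session. The authsource id `cie` and `$idp` come from the page; the function names and messages are hypothetical, and the namespaced `\SimpleSAML\Auth\Simple` class is the one shipped in 2020-era 1.x releases.

```php
<?php
// Added example, not from the page. Call this early in the request, before
// the library has touched the session, so session_name() still reports the
// application's cookie name (PHPSESSID unless Zend configured another one).
require_once __DIR__ . '/simplesaml/lib/_autoload.php';

/**
 * Throw if simplesamlphp would reuse the application's session cookie name.
 * A null 'session.phpsession.cookiename' means "use PHP's setting", which is
 * exactly the collision described in the answer: both sides then fight over
 * the same cookie and Zend sees an unauthenticated session after the IdP
 * redirects back.
 */
function assertSamlSessionCookieIsIsolated(): void
{
    $config = \SimpleSAML\Configuration::getInstance();
    $samlCookie = $config->getString('session.phpsession.cookiename', null);
    $appCookie = session_name();

    if ($samlCookie === null || $samlCookie === $appCookie) {
        throw new RuntimeException(sprintf(
            'session.phpsession.cookiename (%s) must differ from the application session cookie (%s)',
            var_export($samlCookie, true),
            $appCookie
        ));
    }
}

/**
 * Authenticate against the given IdP and return the released attributes,
 * making sure the application's PHP session is swapped back in afterwards.
 * Hypothetical helper name; the calls inside are the ones used on the page.
 */
function samlLogin(string $idp): array
{
    assertSamlSessionCookieIsIsolated();

    $as = new \SimpleSAML\Auth\Simple('cie');
    $as->requireAuth(['saml:idp' => $idp]); // redirects to the IdP if needed

    $attributes = $as->getAttributes();

    // cleanup() hands control back to the application's own session; without
    // it, Zend keeps reading simplesamlphp's session and sees no login.
    $session = \SimpleSAML\Session::getSessionFromRequest();
    if ($session) {
        $session->cleanup();
    }
    return $attributes;
}
```

Because the check throws before requireAuth() ever runs, a misconfigured cookie name surfaces as an obvious error on the test page instead of a silent redirect to the homepage.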
