Skip to content

Session adjustment to CAS/Client.php for Mahara 15.04 #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
robertlyon777 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Session adjustment to CAS/Client.php for Mahara 15.04 #9

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
137 changes: 77 additions & 60 deletions CAS/CAS/Client.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -881,6 +881,7 @@ public function __construct(
$server_uri,
$changeSessionID = true
) {
global $SESSION;
// Argument validation
if (gettype($server_version) != 'string')
throw new CAS_TypeMismatchException($server_version, '$server_version', 'string');
Expand Down Expand Up @@ -911,14 +912,14 @@ public function __construct(

// Make cookie handling available.
if ($this->isProxy()) {
if (!isset($_SESSION['phpCAS'])) {
$_SESSION['phpCAS'] = array();
if ($SESSION->get('phpCAS') == null) {
$SESSION->set('phpCAS', array());
}
if (!isset($_SESSION['phpCAS']['service_cookies'])) {
$_SESSION['phpCAS']['service_cookies'] = array();
if ($SESSION->get('phpCAS/service_cookies') == null) {
$SESSION->set('phpCAS/service_cookies', array());
}
$this->_serviceCookieJar = new CAS_CookieJar(
$_SESSION['phpCAS']['service_cookies']
$SESSION->get('phpCAS/service_cookies')
);
}

Expand Down Expand Up @@ -1218,10 +1219,11 @@ public function getAttribute($key)
*/
public function renewAuthentication()
{
global $SESSION;
phpCAS::traceBegin();
// Either way, the user is authenticated by CAS
if (isset( $_SESSION['phpCAS']['auth_checked'])) {
unset($_SESSION['phpCAS']['auth_checked']);
if ($SESSION->get('phpCAS/auth_checked') != null) {
$SESSION->set('phpCAS/auth_checked', null);
}
if ( $this->isAuthenticated() ) {
phpCAS::trace('user already authenticated; renew');
Expand All @@ -1240,6 +1242,7 @@ public function renewAuthentication()
*/
public function forceAuthentication()
{
global $SESSION;
phpCAS::traceBegin();

if ( $this->isAuthenticated() ) {
Expand All @@ -1248,8 +1251,8 @@ public function forceAuthentication()
$res = true;
} else {
// the user is not authenticated, redirect to the CAS server
if (isset($_SESSION['phpCAS']['auth_checked'])) {
unset($_SESSION['phpCAS']['auth_checked']);
if ($SESSION->get('phpCAS/auth_checked') != null) {
$SESSION->set('phpCAS/auth_checked', null);
}
$this->redirectToCas(false/* no gateway */);
// never reached
Expand Down Expand Up @@ -1291,36 +1294,37 @@ public function setCacheTimesForAuthRecheck($n)
*/
public function checkAuthentication()
{
global $SESSION;
phpCAS::traceBegin();
$res = false;
if ( $this->isAuthenticated() ) {
phpCAS::trace('user is authenticated');
/* The 'auth_checked' variable is removed just in case it's set. */
unset($_SESSION['phpCAS']['auth_checked']);
$SESSION->set('phpCAS/auth_checked', null);
$res = true;
} else if (isset($_SESSION['phpCAS']['auth_checked'])) {
} else if ($SESSION->get('phpCAS/auth_checked') != null) {
// the previous request has redirected the client to the CAS server
// with gateway=true
unset($_SESSION['phpCAS']['auth_checked']);
$SESSION->set('phpCAS/auth_checked', null);
$res = false;
} else {
// avoid a check against CAS on every request
if (!isset($_SESSION['phpCAS']['unauth_count'])) {
$_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized
if ($SESSION->get('phpCAS/unauth_count') == null) {
$SESSION->set('phpCAS/unauth_count', -2); // uninitialized
}

if (($_SESSION['phpCAS']['unauth_count'] != -2
if (($SESSION->get('phpCAS/unauth_count') != -2
&& $this->_cache_times_for_auth_recheck == -1)
|| ($_SESSION['phpCAS']['unauth_count'] >= 0
&& $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck)
|| ($SESSION->get('phpCAS/unauth_count') >= 0
&& $SESSION->get('phpCAS/unauth_count') < $this->_cache_times_for_auth_recheck)
) {
$res = false;

if ($this->_cache_times_for_auth_recheck != -1) {
$_SESSION['phpCAS']['unauth_count']++;
$SESSION->set('phpCAS/unauth_count', $SESSION->get('phpCAS/unauth_count') + 1);
phpCAS::trace(
'user is not authenticated (cached for '
.$_SESSION['phpCAS']['unauth_count'].' times of '
.$SESSION->get('phpCAS/unauth_count').' times of '
.$this->_cache_times_for_auth_recheck.')'
);
} else {
Expand All @@ -1329,8 +1333,8 @@ public function checkAuthentication()
);
}
} else {
$_SESSION['phpCAS']['unauth_count'] = 0;
$_SESSION['phpCAS']['auth_checked'] = true;
$SESSION->set('phpCAS/unauth_count', 0);
$SESSION->set('phpCAS/auth_checked', true);
phpCAS::trace('user is not authenticated (cache reset)');
$this->redirectToCas(true/* gateway */);
// never reached
Expand All @@ -1350,6 +1354,7 @@ public function checkAuthentication()
*/
public function isAuthenticated()
{
global $SESSION;
phpCAS::traceBegin();
$res = false;
$validate_url = '';
Expand Down Expand Up @@ -1394,7 +1399,7 @@ public function isAuthenticated()
phpCAS::trace(
'CAS 1.0 ticket `'.$this->getTicket().'\' was validated'
);
$_SESSION['phpCAS']['user'] = $this->_getUser();
$SESSION->set('phpCAS/user', $this->_getUser());
$res = true;
$logoutTicket = $this->getTicket();
break;
Expand All @@ -1415,15 +1420,15 @@ public function isAuthenticated()
$validate_url, $text_response, $tree_response
); // idem
phpCAS::trace('PGT `'.$this->_getPGT().'\' was validated');
$_SESSION['phpCAS']['pgt'] = $this->_getPGT();
$SESSION->set('phpCAS/pgt', $this->_getPGT());
}
$_SESSION['phpCAS']['user'] = $this->_getUser();
$SESSION->set('phpCAS/user', $this->_getUser());
if (!empty($this->_attributes)) {
$_SESSION['phpCAS']['attributes'] = $this->_attributes;
$SESSION->set('phpCAS/attributes', $this->_attributes);
}
$proxies = $this->getProxies();
if (!empty($proxies)) {
$_SESSION['phpCAS']['proxies'] = $this->getProxies();
$SESSION->set('phpCAS/proxies', $this->getProxies());
}
$res = true;
$logoutTicket = $this->getTicket();
Expand All @@ -1439,8 +1444,8 @@ public function isAuthenticated()
phpCAS::trace(
'SAML 1.1 ticket `'.$this->getTicket().'\' was validated'
);
$_SESSION['phpCAS']['user'] = $this->_getUser();
$_SESSION['phpCAS']['attributes'] = $this->_attributes;
$SESSION->set('phpCAS/user', $this->_getUser());
$SESSION->set('phpCAS/attributes', $this->_attributes);
$res = true;
$logoutTicket = $this->getTicket();
break;
Expand Down Expand Up @@ -1488,11 +1493,12 @@ public function isAuthenticated()
/**
* This method tells if the current session is authenticated.
*
* @return true if authenticated based soley on $_SESSION variable
* @return true if authenticated based soley on $SESSION variable
*/
public function isSessionAuthenticated ()
{
return !empty($_SESSION['phpCAS']['user']);
global $SESSION;
return !empty($SESSION->get('phpCAS/user'));
}

/**
Expand All @@ -1505,6 +1511,7 @@ public function isSessionAuthenticated ()
*/
private function _wasPreviouslyAuthenticated()
{
global $SESSION;
phpCAS::traceBegin();

if ( $this->_isCallbackMode() ) {
Expand All @@ -1520,50 +1527,58 @@ private function _wasPreviouslyAuthenticated()
if ( $this->isProxy() ) {
// CAS proxy: username and PGT must be present
if ( $this->isSessionAuthenticated()
&& !empty($_SESSION['phpCAS']['pgt'])
&& !empty($SESSION->get('phpCAS/pgt'))
) {
// authentication already done
$this->_setUser($_SESSION['phpCAS']['user']);
if (isset($_SESSION['phpCAS']['attributes'])) {
$this->setAttributes($_SESSION['phpCAS']['attributes']);
$this->_setUser($SESSION->get('phpCAS/user'));
if ($SESSION->get('phpCAS/attributes') != null) {
$this->setAttributes($SESSION->get('phpCAS/attributes'));
}
$this->_setPGT($_SESSION['phpCAS']['pgt']);
$this->_setPGT($SESSION->get('phpCAS/pgt'));
phpCAS::trace(
'user = `'.$_SESSION['phpCAS']['user'].'\', PGT = `'
.$_SESSION['phpCAS']['pgt'].'\''
'user = '.$SESSION->get('phpCAS/user').'\', PGT = '
.$SESSION->get('phpCAS/pgt').'\''
);

// Include the list of proxies
if (isset($_SESSION['phpCAS']['proxies'])) {
$this->_setProxies($_SESSION['phpCAS']['proxies']);
if ($SESSION->get('phpCAS/proxies') != null) {
$this->_setProxies($SESSION->get('phpCAS/proxies'));
phpCAS::trace(
'proxies = "'
.implode('", "', $_SESSION['phpCAS']['proxies']).'"'
.implode('", "', $SESSION->get('phpCAS/proxies')).'"'
);
}

$auth = true;
} elseif ( $this->isSessionAuthenticated()
&& empty($_SESSION['phpCAS']['pgt'])
&& empty($SESSION->get('phpCAS/pgt'))
) {
// these two variables should be empty or not empty at the same time
phpCAS::trace(
'username found (`'.$_SESSION['phpCAS']['user']
'username found (`'.$SESSION->get('phpCAS/user')
.'\') but PGT is empty'
);
// unset all tickets to enforce authentication
unset($_SESSION['phpCAS']);
$SESSION->set('phpCAS', null);
$SESSION->set('phpCAS/user', null);
$SESSION->set('phpCAS/attributes', null);
$SESSION->set('phpCAS/pgt', null);
$SESSION->set('phpCAS/proxies', null);
$this->setTicket('');
} elseif ( !$this->isSessionAuthenticated()
&& !empty($_SESSION['phpCAS']['pgt'])
&& !empty($SESSION->get('phpCAS/pgt'))
) {
// these two variables should be empty or not empty at the same time
phpCAS::trace(
'PGT found (`'.$_SESSION['phpCAS']['pgt']
'PGT found (`'.$SESSION->get('phpCAS/pgt')
.'\') but username is empty'
);
// unset all tickets to enforce authentication
unset($_SESSION['phpCAS']);
$SESSION->set('phpCAS', null);
$SESSION->set('phpCAS/user', null);
$SESSION->set('phpCAS/attributes', null);
$SESSION->set('phpCAS/pgt', null);
$SESSION->set('phpCAS/proxies', null);
$this->setTicket('');
} else {
phpCAS::trace('neither user nor PGT found');
Expand All @@ -1572,18 +1587,18 @@ private function _wasPreviouslyAuthenticated()
// `simple' CAS client (not a proxy): username must be present
if ( $this->isSessionAuthenticated() ) {
// authentication already done
$this->_setUser($_SESSION['phpCAS']['user']);
if (isset($_SESSION['phpCAS']['attributes'])) {
$this->setAttributes($_SESSION['phpCAS']['attributes']);
$this->_setUser($SESSION->get('phpCAS/user'));
if ($SESSION->get('phpCAS/attributes') != null) {
$this->setAttributes($SESSION->get('phpCAS/attributes'));
}
phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\'');
phpCAS::trace('user = `'.$SESSION->get('phpCAS/user').'\'');

// Include the list of proxies
if (isset($_SESSION['phpCAS']['proxies'])) {
$this->_setProxies($_SESSION['phpCAS']['proxies']);
if ($SESSION->get('phpCAS/proxies') != null) {
$this->_setProxies($SESSION->get('phpCAS/proxies'));
phpCAS::trace(
'proxies = "'
.implode('", "', $_SESSION['phpCAS']['proxies']).'"'
.implode('", "', $SESSION->get('phpCAS/proxies')).'"'
);
}

Expand Down Expand Up @@ -1637,6 +1652,7 @@ public function redirectToCas($gateway=false,$renew=false)
*/
public function logout($params)
{
global $SESSION;
phpCAS::traceBegin();
$cas_url = $this->getServerLogoutURL();
$paramSeparator = '?';
Expand All @@ -1652,8 +1668,7 @@ public function logout($params)
header('Location: '.$cas_url);
phpCAS::trace("Prepare redirect to : ".$cas_url);

session_unset();
session_destroy();
$SESSION->destroy_session();
$lang = $this->getLangObj();
$this->printHTMLHeader($lang->getLogout());
printf('<p>'.$lang->getShouldHaveBeenRedirected(). '</p>', $cas_url);
Expand Down Expand Up @@ -1684,6 +1699,7 @@ private function _isLogoutRequest()
*/
public function handleLogoutRequests($check_client=true, $allowed_clients=false)
{
global $SESSION;
phpCAS::traceBegin();
if (!$this->_isLogoutRequest()) {
phpCAS::trace("Not a logout request");
Expand Down Expand Up @@ -1764,7 +1780,7 @@ public function handleLogoutRequests($check_client=true, $allowed_clients=false)
// destroy a possible application session created before phpcas
if (session_id() !== "") {
session_unset();
session_destroy();
$SESSION->destroy_session();
}
// fix session ID
session_id($session_id);
Expand All @@ -1774,7 +1790,7 @@ public function handleLogoutRequests($check_client=true, $allowed_clients=false)
// Overwrite session
session_start();
session_unset();
session_destroy();
$SESSION->destroy_session();
phpCAS::trace("Session ". $session_id . " destroyed");
}
} else {
Expand Down Expand Up @@ -3575,19 +3591,20 @@ private function _buildQueryUrl($url, $query)
*/
private function _renameSession($ticket)
{
global $SESSION;
phpCAS::traceBegin();
if ($this->getChangeSessionID()) {
if (!empty($this->_user)) {
$old_session = $_SESSION;
$old_session = $SESSION;
phpCAS :: trace("Killing session: ". session_id());
session_destroy();
$SESSION->destroy_session();
// set up a new session, of name based on the ticket
$session_id = preg_replace('/[^a-zA-Z0-9\-]/', '', $ticket);
phpCAS :: trace("Starting session: ". $session_id);
session_id($session_id);
session_start();
phpCAS :: trace("Restoring old session vars");
$_SESSION = $old_session;
$SESSION = $old_session;
} else {
phpCAS :: error(
'Session should only be renamed after successfull authentication'
Expand Down