I'm trying to create my own authentication module on SimpleSAMLphp using this class :
https://github.com/simplesamlphp/simplesamlphp/blob/v1.18.8/modules/exampleauth/lib/Auth/Source/External.php
The goal is to create an IdP initiated login so the users only have to click on a link to go to the SP.
I followed all the instructions but i can't use my own session in this class in the getUser function.
After debugging i figured my session gets overwritten by SimpleSAMLphp session.
If i break the code on the getUser function ( i called a function on a null object by accident ), my session isn't erased, which i think is weird. Maybe it resets my session on failure ?
I tried
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
and
$session = \SimpleSAML\Session::getSession();
$session->cleanup();
How can i use my own session in this situation ?
Thank you
I'm using the same SimpleSAMLphp installation for both IdP and SP ( 2 different workflows ), is this problematic ? Should i install it twice if i need both SP & IdP ?
I'm using simpleSAMLphp v1.18.8 with php5.6.
Thank you.
Related
Is it possible to tell codeigniter to skip session timeout reset if post request is coming via ajax to a particular controller function. I have a frequent ajax call inside user login dashboard to check something, but these calls keeps the session alive so even if the user stays inactive for 10 minutes (sess_expiration time) session wont be killed and they still remain logged in for ever.
If (and only IF) your Ajax call is completely session-agnostic (that is, it doesn't required to be logged in to run, it doesn't need any session data from the user, etc) you could serve the Ajax request from a separate ajax-specific controller and then inhibit the session library autoload when that specific controller is used.
If the ajax call requires a logged in user you're mostly out of luck.
However, if you meet these conditions, find the $autoload['libraries] section in application/config/autoload.php and use this dirty hack:
// Here, an array with the libraries you want/need to be loaded on every controller
$autoload['libraries'] = array('form_validation');
// Dirty hack to avoid loading the session library on controllers that don't use session data and don't require the user to have an active session
$CI =& get_instance();
// uncomment the one that fits you better
// Alternative 1: you only have a single controller that doesn't need the session library
// if ($CI->router->fetch_class() != 'dmz') array_push($autoload['libraries'], 'session');
// END alternative 1
// Alternative 2: you have more than one controller that doesn't need the session library
// if (array_search($CI->router->fetch_class(), array('dmz', 'moredmz')) === false) array_push($autoload['libraries'], 'session');
// END alternative 2
In the above code, dmz and moredmz are my two imaginary controller names that require the session library to not be loaded. Whenever these are NOT used, the session library is pushed into autoload and thus loaded. Otherwise, the session library is ignored.
I actually have this running on one of my sites in order to allow the health checks from my loadbalancer to run (once every 5 seconds on each application server, from both the primary loadbalancer and its backup) and fill up my sessions table with useless data and works like a charm.
Not sure what version of CI you're using, but the above code is tested on CI 3.1.11.
Now, as you state the Ajax call requires the session driver, the only way around this would be to mess a little with the Session driver itself. In 3.1.11, the session driver is located in system/libraries/Session/Session.php and the part you'd need to change is the final part of the constructor method (look from line 160 onwards). For this example, I'll assume your Ajax calls are handled by a specific controller called "Ajax"
// This is from line 160 onwards
elseif (isset($_COOKIE[$this->_config['cookie_name']]) && $_COOKIE[$this->_config['cookie_name']] === session_id())
{
$CI =& get_instance();
$new_validity = ($CI->router->fetch_class() !== 'ajax') ? time() + $this->_config['cookie_lifetime'] : $_SESSION['__ci_last_regenerate'] + $this->_config['cookie_lifetime'];
setcookie(
$this->_config['cookie_name'],
session_id(),
(empty($this->_config['cookie_lifetime']) ? 0 : $new_validity),
$this->_config['cookie_path'],
$this->_config['cookie_domain'],
$this->_config['cookie_secure'],
TRUE
);
}
$this->_ci_init_vars();
log_message('info', "Session: Class initialized using '".$this->_driver."' driver.");
In a nutshell, this example (haven't tested it so please do before deploying it, it may have a typo or two) will first instantiate the CI core and get the controller name from the Router. If it's a regular controller, it'll determine the new cookie validity as "now plus the cookie validity from the config". If it's the ajax controller, the cookie validity will be the same as the current validity (last regeneration time plus cookie validity.. had to reiterate it as the ternary operator requires it)
Afterwards, the setcookie is modified to use the pre-computed cookie validity depending on what the _config['cookie_lifetime'] value is.
Background: I am trying to set up single sign on (SSO) for users such that they can authenticate to my website and not have to authenticate a second time to our third-party MSP's website. Ideally, the user clicks a link on our website and is taken to the third-party site already logged in and landing on the dashboard (if the account doesn't exist, it is created during this step). We are not using SAML for authentication as a security feature, so all that we need the SAML code for is just producing cookies that prevent the user from having to log in again when he/she gets to our vendor's site. This third party MSP does not support authentication via API or web service and therefore I have been tasked with implementing SAML, their only supported SSO method. I am new to SAML (but not PHP or development) and have been learning as I go. I am told it will support the goals described above.
I initially tried using LDAP as the authentication source as this is what I use for authentication to my website, but this resulted in me getting directed to a login page with no discernible way to instead just pass parameters to SimpleSAMLphp to tell it "the user is already authenticated, all I need you to do is give me valid cookies so I can get past the third party website's authentication checks".
So I switched to writing a custom authentication module. I opened up the GitHub for SimpleSAMLphp and used the "UserPassBase" class as an example to create my own authentication module that inherits from the "Source" class. Because I don't need to re-authenticate the user against LDAP a second time since they're already logged in to our website, I created a simple "authenticate" function that just sets the $state['Attributes'] array.
Here is the code for my custom module:
<?php
namespace SimpleSAML\Module\productauth\Auth\Source;
use SimpleSAML\Auth;
/**
Author: Joey
Class developed to be used as a custom authentication module for simpleSAMLphp. This class will take an existing session from a product website and use it to create a SAML session and redirect to a website.
**/
class ProductAuth extends \SimpleSAML\Auth\Source {
const STAGEID = '\SimpleSAML\Module\productauth\Auth\ProductAuth.state';
const AUTHID = '\SimpleSAML\Module\productauth\Auth\ProductAuth.AuthId';
private $user;
public function __construct($info, $config) { // parameters aren't used, just filler from base class
$info = array("AuthId" => "productauth");
parent::__construct($info, $config);
}
public function login($user, $redirectURL) {
$this->user = $user; // normally I'd set this in the constructor, but the overload has my hands tied as far as function definitions go
$this->initLogin($redirectURL); // calls authenticate function and then, if no exceptions, parent::loginCompleted which redirects to the given URL
}
public function authenticate(&$state) { // called by parent::initLogin
$state[self::AUTHID] = $this->authId;
$state['Attributes'] = [
'uid' => [$this->user->uid],
'givenName' => [$this->user->givenName],
'sn' => [$this->user->sn],
'mail' => [$this->user->mail]
];
$id = Auth\State::saveState($state, self::STAGEID);
}
}
?>
I am calling it from a controller class on my website:
private function goToTrainingSite() {
require_once("../third-party-libs/simplesamlphp/_include.php");
global $TRAINING_URL;
$user = $_SESSION['subject']->user;
$samlObj = new SimpleSAML\Module\productauth\Auth\Source\ProductAuth(array(), array());
$samlObj->login($user, $TRAINING_URL);
}
I mimicked the flow of the "UserPassBase" class (https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/core/lib/Auth/UserPassBase.php), but it seems that despite all of my authentication working and setting a SimpleSAMLAuth cookie, when the parent::loginCompleted function in the "Source" class (https://github.com/simplesamlphp/simplesamlphp/blob/master/lib/SimpleSAML/Auth/Source.php) runs, it redirected me to the third party site. I then see the following in the logs:
SAML2.0 - IdP.SSOService: incoming authentication request: [REDACTED DATA]
Session: 'productauth' not valid because we are not authenticated.
I have been trying for 3 days to figure out why it seems as though despite setting SimpleSAML session cookies with a completed, successful authentication, that upon receiving the auth request from the SP, my SimpleSAMLphp code just pretends to not know about the completed auth and tries to authenticate again... but because it is not being called from my code, it doesn't have access to the $user variable which contains all of the attributes I need to place on the user when he/she authenticates to this third party website. It seems that when it receives an authentication request, my SimpleSAMLphp installation starts a new session and tries a brand new authentication.
I have delved into a lot of the code of SimpleSAMLphp and tried to understand what is going on, but it seems that there is just no reasonable way to authenticate by calling an authentication source from PHP code and being able to skip the SP-initiated authentication. I have tried:
Using the SimpleSAML API (https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api) to call my authentication source, but there seems to be no way to pass that $user variable I need the attributes from.
Trying to load the cookies in the "Session" class when it is checking for valid sessions... but it seems like the cookies from the successful auth session initiated by my code are just gone and nowhere to be found.
I decided to stop focusing on trying to get the $user variable and the data I needed to the second authentication, and instead focus on WHY the second authentication was even happening. I looked at the cookies and thought about how the data was being retrieved, and made a correct hunch that our application's custom session handler might be at fault for SimpleSAMLphp's inability to recognize the first authentication. Our custom session handler stores our sessions in the database, but SimpleSAMLphp expects to use the default PHP session handler to manage its session. Therefore, my first authentication was being sent to the database and when SimpleSAMLphp started looking for it where PHP sessions are usually stored, it didn't see it and assumed it needed to kick off another authentication session from scratch.
Using SimpleSAMLphp's documentation for service providers and a lot of my own debugging, I changed the function in my controller like so:
private function goToTrainingSite() {
require_once ("../third-party-libs/simplesamlphp/_include.php");
global $TRAINING_URL;
$joeySiteSession = $_SESSION;
$user = $_SESSION ['subject']->user; // save user to variable before the Joey's Site session is closed
session_write_close (); // close Joey's Site session to allow SimpleSAMLphp session to open
session_set_save_handler ( new SessionHandler (), true ); // stop using SessionHandlerJoey and use default PHP handler for SimpleSAMLphp
$samlObj = new SimpleSAML\Module\joeysiteauth\Auth\Source\JoeySiteAuth ( array (), array () );
$samlObj->login ( $user, function () { return;} ); // use custom authentication module to set atttributes and everything SimpleSAMLphp needs in the auth session/cookie
$session = \SimpleSAML\Session::getSessionFromRequest ();
$session->cleanup (); // must call this function when we are done with SimpleSAMLphp session and intend to use our Joey's Site session again
session_write_close ();
$_SESSION = $joeySiteSession; // restore Joey's Site session
header ( "Location: {$TRAINING_URL}" );
}
So in a recent problem which I was trying to solve I had to authenticate a user from a third party platform and land him/her directly into our dashboard. Ignoring how the authentication works here. The problem is after I authenticate the request I need to modify a cookie 'xyz' before redirecting it to a different route. Now when i tried to do this
setcookie('xyz', 1);
$_COOKIE['xyz'] = 1;
return redirect('/myroute');
would 0 or '' in /myroute Controller method.
But if I add 'xyz' to exceptions of my EncryptCookies middleware of laravel and do
$cookie = cookie('xyz', 1);
return redirect('/myroute')->withCookie($cookie);
That would give me the value of xyz successfully in /myroute Controller method.
What exactly is happening in the later method (the laravel way) and the first way? Its getting pretty confusing because according to what i know cookies can only be queued to be modified but are only modified after the response is returned to the client. Please point me out my mistakes and shed some light.
I have recently updated form 2.2.x to 3.0.0 with following the update procedure from codeigniter's website.
I have having real issues with the new session library - heres the issue.
We have a login section which dependant on the subdomain and user/pass credentials will give you certain privileges from ADMIN / RESELLER / CLIENT / USER
In order to determine the correct privileges for the user we have built a customer LIBRARY (location:application/library) which we have called Session_management, this library DOES NOT extend the core SESSION driver/library and never has and has no extension to another class, this library is also auto-loaded, prior to CI 3.0.0 everything was working fine.
First this the Session_management does is __construct()
$this->CI =& get_instance();
$this->CI->load->model('users');
$this->CI->load->model('clients');
$this->CI->load->model('sessions');
$this->CI->load->driver('session');
$this->CI->load->library('password_hash');
$this->CI->load->helper('url');
$this->users = $this->CI->users;
$this->clients = $this->CI->clients;
$this->sessions = $this->CI->sessions;
$this->session = $this->CI->session;
$this->password_hash = $this->CI->password_hash;
Prior to CI 3.0.0 I has no issues in using the
$this->CI->load->library('session');
but for some unknown reason (to me) I HAVE to load it through the driver
$this->CI->load->diver('session');
if someone could explain why I am having to do it this way that would be great.
When a user submits their user/pass credentials a CONTROLLER session/signin is requested which runs firstly form validation, providing everything is successfully, the Session_management login method is called.
$success = $this->session_management->login
($this->input->post('email'), $this->input->post('password'));
In the LOGIN method in the Session_management class a bunch of sessions are set using
$this->session->set_userdata();
$this->session->set_userdata('user_id', 0);
$this->session->set_userdata('user_name', '');
$this->session->set_userdata('client_id', 0);
$this->session->set_userdata('client_administrator', 0);
$this->session->set_userdata('reseller_administrator', 0);
However when I var_dump() the session for all its session data it has NOTHING and I can't why this is, no session data is there except my protected fields form the config, which I have double checked and triple checked and are working fine, my sess_save_path is storing the session files correctly, and the rest of the sess configs are also correct.
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = '/Users/******/Sites/********/tmp';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
This is a development website on my local OS X iMac, as I say prior to CI 3.0.0 everything was working fine.
Just to add before I get reply's saying "you need to use"
$this->load->library('session');
I have "HAD" to load it as a driver, I don't have a choice, I have read the documentation and have seen how to initialise the session library.
If I do attempt to load it as a library
$this->load->library('session');
This is what I get
A PHP Error was encountered
Severity: Notice
Message: Undefined property: Session::$session
Filename: libraries/Session_management.php
Line Number: 38
For your ref: line 38 is:
$this->session = $this->CI->session;
This is after trying to load the session library
$this->CI->load->library('session');
Also to add to this message re: Database sessions / File session.
Database sessions were my first option, a have revamp the database columns and indexes to suit CI 3.0.0 as the documentation mentions and session were and are storing in the database table when I change my config to use the database, however reading the performance differences between File sessions against Database sessions under high load, File sessions will out perform database session and since the website / platform I am creating will be under high load, database sessions aren't the way forward.
As a note: The website runs under a subdomain.domain.*** structure where subdomain is registered as a company name upon a company registration i.e
mycompany.mywebsiteurl.com
anothercompany.mywebsiteurl.com
As previously mention - prior to my update to CI 3.0.0 it was working fine.
Might I also add: I have checked my log files, I am running tail -f for live log updates - and it don't see any log issues.
Any help, information or anything that could possible put me in the right direction would be appreciated.
I have also posted on the CI forum.
A fresh copy of CI 3.0.0 with necessary files and configs transferred across didn't solve my problem/issue.
What seems to be the whole cause of the problem was the fact I had a controller call Sesssion.php which is named the same as the Driver file.
When CI (Codeigniter) calls
$this->load->library('session')
there are a few checks done before CI knows that you want to actually load the CI_Session class ... class_exists('Session') returns TRUE and it stops there in order to avoid a fatal error.
Hope this helps others too.
I recently created a new symfony application on the existing website. Then, in this new application, I want to read the session of old applications(something like login user id). Unfortunately, in each application, the session are completely separate(I mean the symfony session, something like $this->getUser()->getAttribute("userSession")).
I guess the symfony session is implemented using $_SESSION like:
$_SESSION = array("symfonyapp1" => array(....), "symfonyapp2" => array(....));
So I wrote $_SESSION["test"] = "testStr" in the old application and wrote var_dump($_SESSION["test"]);. The screen simply prints "null", so my guess is wrong.
Then I think maybe I can read the configuration of a certain application and then get the user of that application. So I wrote the following code in my new application:
require_once($_SERVER['DOCUMENT_ROOT'].'/../config/ProjectConfiguration.class.php');
$configuration = ProjectConfiguration::getApplicationConfiguration('frontend', 'prod', false);
$context = sfContext::createInstance($configuration);
var_dump($context->getUser()->getAttribute("userId"));
Unfortunately again, it prints "null".
I completely have no idea now. Any advice is greatly appreciated
Check session identifiers of your apps. Php's default session id is PHPSESSID and as far as I remember default session identifier for Symfony 1.4 apps is just symfony
You can change Symfony's session identifier by modyfing apps/YOUR_APP_NAME/config/factories.yml file, by setting:
all:
storage:
param:
session_name: PHPSESSID
By doing that your Symfony app will share the same session id as your old app and you will be able to read $_SESSION attributes in Symfony app