From 1be8d450407b3662e89541f21e36c2ac06a4270b Mon Sep 17 00:00:00 2001
From: Geoff Crew
Date: Mon, 14 Dec 2015 17:03:36 -0500
Subject: [PATCH] add option to use server validated sessions
---
 onelogin-saml-sso/php/configuration.php | 19 +++++++-
 onelogin-saml-sso/php/functions.php | 58 +++++++++++++++++++++++--
 2 files changed, 72 insertions(+), 5 deletions(-)
diff --git a/onelogin-saml-sso/php/configuration.php b/onelogin-saml-sso/php/configuration.php
index fa83556..08cf73d 100644
--- a/onelogin-saml-sso/php/configuration.php
+++ b/onelogin-saml-sso/php/configuration.php
@@ -152,13 +152,17 @@ function onelogin_saml_configuration() {
 'onelogin_saml_advanced_settings_want_message_signed' => __('Reject Unsigned Messages', 'onelogin-saml-sso'),
 'onelogin_saml_advanced_settings_want_assertion_signed' => __('Reject Unsigned Assertions', 'onelogin-saml-sso'),
 'onelogin_saml_advanced_settings_want_assertion_encrypted' => __('Reject Unencrypted Assertions', 'onelogin-saml-sso'),
- 'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso')
+ 'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso'),
+ 'onelogin_saml_advanced_settings_use_server_sessions' => __('Use Server Sessions', 'onelogin-saml-sso'),
 );
 foreach ($mapping_fields as $name => $description) {
 register_setting($option_group, $name);
 add_settings_field($name, $description, "plugin_setting_boolean_$name", $option_group, 'advanced_settings');
 }
+ register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout');
+ add_settings_field('onelogin_saml_advanced_settings_server_session_timeout', __('Server Session Timeout', 'onelogin-saml-sso'), "plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout", $option_group, 'advanced_settings');
+
 register_setting($option_group, 'onelogin_saml_advanced_nameidformat');
 add_settings_field('onelogin_saml_advanced_nameidformat', __('NameIDFormat', 'onelogin-saml-sso'), "plugin_setting_select_onelogin_saml_advanced_nameidformat", $option_group, 'advanced_settings');
@@ -439,6 +443,19 @@ function plugin_setting_boolean_onelogin_saml_advanced_settings_retrieve_paramet
 '
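Review bot: `register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout');` registers the new timeout option with no sanitize callback, so whatever is typed into the settings form is stored verbatim. The consumer in saml_sso() casts the stored value with `(int)` and only substitutes the one-year default when the result is exactly 0, so a negative or malformed entry (constructed examples: `-5`, or `1h` which casts to 1) is accepted and then forces re-authentication on every request, while a non-numeric string silently becomes the default. Passing WordPress's `absint` as the sanitize callback, `register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout', 'absint');`, keeps the stored value a non-negative integer at the point of entry. onelogin_saml_configuration() starts before and continues after this hunk.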

'.__('Sometimes when the app is behind a firewall or proxy, the query parameters can be modified an this affects the signature validation process on HTTP-Redirectbinding. Active this when you noticed signature validation failures, the plugin will try to extract the original query parameters.', 'onelogin-saml-sso').'

'; } + function plugin_setting_boolean_onelogin_saml_advanced_settings_use_server_sessions() { + $value = get_option('onelogin_saml_advanced_settings_use_server_sessions', false); + echo ''. + '

'.__('Use server sessions to ensure a user may only have one active login at any time, and that their session is cleared on logout.', 'onelogin-saml-sso').'

'; + } + + function plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout() { + echo ''. + '

'.__('Timeout value in seconds at which point the user session becomes invalid. (Defaults to one year if unset.)', 'onelogin-saml-sso').'

'; } + function plugin_setting_select_onelogin_saml_advanced_nameidformat() {
 $nameidformat_value = get_option('onelogin_saml_advanced_nameidformat');
 $posible_nameidformat_values = array(
diff --git a/onelogin-saml-sso/php/functions.php b/onelogin-saml-sso/php/functions.php
index 1470cd0..b020bba 100644
--- a/onelogin-saml-sso/php/functions.php
+++ b/onelogin-saml-sso/php/functions.php
@@ -44,14 +44,35 @@ function saml_user_register() {
 }
 function saml_sso() {
- if (is_user_logged_in()) {
- return true;
+ $force_authentication = false;
+ $user_id = get_current_user_id();
+ if ($user_id!==0) {
+ if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
+ if (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
+ $idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
+ $session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
+ $nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
+ $logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
+ $timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
+ $timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
+ if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session && time() - $logintime < $timeout ) {
+ return true;
+ }
+ $force_authentication = true;
+ }
+ } else {
+ return true;
+ }
+ }
+ if ( defined('DOING_AJAX') && DOING_AJAX) {
+ http_response_code(401);
+ exit();
 }
 $auth = initialize_saml();
 if (isset($_SERVER['REQUEST_URI'])) {
- $auth->login($_SERVER['REQUEST_URI']);
+ $auth->login($_SERVER['REQUEST_URI'], [], $force_authentication);
 } else {
- $auth->login();
+ $auth->login(null, [], $force_authentication);
 }
 exit();
 }
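Review bot: plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout() echoes its field without reading the stored option, unlike plugin_setting_boolean_onelogin_saml_advanced_settings_use_server_sessions() directly above it, which does `$value = get_option(...)` first. The input markup itself is not visible in this patch, but if its value attribute is not populated from the option, the box renders empty on every visit to the settings page and saving the advanced-settings form overwrites a previously configured timeout with an empty string, which saml_sso() then treats as the one-year default. Suggest `$value = get_option('onelogin_saml_advanced_settings_server_session_timeout', '');` and emitting it as the input's value through `esc_attr($value)`.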
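Review bot: In saml_sso() the `isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])` check has no else branch, so a logged-in WordPress user whose two SAML cookies are absent falls through to `$auth->login(...)` with `$force_authentication` still false, while a present-but-mismatched pair requests ForceAuthn; in both cases the plugin cannot tie this browser to the stored session, so they should be treated alike with `} else { $force_authentication = true; }` after the mismatch block, otherwise an IdP that still holds a live SSO session may re-establish the login without prompting. `$logintime` comes back from get_user_meta() as a string (empty when no meta exists yet), so `time() - $logintime` should read `time() - (int) $logintime`; the same applies to the copy of this computation in the saml_sls() hunk below. Since `$timeout` is already cast, `$timeout === 0` is the stricter form consistent with the `===` comparisons on the same condition.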
@@ -288,6 +309,15 @@ function saml_acs() {
 } else if ($user_id) {
 wp_set_current_user($user_id);
 wp_set_auth_cookie($user_id);
+ if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
+ $idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
+ delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
+ add_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, $auth->getSessionIndex());
+ add_user_meta($user_id, 'saml_nameid' . $idp_suffix, $auth->getNameId());
+ add_user_meta($user_id, 'saml_login_time' . $idp_suffix, time());
+ }
 setcookie('saml_login', 1, time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
 #do_action('wp_login', $user_id);
 #wp_signon($user_id);
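Review bot: The three `delete_user_meta` / `add_user_meta` pairs in saml_acs() can each be a single `update_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, $auth->getSessionIndex());` (and likewise for `saml_nameid` and `saml_login_time`); `update_user_meta` creates the key when absent and replaces it otherwise, and it removes the window between the delete and the add during which the user has no stored session at all. `getSessionIndex()` may return null when the assertion carries no SessionIndex, which is optional in SAML; an empty value would then be stored and the later `$_COOKIE['saml_sessionindex']===$session` check in saml_sso() would be comparing the cookie against an empty stored value, so consider treating a missing SessionIndex as a failure to establish a server session rather than recording it. The else-if chain this block sits in starts and ends outside the hunk.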
@@ -319,10 +349,30 @@ function saml_sls() {
 $auth->processSLO(false, null, $retrieve_parameters_from_server);
 $errors = $auth->getErrors();
 if (empty($errors)) {
+ $user_id = get_current_user_id();
 wp_logout();
 setcookie('saml_login', 0, time() - 3600, SITECOOKIEPATH );
 setcookie('saml_nameid', null, time() - 3600, SITECOOKIEPATH );
 setcookie('saml_sessionindex', null, time() - 3600, SITECOOKIEPATH );
+ if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
+ $idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
+ $logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
+ $timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
+ $timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
+ if (time() - $logintime >= $timeout ) {
+ delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
+ } elseif (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
+ $session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
+ $nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
+ if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session) {
+ delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
+ delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
+ }
+ }
+ }
 if (get_option('onelogin_saml_forcelogin') && get_option('onelogin_saml_customize_stay_in_wordpress_after_slo')) {
 wp_redirect(home_url().'/wp-login.php?loggedout=true');