add option to use server validated sessions #14

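--- a/onelogin-saml-sso/php/configuration.php
+++ b/onelogin-saml-sso/php/configuration.php
@@ -156,13 +156,17 @@ function onelogin_saml_configuration() {
 'onelogin_saml_advanced_settings_want_message_signed' => __('Reject Unsigned Messages', 'onelogin-saml-sso'),
 'onelogin_saml_advanced_settings_want_assertion_signed' => __('Reject Unsigned Assertions', 'onelogin-saml-sso'),
 'onelogin_saml_advanced_settings_want_assertion_encrypted' => __('Reject Unencrypted Assertions', 'onelogin-saml-sso'),
-'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso')
+'onelogin_saml_advanced_settings_retrieve_parameters_from_server' => __('Retrieve Parameters From Server', 'onelogin-saml-sso'),
+'onelogin_saml_advanced_settings_use_server_sessions' => __('Use Server Sessions', 'onelogin-saml-sso'),
 );
 foreach ($mapping_fields as $name => $description) {
 register_setting($option_group, $name);
 add_settings_field($name, $description, "plugin_setting_boolean_$name", $option_group, 'advanced_settings');
 }
 
+register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout');
+add_settings_field('onelogin_saml_advanced_settings_server_session_timeout', __('Server Session Timeout', 'onelogin-saml-sso'), "plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout", $option_group, 'advanced_settings');
+
 register_setting($option_group, 'onelogin_saml_advanced_nameidformat');
 add_settings_field('onelogin_saml_advanced_nameidformat', __('NameIDFormat', 'onelogin-saml-sso'), "plugin_setting_select_onelogin_saml_advanced_nameidformat", $option_group, 'advanced_settings');
 
@@ -454,6 +458,19 @@ function plugin_setting_boolean_onelogin_saml_advanced_settings_retrieve_paramet
 '<p class="description">'.__('Sometimes when the app is behind a firewall or proxy, the query parameters can be modified an this affects the signature validation process on HTTP-Redirectbinding. Active this when you noticed signature validation failures, the plugin will try to extract the original query parameters.', 'onelogin-saml-sso').'</p>';
 }
 
+function plugin_setting_boolean_onelogin_saml_advanced_settings_use_server_sessions() {
+$value = get_option('onelogin_saml_advanced_settings_use_server_sessions', false);
+echo '<input type="checkbox" name="onelogin_saml_advanced_settings_use_server_sessions" id="onelogin_saml_advanced_settings_use_server_sessions"
+'.($value ? 'checked="checked"': '').'>'.
+'<p class="description">'.__('Use server sessions to ensure a user may only have one active login at any time, and that their session is cleared on logout.', 'onelogin-saml-sso').'</p>';
+}
+
+function plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout() {
+echo '<input type="text" name="onelogin_saml_advanced_settings_server_session_timeout" id="onelogin_saml_advanced_settings_server_session_timeout"
+value= "'.get_option('onelogin_saml_advanced_settings_server_session_timeout').'" size="30">'.
+'<p class="description">'.__('Timeout value in seconds at which point the user session becomes invalid. (Defaults to one year if unset.)', 'onelogin-saml-sso').'</p>';
+}
+
 function plugin_setting_select_onelogin_saml_advanced_nameidformat() {
 $nameidformat_value = get_option('onelogin_saml_advanced_nameidformat');
 $posible_nameidformat_values = array(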
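Review bot: The new `onelogin_saml_advanced_settings_server_session_timeout` option is registered without a sanitize callback and its stored value is written straight into the `value` attribute in plugin_setting_string_onelogin_saml_advanced_settings_server_session_timeout, so whatever an administrator types is stored verbatim and echoed back unescaped. The field is a number of seconds, so sanitize on save with `register_setting($option_group, 'onelogin_saml_advanced_settings_server_session_timeout', array('sanitize_callback' => 'absint'));` and escape on output with `value="'.esc_attr(get_option('onelogin_saml_advanced_settings_server_session_timeout')).'" size="30">'.` (this also removes the stray space in `value= "`). Without sanitization a non-numeric entry is accepted here and, judging by the `(int)` cast in functions.php, silently turns into the one-year default, which the description text does not mention. onelogin_saml_configuration starts before this hunk.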
58 changes: 54 additions & 4 deletions onelogin-saml-sso/php/functions.php
Expand Up @@ -56,14 +56,35 @@ function saml_user_register() {
}

function saml_sso() {
if (is_user_logged_in()) {
return true;
$force_authentication = false;
$user_id = get_current_user_id();
if ($user_id!==0) {
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
if (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
$session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
$nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
$logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
$timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
$timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session && time() - $logintime < $timeout ) {
return true;
}
$force_authentication = true;
}
} else {
return true;
}
}
if ( defined('DOING_AJAX') && DOING_AJAX) {
http_response_code(401);
exit();
}
$auth = initialize_saml();
if (isset($_SERVER['REQUEST_URI']) && !isset($_GET['saml_sso'])) {
$auth->login($_SERVER['REQUEST_URI']);
$auth->login($_SERVER['REQUEST_URI'], [], $force_authentication);
} else {
$auth->login();
$auth->login(null, [], $force_authentication);
}
exit();
}
Expand Down Expand Up @@ -263,6 +284,15 @@ function saml_acs() {
} else if ($user_id) {
wp_set_current_user($user_id);
wp_set_auth_cookie($user_id);
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
add_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, $auth->getSessionIndex());
add_user_meta($user_id, 'saml_nameid' . $idp_suffix, $auth->getNameId());
add_user_meta($user_id, 'saml_login_time' . $idp_suffix, time());
}
setcookie('saml_login', 1, time() + YEAR_IN_SECONDS, SITECOOKIEPATH );
#do_action('wp_login', $user_id);
#wp_signon($user_id);
Expand Down Expand Up @@ -299,10 +329,30 @@ function saml_sls() {
}
$errors = $auth->getErrors();
if (empty($errors)) {
$user_id = get_current_user_id();
wp_logout();
setcookie('saml_login', 0, time() - 3600, SITECOOKIEPATH );
setcookie('saml_nameid', null, time() - 3600, SITECOOKIEPATH );
setcookie('saml_sessionindex', null, time() - 3600, SITECOOKIEPATH );
if (get_option('onelogin_saml_advanced_settings_use_server_sessions')) {
$idp_suffix = '_' . get_option('onelogin_saml_idp_entityid');
$logintime = get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);
$timeout = (int)get_option('onelogin_saml_advanced_settings_server_session_timeout', 0);
$timeout = ($timeout == 0) ? YEAR_IN_SECONDS : $timeout;
if (time() - $logintime >= $timeout ) {
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
} elseif (isset($_COOKIE['saml_nameid']) && isset($_COOKIE['saml_sessionindex'])) {
$session = get_user_meta($user_id, 'saml_sessionindex' . $idp_suffix, true);
$nameid = get_user_meta($user_id, 'saml_nameid' . $idp_suffix, true);
if ($_COOKIE['saml_nameid']===$nameid && $_COOKIE['saml_sessionindex']===$session) {
delete_user_meta($user_id, 'saml_sessionindex' . $idp_suffix);
delete_user_meta($user_id, 'saml_nameid' . $idp_suffix);
delete_user_meta($user_id, 'saml_login_time' . $idp_suffix);
}
}
}

if (get_option('onelogin_saml_forcelogin') && get_option('onelogin_saml_customize_stay_in_wordpress_after_slo')) {
wp_redirect(home_url().'/wp-login.php?loggedout=true');
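Review bot: In both saml_sso and saml_sls `$logintime` comes from `get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true)`, which returns an empty string when the key is absent (a user who logged in before the option was enabled, or `$user_id === 0` in saml_sls when nobody is logged in), and `time() - $logintime` on a non-numeric string is, as far as I can tell, a TypeError on PHP 8 rather than a silent 0. Casting at the read site fixes both places: `$logintime = (int)get_user_meta($user_id, 'saml_login_time' . $idp_suffix, true);`. Separately, when the cookie/meta comparison fails in saml_sso the code only sets `$force_authentication = true` and redirects to the IdP, leaving the existing WordPress auth cookie valid; unless saml_sso() runs on every request (the hooks are not visible here), a `wp_logout();` before the redirect would make sure a superseded session is actually terminated rather than merely re-prompted. Minor: `$timeout == 0` compares an already-cast int and can be `=== 0`. saml_acs and saml_sls both start before their hunks.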