Commit 2db26fb5 authored by Andjelko Horvat's avatar Andjelko Horvat

Add session check function (issue #568).

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3268 44740490-163a-0410-bde0-09ae8108e29a
parent ceab2397
...@@ -290,6 +290,14 @@ $config = array ( ...@@ -290,6 +290,14 @@ $config = array (
*/ */
'session.authtoken.cookiename' => 'SimpleSAMLAuthToken', 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
/**
* Custom function for session checking called on session init and loading.
* See docs/simplesamlphp-advancedfeatures.txt for function code example.
*
* Example:
* 'session.check_function' => array('sspmod_example_Util', 'checkSession'),
*/
/* /*
* Languages available, RTL languages, and what language is default * Languages available, RTL languages, and what language is default
*/ */
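Review bot: The new config comment does not state the contract that the Session code actually enforces, so an operator writing their own function has to read lib/SimpleSAML/Session.php to learn it. From the accompanying Session.php change the callable is invoked as `checkSession($session, TRUE)` when a session is created and as `checkSession($session)` when an existing session is loaded, and on load only a strict `TRUE` keeps the session (any other return, including `1` or `NULL`, discards it); the option is also read with `getArray`, so a plain string function name is not accepted. I'd extend the comment with `* Called as ($session, TRUE) on session creation and as ($session) on load.`, `* On load it must return exactly TRUE, otherwise the session is rejected.` and `* The value must be an array callable, not a string function name.`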
...@@ -171,6 +171,56 @@ There is also an additional fallback for the private key and the certificate. If ...@@ -171,6 +171,56 @@ There is also an additional fallback for the private key and the certificate. If
Session checking function
-------------------------
Optional session checking function, called on session init and loading, defined with 'session.check_function' in config.php.
Example code for the function with GeoIP country check:
public static function checkSession($session, $init = FALSE) {
$data_type = 'example:check_session';
$data_key = 'remote_addr';
$remote_addr = NULL;
if (!empty($_SERVER['REMOTE_ADDR'])) {
$remote_addr = (string)$_SERVER['REMOTE_ADDR'];
}
if ($init) {
$session->setData($data_type, $data_key, $remote_addr);
return;
}
if (!function_exists('geoip_country_code_by_name')) {
SimpleSAML_Logger::warning('geoip php module required.');
return TRUE;
}
$stored_remote_addr = $session->getData($data_type, $data_key);
if ($stored_remote_addr === NULL) {
SimpleSAML_Logger::warning('Stored data not found.');
return FALSE;
}
$country_a = geoip_country_code_by_name($remote_addr);
$country_b = geoip_country_code_by_name($stored_remote_addr);
if ($country_a === $country_b) {
if ($stored_remote_addr !== $remote_addr) {
$session->setData($data_type, $data_key, $remote_addr);
}
return TRUE;
}
return FALSE;
}
Support Support
------- -------
...@@ -169,6 +169,14 @@ class SimpleSAML_Session { ...@@ -169,6 +169,14 @@ class SimpleSAML_Session {
$this->dirty = TRUE; $this->dirty = TRUE;
$this->addShutdownFunction(); $this->addShutdownFunction();
/* Initialize data for session check function if defined */
$globalConfig = SimpleSAML_Configuration::getInstance();
$checkFunction = $globalConfig->getArray('session.check_function', NULL);
if (isset($checkFunction)) {
assert('is_callable($checkFunction)');
call_user_func($checkFunction, $this, TRUE);
}
} }
...@@ -1030,16 +1038,30 @@ class SimpleSAML_Session { ...@@ -1030,16 +1038,30 @@ class SimpleSAML_Session {
$session->sessionId = $sh->getCookieSessionId(); $session->sessionId = $sh->getCookieSessionId();
} }
if ($checkToken && $session->authToken !== NULL) { if ($checkToken) {
$globalConfig = SimpleSAML_Configuration::getInstance(); $globalConfig = SimpleSAML_Configuration::getInstance();
$authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken');
if (!isset($_COOKIE[$authTokenCookieName])) { if ($session->authToken !== NULL) {
SimpleSAML_Logger::warning('Missing AuthToken cookie.'); $authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename', 'SimpleSAMLAuthToken');
return NULL; if (!isset($_COOKIE[$authTokenCookieName])) {
SimpleSAML_Logger::warning('Missing AuthToken cookie.');
return NULL;
}
if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
SimpleSAML_Logger::warning('Invalid AuthToken cookie.');
return NULL;
}
} }
if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
SimpleSAML_Logger::warning('Invalid AuthToken cookie.'); /* Run session check function if defined */
return NULL; $checkFunction = $globalConfig->getArray('session.check_function', NULL);
if (isset($checkFunction)) {
assert('is_callable($checkFunction)');
$check = call_user_func($checkFunction, $session);
if ($check !== TRUE) {
SimpleSAML_Logger::warning('Session did not pass check function.');
return NULL;
}
} }
} }
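Review bot: The custom check function is only invoked inside the `if ($checkToken)` branch, so any caller that loads a session with `$checkToken` false bypasses it entirely, whereas the init-time call added to the constructor is unconditional; if skipping the check for token-less loads is intended it should be documented in the config comment, otherwise the `session.check_function` block belongs outside the token gate. Separately, `assert('is_callable($checkFunction)')` is a no-op when assertions are disabled, so a misconfigured value reaches `call_user_func`, which emits a warning and returns `NULL`; the strict `$check !== TRUE` comparison still fails closed (every session is rejected), but that silently logs out all users instead of surfacing the misconfiguration, so I'd replace the assert with `if (!is_callable($checkFunction)) { throw new Exception('session.check_function is not callable.'); }`. The rejection warning could also include something to correlate with, e.g. `SimpleSAML_Logger::warning('Session did not pass check function (session ' . $session->sessionId . ').');`, since the log line as written gives an operator nothing to investigate. The enclosing function starts before this hunk and appears to continue past it.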