diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 369659520e505189e9f04c8ca3f62ac3e4ab6458..3f2af27c8df5f93ee7939cbe23582d1d7d660d51 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -1,166 +1,298 @@
<?php
-
/**
* The Session class holds information about a user session, and everything attached to it.
*
* The session will have a duration and validity, and also cache information about the different
- * federation protocols, as Shibboleth and SAML 2.0. On the IdP side the Session class holds
+ * federation protocols, as Shibboleth and SAML 2.0. On the IdP side the Session class holds
* information about all the currently logged in SPs. This is used when the user initiates a
* Single-Log-Out.
*
* @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
- * @package simpleSAMLphp
+ * @package SimpleSAMLphp
*/
-class SimpleSAML_Session {
-
- /**
- * This is a timeout value for setData, which indicates that the data
- * should never be deleted, i.e. lasts the whole session lifetime.
- */
- const DATA_TIMEOUT_SESSION_END = 'sessionEndTimeout';
-
-
- /**
- * The list of loaded session objects.
- *
- * This is an associative array indexed with the session id.
- *
- * @var array
- */
- private static $sessions = array();
-
-
- /**
- * This variable holds the instance of the session - Singleton approach.
- */
- private static $instance = null;
-
-
- /**
- * The session ID of this session.
- *
- * @var string|NULL
- */
- private $sessionId;
-
-
- /**
- * Transient session flag.
- *
- * @var boolean|FALSE
- */
- private $transient = FALSE;
-
-
- /**
- * The track id is a new random unique identifier that is generated for each session.
- * This is used in the debug logs and error messages to easily track more information
- * about what went wrong.
- *
- * @var int
- */
- private $trackid = 0;
-
-
- private $rememberMeExpire = null;
-
-
- /**
- * Marks a session as modified, and therefore needs to be saved before destroying
- * this object.
- *
- * @var bool
- */
+class SimpleSAML_Session
+{
+
+ /**
+ * This is a timeout value for setData, which indicates that the data
+ * should never be deleted, i.e. lasts the whole session lifetime.
+ */
+ const DATA_TIMEOUT_SESSION_END = 'sessionEndTimeout';
+
+
+ /**
+ * The list of loaded session objects.
+ *
+ * This is an associative array indexed with the session id.
+ *
+ * @var array
+ */
+ private static $sessions = array();
+
+
+ /**
+ * This variable holds the instance of the session - Singleton approach.
+ */
+ private static $instance = null;
+
+
+ /**
+ * The session ID of this session.
+ *
+ * @var string|null
+ */
+ private $sessionId;
+
+
+ /**
+ * Transient session flag.
+ *
+ * @var boolean|false
+ */
+ private $transient = false;
+
+
+ /**
+ * The track id is a new random unique identifier that is generated for each session.
+ * This is used in the debug logs and error messages to easily track more information
+ * about what went wrong.
+ *
+ * @var int
+ */
+ private $trackid = 0;
+
+
+ private $rememberMeExpire = null;
+
+
+ /**
+ * Marks a session as modified, and therefore needs to be saved before destroying
+ * this object.
+ *
+ * @var bool
+ */
private $dirty = false;
- /**
- * This is an array of objects which will expire automatically after a set time. It is used
- * where one needs to store some information - for example a logout request, but doesn't
- * want it to be stored forever.
- *
- * The data store contains three levels of nested associative arrays. The first is the data type, the
- * second is the identifier, and the third contains the expire time of the data and the data itself.
+ /**
+ * This is an array of objects which will expire automatically after a set time. It is used
+ * where one needs to store some information - for example a logout request, but doesn't
+ * want it to be stored forever.
+ *
+ * The data store contains three levels of nested associative arrays. The first is the data type, the
+ * second is the identifier, and the third contains the expire time of the data and the data itself.
*
* @var array
- */
- private $dataStore = null;
-
-
- /**
- * The list of IdP-SP associations.
- *
- * This is an associative array with the IdP id as the key, and the list of
- * associations as the value.
- *
- * @var array
- */
- private $associations = array();
-
-
- /**
- * The authentication token.
- *
- * This token is used to prevent session fixation attacks.
- *
- * @var string|NULL
- */
- private $authToken;
-
-
- /**
- * Authentication data.
- *
- * This is an array with authentication data for the various authsources.
- *
- * @var array|NULL Associative array of associative arrays.
- */
- private $authData;
-
-
- /**
- * Private constructor that restricts instantiation to getInstance().
- *
- * @param boolean $transient Whether to create a transient session or not.
- */
- private function __construct($transient = FALSE) {
-
- $this->authData = array();
-
- if ($transient) {
- $this->trackid = 'XXXXXXXXXX';
- $this->transient = TRUE;
- return;
- }
-
- $sh = SimpleSAML_SessionHandler::getSessionHandler();
- $this->sessionId = $sh->newSessionId();
-
- $this->trackid = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(5));
-
- $this->dirty = TRUE;
-
- /* Initialize data for session check function if defined */
- $globalConfig = SimpleSAML_Configuration::getInstance();
- $checkFunction = $globalConfig->getArray('session.check_function', NULL);
- if (isset($checkFunction)) {
- assert('is_callable($checkFunction)');
- call_user_func($checkFunction, $this, TRUE);
- }
- }
-
-
- /**
- * Destructor for this class. It will save the session to the session handler
- * in case the session has been marked as dirty. Do nothing otherwise.
- */
- public function __destruct() {
- if(!$this->dirty) {
- /* Session hasn't changed - don't bother saving it. */
+ */
+ private $dataStore = null;
+
+
+ /**
+ * The list of IdP-SP associations.
+ *
+ * This is an associative array with the IdP id as the key, and the list of
+ * associations as the value.
+ *
+ * @var array
+ */
+ private $associations = array();
+
+
+ /**
+ * The authentication token.
+ *
+ * This token is used to prevent session fixation attacks.
+ *
+ * @var string|null
+ */
+ private $authToken;
+
+
+ /**
+ * Authentication data.
+ *
+ * This is an array with authentication data for the various authsources.
+ *
+ * @var array|null Associative array of associative arrays.
+ */
+ private $authData;
+
+
+ /**
+ * Private constructor that restricts instantiation to either getSessionFromRequest() for the current session or
+ * getSession() for a specific one.
+ *
+ * @param boolean $transient Whether to create a transient session or not.
+ */
+ private function __construct($transient = false)
+ {
+ $this->authData = array();
+
+ if ($transient) {
+ $this->trackid = 'XXXXXXXXXX';
+ $this->transient = true;
return;
}
- $this->dirty = FALSE;
+ $sh = SimpleSAML_SessionHandler::getSessionHandler();
+ $this->sessionId = $sh->newSessionId();
+
+ $this->trackid = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(5));
+
+ $this->dirty = true;
+
+ // initialize data for session check function if defined
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+ $checkFunction = $globalConfig->getArray('session.check_function', null);
+ if (isset($checkFunction)) {
+ assert('is_callable($checkFunction)');
+ call_user_func($checkFunction, $this, true);
+ }
+ }
+
+ /**
+ * Retrieves the current session. Will create a new session if there isn't a session.
+ *
+ * @return SimpleSAML_Session The current session.
+ * @throws Exception When session couldn't be initialized and
+ * the session fallback is disabled by configuration.
+ */
+ public static function getSessionFromRequest()
+ {
+ // check if we already have initialized the session
+ if (isset(self::$instance)) {
+ return self::$instance;
+ }
+
+ // check if we have stored a session stored with the session handler
+ try {
+ self::$instance = self::getSession();
+ } catch (Exception $e) {
+ // for some reason, we were unable to initialize this session, use a transient session instead
+ self::useTransientSession();
+
+ if ($e instanceof SimpleSAML_Error_Exception) {
+ SimpleSAML_Logger::error('Error loading session:');
+ $e->logError();
+ } else {
+ SimpleSAML_Logger::error('Error loading session: '.$e->getMessage());
+ }
+
+ throw $e;
+ }
+
+ if (self::$instance !== null) {
+ return self::$instance;
+ }
+
+ // create a new session
+ self::$instance = new SimpleSAML_Session();
+ return self::$instance;
+ }
+
+ /**
+ * Load a session from the session handler.
+ *
+ * @param string|null $sessionId The session we should load, or null to load the current session.
+ *
+ * @return The session which is stored in the session handler, or null if the session wasn't found.
+ */
+ public static function getSession($sessionId = null)
+ {
+ assert('is_string($sessionId) || is_null($sessionId)');
+
+ $sh = SimpleSAML_SessionHandler::getSessionHandler();
+
+ if ($sessionId === null) {
+ $checkToken = true;
+ $sessionId = $sh->getCookieSessionId();
+ } else {
+ $checkToken = false;
+ }
+
+ if (array_key_exists($sessionId, self::$sessions)) {
+ return self::$sessions[$sessionId];
+ }
+
+ $session = $sh->loadSession($sessionId);
+ if ($session === null) {
+ return null;
+ }
+
+ assert('$session instanceof self');
+
+ if ($checkToken) {
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+
+ if ($session->authToken !== null) {
+ $authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename',
+ 'SimpleSAMLAuthToken');
+ if (!isset($_COOKIE[$authTokenCookieName])) {
+ SimpleSAML_Logger::warning('Missing AuthToken cookie.');
+ return null;
+ }
+ if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
+ SimpleSAML_Logger::warning('Invalid AuthToken cookie.');
+ return null;
+ }
+ }
+
+ // run session check function if defined
+ $checkFunction = $globalConfig->getArray('session.check_function', null);
+ if (isset($checkFunction)) {
+ assert('is_callable($checkFunction)');
+ $check = call_user_func($checkFunction, $session);
+ if ($check !== true) {
+ SimpleSAML_Logger::warning('Session did not pass check function.');
+ return null;
+ }
+ }
+ }
+
+ self::$sessions[$sessionId] = $session;
+
+ return $session;
+ }
+
+ /**
+ * Use a transient session.
+ *
+ * Create a session that should not be saved at the end of the request.
+ * Subsequent calls to getInstance() will return this transient session.
+ */
+ public static function useTransientSession()
+ {
+ if (isset(self::$instance)) {
+ // we already have a session, don't bother with a transient session
+ return;
+ }
+
+ self::$instance = new SimpleSAML_Session(true);
+ }
+
+ /**
+ * Create a new session and cache it.
+ *
+ * @param string $sessionId The new session we should create.
+ */
+ public static function createSession($sessionId)
+ {
+ assert('is_string($sessionId)');
+ self::$sessions[$sessionId] = null;
+ }
+
+ /**
+ * Destructor for this class. It will save the session to the session handler
+ * in case the session has been marked as dirty. Do nothing otherwise.
+ */
+ public function __destruct()
+ {
+ if (!$this->dirty) {
+ // session hasn't changed - don't bother saving it
+ return;
+ }
+
+ $this->dirty = false;
$sh = SimpleSAML_SessionHandler::getSessionHandler();
@@ -175,747 +307,621 @@ class SimpleSAML_Session {
}
}
+ /**
+ * Retrieve the session ID of this session.
+ *
+ * @return string|null The session ID, or null if this is a transient session.
+ */
+ public function getSessionId()
+ {
+ return $this->sessionId;
+ }
+
+ /**
+ * Retrieve if session is transient.
+ *
+ * @return boolean The session transient flag.
+ */
+ public function isTransient()
+ {
+ return $this->transient;
+ }
/**
- * Retrieves the current session. Will create a new session if there isn't a session.
- *
- * @return SimpleSAML_Session The current session.
- * @throws Exception When session couldn't be initialized and
- * the session fallback is disabled by configuration.
- */
- public static function getSessionFromRequest() {
-
- /* Check if we already have initialized the session. */
- if (isset(self::$instance)) {
- return self::$instance;
- }
-
-
- /* Check if we have stored a session stored with the session
- * handler.
- */
- try {
- self::$instance = self::getSession();
- } catch (Exception $e) {
- /* For some reason, we were unable to initialize this session. Use a transient session instead. */
- self::useTransientSession();
-
- if ($e instanceof SimpleSAML_Error_Exception) {
- SimpleSAML_Logger::error('Error loading session:');
- $e->logError();
- } else {
- SimpleSAML_Logger::error('Error loading session: ' . $e->getMessage());
- }
-
- throw $e;
- }
-
- if(self::$instance !== NULL) {
- return self::$instance;
- }
-
-
- /* Create a new session. */
- self::$instance = new SimpleSAML_Session();
- return self::$instance;
- }
-
-
- /**
- * Use a transient session.
- *
- * Create a session that should not be saved at the end of the request.
- * Subsequent calls to getInstance() will return this transient session.
- */
- public static function useTransientSession() {
-
- if (isset(self::$instance)) {
- /* We already have a session. Don't bother with a transient session. */
- return;
- }
-
- self::$instance = new SimpleSAML_Session(TRUE);
- }
-
-
- /**
- * Retrieve the session ID of this session.
- *
- * @return string|NULL The session ID, or NULL if this is a transient session.
- */
- public function getSessionId() {
-
- return $this->sessionId;
- }
-
-
- /**
- * Retrieve if session is transient.
- *
- * @return boolean The session transient flag.
- */
- public function isTransient() {
- return $this->transient;
- }
-
-
- /**
- * Get a unique ID that will be permanent for this session.
- * Used for debugging and tracing log files related to a session.
- *
- * @return string The unique ID.
- */
- public function getTrackID() {
- return $this->trackid;
- }
-
-
- /**
- * Set remember me expire time.
- *
- * @param int $expire Unix timestamp when remember me session cookies expire.
- */
- public function setRememberMeExpire($expire = NULL) {
- assert('is_int($expire) || is_null($expire)');
-
- if ($expire === NULL) {
- $globalConfig = SimpleSAML_Configuration::getInstance();
- $expire = time() + $globalConfig->getInteger('session.rememberme.lifetime', 14*86400);
- }
- $this->rememberMeExpire = $expire;
-
- $cookieParams = array('expire' => $this->rememberMeExpire);
- $this->updateSessionCookies($cookieParams);
- }
-
-
- /**
- * Get remember me expire time.
- *
- * @return integer|NULL The remember me expire time.
- */
- public function getRememberMeExpire() {
- return $this->rememberMeExpire;
- }
-
-
- /**
- * Update session cookies.
- */
- public function updateSessionCookies($params = NULL) {
- $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
-
- if ($this->sessionId !== NULL) {
- $sessionHandler->setCookie($sessionHandler->getSessionCookieName(), $this->sessionId, $params);
- }
-
- if ($this->authToken !== NULL) {
- $globalConfig = SimpleSAML_Configuration::getInstance();
- $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename',
- 'SimpleSAMLAuthToken'), $this->authToken, $params);
- }
- }
+ * Get a unique ID that will be permanent for this session.
+ * Used for debugging and tracing log files related to a session.
+ *
+ * @return string The unique ID.
+ */
+ public function getTrackID()
+ {
+ return $this->trackid;
+ }
+
+ /**
+ * Get remember me expire time.
+ *
+ * @return integer|null The remember me expire time.
+ */
+ public function getRememberMeExpire()
+ {
+ return $this->rememberMeExpire;
+ }
+ /**
+ * Set remember me expire time.
+ *
+ * @param int $expire Unix timestamp when remember me session cookies expire.
+ */
+ public function setRememberMeExpire($expire = null)
+ {
+ assert('is_int($expire) || is_null($expire)');
+
+ if ($expire === null) {
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+ $expire = time() + $globalConfig->getInteger('session.rememberme.lifetime', 14 * 86400);
+ }
+ $this->rememberMeExpire = $expire;
- /**
- * Marks the user as logged in with the specified authority.
- *
- * If the user already has logged in, the user will be logged out first.
- *
- * @param string $authority The authority the user logged in with.
- * @param array|NULL $data The authentication data for this authority.
- */
- public function doLogin($authority, array $data = NULL) {
- assert('is_string($authority)');
- assert('is_array($data) || is_null($data)');
+ $cookieParams = array('expire' => $this->rememberMeExpire);
+ $this->updateSessionCookies($cookieParams);
+ }
- SimpleSAML_Logger::debug('Session: doLogin("' . $authority . '")');
+ /**
+ * Marks the user as logged in with the specified authority.
+ *
+ * If the user already has logged in, the user will be logged out first.
+ *
+ * @param string $authority The authority the user logged in with.
+ * @param array|null $data The authentication data for this authority.
+ */
+ public function doLogin($authority, array $data = null)
+ {
+ assert('is_string($authority)');
+ assert('is_array($data) || is_null($data)');
- $this->dirty = TRUE;
+ SimpleSAML_Logger::debug('Session: doLogin("'.$authority.'")');
- if (isset($this->authData[$authority])) {
- /* We are already logged in. Log the user out first. */
- $this->doLogout($authority);
- }
+ $this->dirty = true;
+ if (isset($this->authData[$authority])) {
+ // we are already logged in, log the user out first
+ $this->doLogout($authority);
+ }
- if ($data === NULL) {
- $data = array();
- }
+ if ($data === null) {
+ $data = array();
+ }
- $data['Authority'] = $authority;
+ $data['Authority'] = $authority;
- $globalConfig = SimpleSAML_Configuration::getInstance();
- if (!isset($data['AuthnInstant'])) {
- $data['AuthnInstant'] = time();
- }
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+ if (!isset($data['AuthnInstant'])) {
+ $data['AuthnInstant'] = time();
+ }
- $maxSessionExpire = time() + $globalConfig->getInteger('session.duration', 8*60*60);
- if (!isset($data['Expire']) || $data['Expire'] > $maxSessionExpire) {
- /* Unset, or beyond our session lifetime. Clamp it to our maximum session lifetime. */
- $data['Expire'] = $maxSessionExpire;
- }
+ $maxSessionExpire = time() + $globalConfig->getInteger('session.duration', 8 * 60 * 60);
+ if (!isset($data['Expire']) || $data['Expire'] > $maxSessionExpire) {
+ // unset, or beyond our session lifetime. Clamp it to our maximum session lifetime
+ $data['Expire'] = $maxSessionExpire;
+ }
- $this->authData[$authority] = $data;
+ $this->authData[$authority] = $data;
- $this->authToken = SimpleSAML_Utilities::generateID();
- $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+ $this->authToken = SimpleSAML_Utilities::generateID();
+ $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
- if (!$this->transient && (!empty($data['RememberMe']) || $this->rememberMeExpire) &&
- $globalConfig->getBoolean('session.rememberme.enable', FALSE)) {
+ if (!$this->transient && (!empty($data['RememberMe']) || $this->rememberMeExpire) &&
+ $globalConfig->getBoolean('session.rememberme.enable', false)
+ ) {
$this->setRememberMeExpire();
- } else {
- $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename',
+ } else {
+ $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename',
'SimpleSAMLAuthToken'), $this->authToken);
- }
- }
-
-
- /**
- * Marks the user as logged out.
- *
- * This function will call any registered logout handlers before marking the user as logged out.
- *
- * @param string $authority The authentication source we are logging out of.
- */
- public function doLogout($authority) {
-
- SimpleSAML_Logger::debug('Session: doLogout(' . var_export($authority, TRUE) . ')');
-
- if (!isset($this->authData[$authority])) {
- SimpleSAML_Logger::debug('Session: Already logged out of ' . $authority . '.');
- return;
- }
-
- $this->dirty = TRUE;
-
- $this->callLogoutHandlers($authority);
- unset($this->authData[$authority]);
-
- if (!$this->isValid($authority) && $this->rememberMeExpire) {
- $this->rememberMeExpire = NULL;
- $this->updateSessionCookies();
- }
- }
-
-
- /**
- * Set the lifetime for authentication source.
- *
- * @param string $authority The authentication source we are setting expire time for.
- * @param int $expire The number of seconds authentication source is valid.
- */
- public function setAuthorityExpire($authority, $expire = NULL) {
- assert('isset($this->authData[$authority])');
- assert('is_int($expire) || is_null($expire)');
-
- $this->dirty = true;
-
- if ($expire === NULL) {
- $globalConfig = SimpleSAML_Configuration::getInstance();
- $expire = time() + $globalConfig->getInteger('session.duration', 8*60*60);
- }
-
- $this->authData[$authority]['Expire'] = $expire;
- }
-
-
- /**
- * Is the session representing an authenticated user, and is the session still alive.
- * This function will return false after the user has timed out.
- *
- * @param string $authority The authentication source that the user should be authenticated with.
- * @return TRUE if the user has a valid session, FALSE if not.
- */
- public function isValid($authority) {
- assert('is_string($authority)');
-
- if (!isset($this->authData[$authority])) {
- SimpleSAML_Logger::debug('Session: '. var_export($authority, TRUE) .
+ }
+ }
+
+ /**
+ * Marks the user as logged out.
+ *
+ * This function will call any registered logout handlers before marking the user as logged out.
+ *
+ * @param string $authority The authentication source we are logging out of.
+ */
+ public function doLogout($authority)
+ {
+ SimpleSAML_Logger::debug('Session: doLogout('.var_export($authority, true).')');
+
+ if (!isset($this->authData[$authority])) {
+ SimpleSAML_Logger::debug('Session: Already logged out of '.$authority.'.');
+ return;
+ }
+
+ $this->dirty = true;
+
+ $this->callLogoutHandlers($authority);
+ unset($this->authData[$authority]);
+
+ if (!$this->isValid($authority) && $this->rememberMeExpire) {
+ $this->rememberMeExpire = null;
+ $this->updateSessionCookies();
+ }
+ }
+
+ /**
+ * This function calls all registered logout handlers.
+ *
+ * @param string $authority The authentication source we are logging out from.
+ *
+ * @throws Exception If the handler is not a valid function or method.
+ */
+ private function callLogoutHandlers($authority)
+ {
+ assert('is_string($authority)');
+ assert('isset($this->authData[$authority])');
+
+ if (empty($this->authData[$authority]['LogoutHandlers'])) {
+ return;
+ }
+ foreach ($this->authData[$authority]['LogoutHandlers'] as $handler) {
+
+ // verify that the logout handler is a valid function
+ if (!is_callable($handler)) {
+ $classname = $handler[0];
+ $functionname = $handler[1];
+
+ throw new Exception('Logout handler is not a vaild function: '.$classname.'::'.
+ $functionname);
+ }
+
+ // call the logout handler
+ call_user_func($handler);
+ }
+
+ // we require the logout handlers to register themselves again if they want to be called later
+ unset($this->authData[$authority]['LogoutHandlers']);
+ }
+
+ /**
+ * Is the session representing an authenticated user, and is the session still alive.
+ * This function will return false after the user has timed out.
+ *
+ * @param string $authority The authentication source that the user should be authenticated with.
+ *
+ * @return true if the user has a valid session, false if not.
+ */
+ public function isValid($authority)
+ {
+ assert('is_string($authority)');
+
+ if (!isset($this->authData[$authority])) {
+ SimpleSAML_Logger::debug('Session: '.var_export($authority, true).
' not valid because we are not authenticated.');
- return FALSE;
- }
+ return false;
+ }
+
+ if ($this->authData[$authority]['Expire'] <= time()) {
+ SimpleSAML_Logger::debug('Session: '.var_export($authority, true).' not valid because it is expired.');
+ return false;
+ }
+
+ SimpleSAML_Logger::debug('Session: Valid session found with '.var_export($authority, true).'.');
+
+ return true;
+ }
+
+ /**
+ * Update session cookies.
+ *
+ * @param array The parameters for the cookies.
+ */
+ public function updateSessionCookies($params = null)
+ {
+ $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+
+ if ($this->sessionId !== null) {
+ $sessionHandler->setCookie($sessionHandler->getSessionCookieName(), $this->sessionId, $params);
+ }
+
+ if ($this->authToken !== null) {
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+ $sessionHandler->setCookie($globalConfig->getString('session.authtoken.cookiename',
+ 'SimpleSAMLAuthToken'), $this->authToken, $params);
+ }
+ }
+
+ /**
+ * Set the lifetime for authentication source.
+ *
+ * @param string $authority The authentication source we are setting expire time for.
+ * @param int $expire The number of seconds authentication source is valid.
+ */
+ public function setAuthorityExpire($authority, $expire = null)
+ {
+ assert('isset($this->authData[$authority])');
+ assert('is_int($expire) || is_null($expire)');
+
+ $this->dirty = true;
+
+ if ($expire === null) {
+ $globalConfig = SimpleSAML_Configuration::getInstance();
+ $expire = time() + $globalConfig->getInteger('session.duration', 8 * 60 * 60);
+ }
+
+ $this->authData[$authority]['Expire'] = $expire;
+ }
- if ($this->authData[$authority]['Expire'] <= time()) {
- SimpleSAML_Logger::debug('Session: ' . var_export($authority, TRUE) .' not valid because it is expired.');
- return FALSE;
- }
-
- SimpleSAML_Logger::debug('Session: Valid session found with ' . var_export($authority, TRUE) . '.');
-
- return TRUE;
- }
-
-
- /**
- * This function registers a logout handler.
- *
- * @param string $authority The authority for which register the handler.
- * @param string $classname The class which contains the logout handler.
- * @param string $functionname The logout handler function.
- * @throws Exception If the handler is not a valid function or method.
- */
- public function registerLogoutHandler($authority, $classname, $functionname) {
- assert('isset($this->authData[$authority])');
-
- $logout_handler = array($classname, $functionname);
-
- if(!is_callable($logout_handler)) {
- throw new Exception('Logout handler is not a vaild function: ' . $classname . '::' .
- $functionname);
- }
-
-
- $this->authData[$authority]['LogoutHandlers'][] = $logout_handler;
- $this->dirty = TRUE;
- }
-
-
- /**
- * This function calls all registered logout handlers.
- *
- * @param string $authority The authentication source we are logging out from.
- * @throws Exception If the handler is not a valid function or method.
- */
- private function callLogoutHandlers($authority) {
- assert('is_string($authority)');
- assert('isset($this->authData[$authority])');
-
- if (empty($this->authData[$authority]['LogoutHandlers'])) {
- return;
- }
- foreach($this->authData[$authority]['LogoutHandlers'] as $handler) {
-
- /* Verify that the logout handler is a valid function. */
- if(!is_callable($handler)) {
- $classname = $handler[0];
- $functionname = $handler[1];
-
- throw new Exception('Logout handler is not a vaild function: ' . $classname . '::' .
- $functionname);
- }
-
- /* Call the logout handler. */
- call_user_func($handler);
-
- }
-
- /* We require the logout handlers to register themselves again if they want to be called later. */
- unset($this->authData[$authority]['LogoutHandlers']);
- }
-
-
- /**
- * This function removes expired data from the data store.
- *
- * Note that this function doesn't mark the session object as dirty. This means that
- * if the only change to the session object is that some data has expired, it will not be
- * written back to the session store.
- */
- private function expireData() {
-
- if(!is_array($this->dataStore)) {
- return;
- }
-
- $ct = time();
-
- foreach($this->dataStore as &$typedData) {
- foreach($typedData as $id => $info) {
- if ($info['expires'] === self::DATA_TIMEOUT_SESSION_END) {
- /* This data never expires. */
- continue;
- }
-
- if($ct > $info['expires']) {
- unset($typedData[$id]);
- }
- }
- }
- }
-
-
- /**
- * Delete data from the data store.
- *
- * This function immediately deletes the data with the given type and id from the data store.
- *
- * @param string $type The type of the data.
- * @param string $id The identifier of the data.
- */
- public function deleteData($type, $id) {
- assert('is_string($type)');
- assert('is_string($id)');
-
- if (!is_array($this->dataStore)) {
- return;
- }
-
- if(!array_key_exists($type, $this->dataStore)) {
- return;
- }
-
- unset($this->dataStore[$type][$id]);
- $this->dirty = TRUE;
- }
-
-
- /**
- * This function stores data in the data store.
- *
- * The timeout value can be SimpleSAML_Session::DATA_TIMEOUT_SESSION_END, which indicates
- * that the data should never be deleted.
- *
- * @param string $type The type of the data. This is checked when retrieving data from the store.
- * @param string $id The identifier of the data.
- * @param mixed $data The data.
- * @param int|NULL $timeout The number of seconds this data should be stored after its last access.
- * This parameter is optional. The default value is set in 'session.datastore.timeout',
- * and the default is 4 hours.
+ /**
+ * This function registers a logout handler.
+ *
+ * @param string $authority The authority for which register the handler.
+ * @param string $classname The class which contains the logout handler.
+ * @param string $functionname The logout handler function.
+ *
+ * @throws Exception If the handler is not a valid function or method.
+ */
+ public function registerLogoutHandler($authority, $classname, $functionname)
+ {
+ assert('isset($this->authData[$authority])');
+
+ $logout_handler = array($classname, $functionname);
+
+ if (!is_callable($logout_handler)) {
+ throw new Exception('Logout handler is not a vaild function: '.$classname.'::'.
+ $functionname);
+ }
+
+ $this->authData[$authority]['LogoutHandlers'][] = $logout_handler;
+ $this->dirty = true;
+ }
+
+ /**
+ * Delete data from the data store.
+ *
+ * This function immediately deletes the data with the given type and id from the data store.
+ *
+ * @param string $type The type of the data.
+ * @param string $id The identifier of the data.
+ */
+ public function deleteData($type, $id)
+ {
+ assert('is_string($type)');
+ assert('is_string($id)');
+
+ if (!is_array($this->dataStore)) {
+ return;
+ }
+
+ if (!array_key_exists($type, $this->dataStore)) {
+ return;
+ }
+
+ unset($this->dataStore[$type][$id]);
+ $this->dirty = true;
+ }
+
+ /**
+ * This function stores data in the data store.
+ *
+ * The timeout value can be SimpleSAML_Session::DATA_TIMEOUT_SESSION_END, which indicates
+ * that the data should never be deleted.
+ *
+ * @param string $type The type of the data. This is checked when retrieving data from the store.
+ * @param string $id The identifier of the data.
+ * @param mixed $data The data.
+ * @param int|null $timeout The number of seconds this data should be stored after its last access.
+ * This parameter is optional. The default value is set in 'session.datastore.timeout',
+ * and the default is 4 hours.
+ *
* @throws Exception If the data couldn't be stored.
*
- */
- public function setData($type, $id, $data, $timeout = NULL) {
- assert('is_string($type)');
- assert('is_string($id)');
- assert('is_int($timeout) || is_null($timeout) || $timeout === self::DATA_TIMEOUT_SESSION_END');
-
-
- /* Clean out old data. */
- $this->expireData();
-
- if($timeout === NULL) {
- /* Use the default timeout. */
-
- $configuration = SimpleSAML_Configuration::getInstance();
-
- $timeout = $configuration->getInteger('session.datastore.timeout', NULL);
- if($timeout !== NULL) {
- if ($timeout <= 0) {
- throw new Exception('The value of the session.datastore.timeout' .
- ' configuration option should be a positive integer.');
- }
- }
- }
-
- if ($timeout === self::DATA_TIMEOUT_SESSION_END) {
- $expires = self::DATA_TIMEOUT_SESSION_END;
- } else {
- $expires = time() + $timeout;
- }
-
- $dataInfo = array(
- 'expires' => $expires,
- 'timeout' => $timeout,
- 'data' => $data
- );
-
- if(!is_array($this->dataStore)) {
- $this->dataStore = array();
- }
-
- if(!array_key_exists($type, $this->dataStore)) {
- $this->dataStore[$type] = array();
- }
-
- $this->dataStore[$type][$id] = $dataInfo;
-
- $this->dirty = TRUE;
- }
-
-
- /**
- * This function retrieves data from the data store.
- *
- * Note that this will not change when the data stored in the data store will expire. If that is required,
- * the data should be written back with setData.
- *
- * @param string $type The type of the data. This must match the type used when adding the data.
- * @param string|NULL $id The identifier of the data. Can be NULL, in which case NULL will be returned.
- * @return mixed The data of the given type with the given id or NULL if the data doesn't exist in the data store.
- */
- public function getData($type, $id) {
- assert('is_string($type)');
- assert('$id === NULL || is_string($id)');
-
- if($id === NULL) {
- return NULL;
- }
-
- $this->expireData();
-
- if(!is_array($this->dataStore)) {
- return NULL;
- }
-
- if(!array_key_exists($type, $this->dataStore)) {
- return NULL;
- }
-
- if(!array_key_exists($id, $this->dataStore[$type])) {
- return NULL;
- }
-
- return $this->dataStore[$type][$id]['data'];
- }
-
-
- /**
- * This function retrieves all data of the specified type from the data store.
- *
- * The data will be returned as an associative array with the id of the data as the key, and the data
- * as the value of each key. The value will be stored as a copy of the original data. setData must be
- * used to update the data.
- *
- * An empty array will be returned if no data of the given type is found.
- *
- * @param string $type The type of the data.
- * @return array An associative array with all data of the given type.
- */
- public function getDataOfType($type) {
- assert('is_string($type)');
-
- if(!is_array($this->dataStore)) {
- return array();
- }
-
- if(!array_key_exists($type, $this->dataStore)) {
- return array();
- }
-
- $ret = array();
- foreach($this->dataStore[$type] as $id => $info) {
- $ret[$id] = $info['data'];
- }
-
- return $ret;
- }
-
- /**
- * Create a new session and cache it.
- *
- * @param string $sessionId The new session we should create.
- */
- public static function createSession($sessionId) {
- assert('is_string($sessionId)');
- self::$sessions[$sessionId] = NULL;
- }
-
- /**
- * Load a session from the session handler.
- *
- * @param string|NULL $sessionId The session we should load, or NULL to load the current session.
- * @return The session which is stored in the session handler, or NULL if the session wasn't found.
- */
- public static function getSession($sessionId = NULL) {
- assert('is_string($sessionId) || is_null($sessionId)');
-
- $sh = SimpleSAML_SessionHandler::getSessionHandler();
-
- if ($sessionId === NULL) {
- $checkToken = TRUE;
- $sessionId = $sh->getCookieSessionId();
- } else {
- $checkToken = FALSE;
- }
-
- if (array_key_exists($sessionId, self::$sessions)) {
- return self::$sessions[$sessionId];
- }
-
-
- $session = $sh->loadSession($sessionId);
- if($session === NULL) {
- return NULL;
- }
-
- assert('$session instanceof self');
-
- if ($checkToken) {
- $globalConfig = SimpleSAML_Configuration::getInstance();
-
- if ($session->authToken !== NULL) {
- $authTokenCookieName = $globalConfig->getString('session.authtoken.cookiename',
- 'SimpleSAMLAuthToken');
- if (!isset($_COOKIE[$authTokenCookieName])) {
- SimpleSAML_Logger::warning('Missing AuthToken cookie.');
- return NULL;
- }
- if ($_COOKIE[$authTokenCookieName] !== $session->authToken) {
- SimpleSAML_Logger::warning('Invalid AuthToken cookie.');
- return NULL;
- }
- }
-
- /* Run session check function if defined */
- $checkFunction = $globalConfig->getArray('session.check_function', NULL);
- if (isset($checkFunction)) {
- assert('is_callable($checkFunction)');
- $check = call_user_func($checkFunction, $session);
- if ($check !== TRUE) {
- SimpleSAML_Logger::warning('Session did not pass check function.');
- return NULL;
- }
- }
- }
-
- self::$sessions[$sessionId] = $session;
-
- return $session;
- }
-
-
- /**
- * Get the current persistent authentication state.
- *
- * @param string $authority The authority to retrieve the data from.
- * @return array The current persistent authentication state, or NULL if not authenticated.
- */
- public function getAuthState($authority ) {
- assert('is_string($authority)');
-
- if (!isset($this->authData[$authority])) {
- return NULL;
- }
-
- return $this->authData[$authority];
- }
-
-
- /**
- * Check whether the session cookie is set.
- *
- * This function will only return FALSE if is is certain that the cookie isn't set.
- *
- * @return bool TRUE if it was set, FALSE if not.
- */
- public function hasSessionCookie() {
-
- $sh = SimpleSAML_SessionHandler::getSessionHandler();
- return $sh->hasSessionCookie();
- }
-
-
- /**
- * Add an SP association for an IdP.
- *
- * This function is only for use by the SimpleSAML_IdP class.
- *
- * @param string $idp The IdP id.
- * @param array $association The association we should add.
- */
- public function addAssociation($idp, array $association) {
- assert('is_string($idp)');
- assert('isset($association["id"])');
- assert('isset($association["Handler"])');
-
- if (!isset($this->associations)) {
- $this->associations = array();
- }
-
- if (!isset($this->associations[$idp])) {
- $this->associations[$idp] = array();
- }
-
- $this->associations[$idp][$association['id']] = $association;
-
- $this->dirty = TRUE;
- }
-
-
- /**
- * Retrieve the associations for an IdP.
- *
- * This function is only for use by the SimpleSAML_IdP class.
- *
- * @param string $idp The IdP id.
- * @return array The IdP associations.
- */
- public function getAssociations($idp) {
- assert('is_string($idp)');
-
- if (!isset($this->associations)) {
- $this->associations = array();
- }
-
- if (!isset($this->associations[$idp])) {
- return array();
- }
-
- foreach ($this->associations[$idp] as $id => $assoc) {
- if (!isset($assoc['Expires'])) {
- continue;
- }
- if ($assoc['Expires'] >= time()) {
- continue;
- }
-
- unset($this->associations[$idp][$id]);
- }
-
- return $this->associations[$idp];
- }
-
-
- /**
- * Remove an SP association for an IdP.
- *
- * This function is only for use by the SimpleSAML_IdP class.
- *
- * @param string $idp The IdP id.
- * @param string $associationId The id of the association.
- */
- public function terminateAssociation($idp, $associationId) {
- assert('is_string($idp)');
- assert('is_string($associationId)');
-
- if (!isset($this->associations)) {
- return;
- }
-
- if (!isset($this->associations[$idp])) {
- return;
- }
-
- unset($this->associations[$idp][$associationId]);
-
- $this->dirty = TRUE;
- }
-
-
- /**
- * Retrieve authentication data.
- *
- * @param string $authority The authentication source we should retrieve data from.
- * @param string $name The name of the data we should retrieve.
- * @return mixed The value, or NULL if the value wasn't found.
- */
- public function getAuthData($authority, $name) {
- assert('is_string($authority)');
- assert('is_string($name)');
-
- if (!isset($this->authData[$authority][$name])) {
- return NULL;
- }
- return $this->authData[$authority][$name];
- }
-
-
- /**
- * Retrieve a list of authorities (authentication sources) that are currently valid within
- * this session.
- *
- * @return mixed An array containing every authority currently valid. Empty if none available.
- */
- public function getAuthorities()
- {
- $authorities = array();
- foreach (array_keys($this->authData) as $authority) {
- if ($this->isValid($authority)) {
- $authorities[] = $authority;
- }
- }
- return $authorities;
- }
+ */
+ public function setData($type, $id, $data, $timeout = null)
+ {
+ assert('is_string($type)');
+ assert('is_string($id)');
+ assert('is_int($timeout) || is_null($timeout) || $timeout === self::DATA_TIMEOUT_SESSION_END');
+
+ // clean out old data
+ $this->expireData();
+
+ if ($timeout === null) {
+ // use the default timeout
+
+ $configuration = SimpleSAML_Configuration::getInstance();
+
+ $timeout = $configuration->getInteger('session.datastore.timeout', null);
+ if ($timeout !== null) {
+ if ($timeout <= 0) {
+ throw new Exception('The value of the session.datastore.timeout'.
+ ' configuration option should be a positive integer.');
+ }
+ }
+ }
+
+ if ($timeout === self::DATA_TIMEOUT_SESSION_END) {
+ $expires = self::DATA_TIMEOUT_SESSION_END;
+ } else {
+ $expires = time() + $timeout;
+ }
+
+ $dataInfo = array(
+ 'expires' => $expires,
+ 'timeout' => $timeout,
+ 'data' => $data
+ );
+
+ if (!is_array($this->dataStore)) {
+ $this->dataStore = array();
+ }
+
+ if (!array_key_exists($type, $this->dataStore)) {
+ $this->dataStore[$type] = array();
+ }
+
+ $this->dataStore[$type][$id] = $dataInfo;
+
+ $this->dirty = true;
+ }
+
+ /**
+ * This function removes expired data from the data store.
+ *
+ * Note that this function doesn't mark the session object as dirty. This means that
+ * if the only change to the session object is that some data has expired, it will not be
+ * written back to the session store.
+ */
+ private function expireData()
+ {
+ if (!is_array($this->dataStore)) {
+ return;
+ }
+
+ $ct = time();
+
+ foreach ($this->dataStore as &$typedData) {
+ foreach ($typedData as $id => $info) {
+ if ($info['expires'] === self::DATA_TIMEOUT_SESSION_END) {
+ // this data never expires
+ continue;
+ }
+
+ if ($ct > $info['expires']) {
+ unset($typedData[$id]);
+ }
+ }
+ }
+ }
+
+ /**
+ * This function retrieves data from the data store.
+ *
+ * Note that this will not change when the data stored in the data store will expire. If that is required,
+ * the data should be written back with setData.
+ *
+ * @param string $type The type of the data. This must match the type used when adding the data.
+ * @param string|null $id The identifier of the data. Can be null, in which case null will be returned.
+ *
+ * @return mixed The data of the given type with the given id or null if the data doesn't exist in the data store.
+ */
+ public function getData($type, $id)
+ {
+ assert('is_string($type)');
+ assert('$id === null || is_string($id)');
+
+ if ($id === null) {
+ return null;
+ }
+
+ $this->expireData();
+
+ if (!is_array($this->dataStore)) {
+ return null;
+ }
+
+ if (!array_key_exists($type, $this->dataStore)) {
+ return null;
+ }
+
+ if (!array_key_exists($id, $this->dataStore[$type])) {
+ return null;
+ }
+
+ return $this->dataStore[$type][$id]['data'];
+ }
+
+ /**
+ * This function retrieves all data of the specified type from the data store.
+ *
+ * The data will be returned as an associative array with the id of the data as the key, and the data
+ * as the value of each key. The value will be stored as a copy of the original data. setData must be
+ * used to update the data.
+ *
+ * An empty array will be returned if no data of the given type is found.
+ *
+ * @param string $type The type of the data.
+ *
+ * @return array An associative array with all data of the given type.
+ */
+ public function getDataOfType($type)
+ {
+ assert('is_string($type)');
+
+ if (!is_array($this->dataStore)) {
+ return array();
+ }
+
+ if (!array_key_exists($type, $this->dataStore)) {
+ return array();
+ }
+
+ $ret = array();
+ foreach ($this->dataStore[$type] as $id => $info) {
+ $ret[$id] = $info['data'];
+ }
+
+ return $ret;
+ }
+
+ /**
+ * Get the current persistent authentication state.
+ *
+ * @param string $authority The authority to retrieve the data from.
+ *
+ * @return array The current persistent authentication state, or null if not authenticated.
+ */
+ public function getAuthState($authority)
+ {
+ assert('is_string($authority)');
+
+ if (!isset($this->authData[$authority])) {
+ return null;
+ }
+
+ return $this->authData[$authority];
+ }
+
+
+ /**
+ * Check whether the session cookie is set.
+ *
+ * This function will only return false if is is certain that the cookie isn't set.
+ *
+ * @return bool true if it was set, false if not.
+ */
+ public function hasSessionCookie()
+ {
+ $sh = SimpleSAML_SessionHandler::getSessionHandler();
+ return $sh->hasSessionCookie();
+ }
+
+
+ /**
+ * Add an SP association for an IdP.
+ *
+ * This function is only for use by the SimpleSAML_IdP class.
+ *
+ * @param string $idp The IdP id.
+ * @param array $association The association we should add.
+ */
+ public function addAssociation($idp, array $association)
+ {
+ assert('is_string($idp)');
+ assert('isset($association["id"])');
+ assert('isset($association["Handler"])');
+
+ if (!isset($this->associations)) {
+ $this->associations = array();
+ }
+
+ if (!isset($this->associations[$idp])) {
+ $this->associations[$idp] = array();
+ }
+
+ $this->associations[$idp][$association['id']] = $association;
+
+ $this->dirty = true;
+ }
+
+
+ /**
+ * Retrieve the associations for an IdP.
+ *
+ * This function is only for use by the SimpleSAML_IdP class.
+ *
+ * @param string $idp The IdP id.
+ *
+ * @return array The IdP associations.
+ */
+ public function getAssociations($idp)
+ {
+ assert('is_string($idp)');
+
+ if (!isset($this->associations)) {
+ $this->associations = array();
+ }
+
+ if (!isset($this->associations[$idp])) {
+ return array();
+ }
+
+ foreach ($this->associations[$idp] as $id => $assoc) {
+ if (!isset($assoc['Expires'])) {
+ continue;
+ }
+ if ($assoc['Expires'] >= time()) {
+ continue;
+ }
+
+ unset($this->associations[$idp][$id]);
+ }
+
+ return $this->associations[$idp];
+ }
+
+
+ /**
+ * Remove an SP association for an IdP.
+ *
+ * This function is only for use by the SimpleSAML_IdP class.
+ *
+ * @param string $idp The IdP id.
+ * @param string $associationId The id of the association.
+ */
+ public function terminateAssociation($idp, $associationId)
+ {
+ assert('is_string($idp)');
+ assert('is_string($associationId)');
+
+ if (!isset($this->associations)) {
+ return;
+ }
+
+ if (!isset($this->associations[$idp])) {
+ return;
+ }
+
+ unset($this->associations[$idp][$associationId]);
+
+ $this->dirty = true;
+ }
+
+
+ /**
+ * Retrieve authentication data.
+ *
+ * @param string $authority The authentication source we should retrieve data from.
+ * @param string $name The name of the data we should retrieve.
+ *
+ * @return mixed The value, or null if the value wasn't found.
+ */
+ public function getAuthData($authority, $name)
+ {
+ assert('is_string($authority)');
+ assert('is_string($name)');
+
+ if (!isset($this->authData[$authority][$name])) {
+ return null;
+ }
+ return $this->authData[$authority][$name];
+ }
+
+
+ /**
+ * Retrieve a list of authorities (authentication sources) that are currently valid within
+ * this session.
+ *
+ * @return mixed An array containing every authority currently valid. Empty if none available.
+ */
+ public function getAuthorities()
+ {
+ $authorities = array();
+ foreach (array_keys($this->authData) as $authority) {
+ if ($this->isValid($authority)) {
+ $authorities[] = $authority;
+ }
+ }
+ return $authorities;
+ }
}