From e5044502ce94c6cfd11373a802207f0136c2f4ac Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 9 Aug 2010 08:52:26 +0000
Subject: [PATCH] saml: Add check against duplicate assertion.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2500 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/www/sp/saml2-acs.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 2bfcc89af..6f1266d8d 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -54,6 +54,26 @@ try {
 	SimpleSAML_Auth_State::throwException($state, $e);
 }
 
+/* Check for duplicate assertion (replay attack). */
+$store = SimpleSAML_Store::getInstance();
+if ($store !== NULL) {
+	$aID = $assertion->getId();
+	if ($store->get('saml.AssertionReceived', $aID) !== NULL) {
+		$e = new SimpleSAML_Error_Exception('Received duplicate assertion.');
+		SimpleSAML_Auth_State::throwException($state, $e);
+	}
+
+	$notOnOrAfter = $assertion->getNotOnOrAfter();
+	if ($notOnOrAfter === NULL) {
+		$notOnOrAfter = time() + 24*60*60;
+	} else {
+		$notOnOrAfter += 60; /* We allow 60 seconds clock skew, so add it here also. */
+	}
+
+	$store->set('saml.AssertionReceived', $aID, TRUE, $notOnOrAfter);
+}
+
+
 $nameId = $assertion->getNameId();
 $sessionIndex = $assertion->getSessionIndex();
 
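Review bot: The replay check is not atomic: `$store->get('saml.AssertionReceived', $aID)` and the later `$store->set(...)` are two separate store operations, so two requests presenting the same assertion at the same time can both pass the `!== NULL` test before either records the ID, and both are accepted. Closing that window needs a set-if-absent primitive from the store backend; nothing in this hunk shows whether `SimpleSAML_Store` offers one, so at minimum the limitation should be stated next to the check, e.g. `/* Not atomic: concurrent replays of the same assertion can race past this check. */`. Separately, when `$store === NULL` the whole replay check is skipped without any trace, which is a silent loss of protection; an `else` branch that logs a warning (e.g. `/* No datastore configured: replayed assertions cannot be detected. */` followed by a logger call) would make the degraded state visible to operators. The enclosing script starts and ends outside this hunk.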
-- 
GitLab