Commit e5044502 authored by Olav Morken's avatar Olav Morken

saml: Add check against duplicate assertion.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2500 44740490-163a-0410-bde0-09ae8108e29a
parent 2ee81086
...@@ -54,6 +54,26 @@ try { ...@@ -54,6 +54,26 @@ try {
SimpleSAML_Auth_State::throwException($state, $e); SimpleSAML_Auth_State::throwException($state, $e);
} }
/* Check for duplicate assertion (replay attack). */
$store = SimpleSAML_Store::getInstance();
if ($store !== NULL) {
$aID = $assertion->getId();
if ($store->get('saml.AssertionReceived', $aID) !== NULL) {
$e = new SimpleSAML_Error_Exception('Received duplicate assertion.');
SimpleSAML_Auth_State::throwException($state, $e);
}
$notOnOrAfter = $assertion->getNotOnOrAfter();
if ($notOnOrAfter === NULL) {
$notOnOrAfter = time() + 24*60*60;
} else {
$notOnOrAfter += 60; /* We allow 60 seconds clock skew, so add it here also. */
}
$store->set('saml.AssertionReceived', $aID, TRUE, $notOnOrAfter);
}
$nameId = $assertion->getNameId(); $nameId = $assertion->getNameId();
$sessionIndex = $assertion->getSessionIndex(); $sessionIndex = $assertion->getSessionIndex();
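Review bot: When `SimpleSAML_Store::getInstance()` returns NULL the whole duplicate-assertion check is skipped without any trace, so a deployment with no data store configured gets no replay protection and nothing in the logs says so; an `else` branch such as `SimpleSAML_Logger::warning('No data store configured; duplicate assertion check is disabled.');` would make that visible. The `get()` followed by `set()` is also two separate store operations, so depending on the backend two simultaneous deliveries of the same assertion could both pass; a comment stating that limitation would help the next reader. When `getNotOnOrAfter()` is NULL the record is kept for only 24 hours, which protects against replay only if some other validity check, not visible in this hunk, rejects the assertion after that. The surrounding script starts and continues outside the hunk, so this is based on the added lines alone.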
......