setNoClearTicketsFromUrl() public static method

Disable the removal of a CAS ticket from the URL when authenticating. DISABLING POSES A SECURITY RISK: we normally remove the ticket with an additional redirect as a security precaution, to prevent the ticket from leaking through the HTTP Referer header or being carried over in the URL parameters.
public static setNoClearTicketsFromUrl ( ) : void
return void
Ejemplo n.º 1
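/**
 * Configure the phpCAS client from $config and run an authentication check.
 *
 * Reads $config->cas_version, ->cashostname, ->casport, ->casbaseuri,
 * ->cas_server_ca_cert_path and ->cas_server_no_validation.
 *
 * @param object $config configuration holder exposing the properties above
 * @return string|false the CAS username on success, false when not
 *                      authenticated or when phpCAS throws
 */
function check_cas_result($config)
{
    require_once dirname(__DIR__) . '/vendor/autoload.php';
    try {
        // An empty/falsy configured version falls back to CAS 2.0.
        $cas_version = $config->cas_version ?: CAS_VERSION_2_0;
        // phpCAS::setDebug();
        phpCAS::client($cas_version, $config->cashostname, (int) $config->casport, $config->casbaseuri, false);
        // The caller strips the ticket from the URL itself. phpCAS would
        // otherwise do it with an extra redirect so the ticket does not
        // stay in the URL / Referer; that responsibility now lies with the caller.
        phpCAS::setNoClearTicketsFromUrl();
        // Strict string comparison: an unset/null/false path is treated as "not configured".
        if ((string) $config->cas_server_ca_cert_path !== '') {
            // Production setting: pin the CA that signed the CAS server's
            // certificate, e.g. '/etc/pki/tls/certs/DigiCertCA.crt'.
            phpCAS::setCasServerCACert($config->cas_server_ca_cert_path);
        } elseif ($config->cas_server_no_validation) {
            // No CA configured and validation explicitly switched off: the CAS
            // server's TLS certificate is not verified at all, so an on-path
            // party could impersonate the CAS server. Only for isolated dev setups.
            phpCAS::setNoCasServerValidation();
        }
        // check authentication; returns true/false
        if (phpCAS::checkAuthentication()) {
            return phpCAS::getUser();
        }
        return false;
    } catch (Exception $e) {
        error_log("CAS ERROR: " . $e->getMessage());
        // register_error is a project helper; presumably surfaces the message to the user.
        register_error($e->getMessage());
        return false;
    }
}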
Ejemplo n.º 2
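/**
 * Two-pass phpCAS authentication check driven by the "auth_checked" URL flag.
 *
 * First pass (no "auth_checked" in the query string): the flag is added to the
 * redirect URL and phpCAS::checkAuthentication() is called. Second pass (flag
 * present): phpCAS::isAuthenticated() is called, and ticket clearing from the
 * URL is disabled when cookies are missing (would loop) or when $noCache is set.
 *
 * @param bool $noCache    keep the ticket in the URL instead of redirecting to a clean one
 * @param bool $haveTicket whether the current request carries a CAS ticket
 * @return array{0: bool, 1: bool} [$isAuthenticated, $noCookies]
 */
function checkAuthentication_raw($noCache, $haveTicket)
{
    // Fail closed: if isAuthenticated() throws below, the caller still gets false
    // instead of an undefined variable (null plus a warning).
    $isAuthenticated = false;
    if (isset($_GET["auth_checked"])) {
        // Absence of the session cookie on the second pass means it was not accepted.
        $noCookies = !isset($_COOKIE["PHPSESSID"]);
        if ($noCookies) {
            debug_msg("cookie disabled or not accepted");
        }
        $_SESSION['time_before_verifying_CAS_ticket'] = microtime(true);
        $_SESSION['time_before_redirecting_to_CAS'] = getAndUnset($_SESSION, 'time_before_adding_auth_checked');
        if ($noCookies || $noCache) {
            // do not redirect otherwise
            // - if noCookies, it will dead-loop
            // - if noCache, we must not clean url otherwise "cleanup SESSION" will be done after final redirect to clean URL
            // NB: this leaves the ticket in the URL, which phpCAS otherwise strips as a precaution.
            phpCAS::setNoClearTicketsFromUrl();
        } elseif ($haveTicket) {
            // remove "auth_checked" after CAS before redirecting to final URL
            toggle_auth_checked_in_redirect();
        }
        try {
            $isAuthenticated = phpCAS::isAuthenticated();
        } catch (Exception $e) {
            // Treated as "not authenticated"; keep the reason instead of dropping it silently.
            debug_msg("phpCAS::isAuthenticated failed: " . $e->getMessage());
        }
    } else {
        // add "auth_checked" in url before redirecting to CAS
        toggle_auth_checked_in_redirect();
        $_SESSION['time_before_adding_auth_checked'] = microtime(true);
        $isAuthenticated = phpCAS::checkAuthentication();
        // NB: if we reach this point, we are either in "wasPreviouslyAuthenticated" case or after final redirect to clean URL
        $noCookies = false;
    }
    return [$isAuthenticated, $noCookies];
}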