isHTTPS() public static method

This function checks if we are using HTTPS as protocol.
Author: Olav Morken, UNINETT AS (olav.morken@uninett.no)
Author: Jaime Perez, UNINETT AS (jaime.perez@uninett.no)
public static isHTTPS ( ) : boolean
return boolean True if the HTTPS is used, false otherwise.
Ejemplo n.º 1
0
 /**
  * Retrieve the session id of saved in the session cookie.
  *
  * @return string  The session id saved in the cookie.
  */
 public function getCookieSessionId()
 {
     if (session_id() === '') {
         if (!self::hasSessionCookie()) {
             return self::newSessionId();
         }
         $session_cookie_params = session_get_cookie_params();
         if ($session_cookie_params['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
             throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
         }
         session_start();
     }
     return session_id();
 }
Ejemplo n.º 2
0
 /**
  * Test SimpleSAML\Utils\HTTP::getSelfURL().
  */
 public function testGetSelfURLMethods()
 {
     $original = $_SERVER;
     /*
      * Test a URL pointing to a script that's not part of the public interface. This allows us to test calls to
      * getSelfURL() from scripts outside of SimpleSAMLphp
      */
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'http://example.com/simplesaml/'), '[ARRAY]', 'simplesaml');
     $url = 'https://example.com/app/script.php/some/path?foo=bar';
     $this->setupEnvFromURL($url);
     $_SERVER['SCRIPT_FILENAME'] = '/var/www/app/script.php';
     $this->assertEquals($url, HTTP::getSelfURL());
     $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
     $this->assertEquals('https://example.com/app/script.php/some/path', HTTP::getSelfURLNoQuery());
     $this->assertTrue(HTTP::isHTTPS());
     $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a request URI that doesn't match the current script
     $cfg = \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.org/simplesaml/'), '[ARRAY]', 'simplesaml');
     $baseDir = $cfg->getBaseDir();
     $_SERVER['SCRIPT_FILENAME'] = $baseDir . 'www/module.php';
     $this->setupEnvFromURL('http://www.example.com/protected/resource.asp?foo=bar');
     $this->assertEquals('http://www.example.com/protected/resource.asp?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());
     $this->assertEquals('http://www.example.com/protected/resource.asp', HTTP::getSelfURLNoQuery());
     $this->assertFalse(HTTP::isHTTPS());
     $this->assertEquals('example.org', HTTP::getSelfHostWithNonStandardPort());
     $this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());
     // test a valid, full URL, based on a full URL in the configuration
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com/simplesaml/'), '[ARRAY]', 'simplesaml');
     $this->setupEnvFromURL('http://www.example.org/module.php/module/file.php?foo=bar');
     $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
     $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertTrue(HTTP::isHTTPS());
     $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a valid, full URL, based on a full URL *without* a trailing slash in the configuration
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com/simplesaml'), '[ARRAY]', 'simplesaml');
     $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
     $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertTrue(HTTP::isHTTPS());
     $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a valid, full URL, based on a full URL *without* a path in the configuration
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com'), '[ARRAY]', 'simplesaml');
     $this->assertEquals('https://example.com/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
     $this->assertEquals('https://example.com/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertTrue(HTTP::isHTTPS());
     $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a valid, full URL, based on a relative path in the configuration
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
     $this->setupEnvFromURL('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar');
     $this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('http://www.example.org', HTTP::getSelfURLHost());
     $this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertFalse(HTTP::isHTTPS());
     $this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a valid, full URL, based on a relative path in the configuration and a non standard port
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
     $this->setupEnvFromURL('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
     $this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('http://example.org:8080', HTTP::getSelfURLHost());
     $this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertFalse(HTTP::isHTTPS());
     $this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     // test a valid, full URL, based on a relative path in the configuration, a non standard port and HTTPS
     \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
     $this->setupEnvFromURL('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
     $this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
     $this->assertEquals('https://example.org:8080', HTTP::getSelfURLHost());
     $this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
     $this->assertTrue(HTTP::isHTTPS());
     $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
     $_SERVER = $original;
 }
Ejemplo n.º 3
0
 /**
  * Build an assertion based on information in the metadata.
  *
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the IdP.
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the SP.
  * @param array &$state  The state array with information about the request.
  * @return SAML2_Assertion  The assertion.
  */
 private static function buildAssertion(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, array &$state)
 {
     assert('isset($state["Attributes"])');
     assert('isset($state["saml:ConsumerURL"])');
     $now = time();
     $signAssertion = $spMetadata->getBoolean('saml20.sign.assertion', NULL);
     if ($signAssertion === NULL) {
         $signAssertion = $idpMetadata->getBoolean('saml20.sign.assertion', TRUE);
     }
     $config = SimpleSAML_Configuration::getInstance();
     $a = new SAML2_Assertion();
     if ($signAssertion) {
         sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $a);
     }
     $a->setIssuer($idpMetadata->getString('entityid'));
     $a->setValidAudiences(array($spMetadata->getString('entityid')));
     $a->setNotBefore($now - 30);
     $assertionLifetime = $spMetadata->getInteger('assertion.lifetime', NULL);
     if ($assertionLifetime === NULL) {
         $assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
     }
     $a->setNotOnOrAfter($now + $assertionLifetime);
     if (isset($state['saml:AuthnContextClassRef'])) {
         $a->setAuthnContext($state['saml:AuthnContextClassRef']);
     } else {
         $a->setAuthnContext(SAML2_Const::AC_PASSWORD);
     }
     $sessionStart = $now;
     if (isset($state['AuthnInstant'])) {
         $a->setAuthnInstant($state['AuthnInstant']);
         $sessionStart = $state['AuthnInstant'];
     }
     $sessionLifetime = $config->getInteger('session.duration', 8 * 60 * 60);
     $a->setSessionNotOnOrAfter($sessionStart + $sessionLifetime);
     $a->setSessionIndex(SimpleSAML\Utils\Random::generateID());
     $sc = new SAML2_XML_saml_SubjectConfirmation();
     $sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
     $sc->SubjectConfirmationData->NotOnOrAfter = $now + $assertionLifetime;
     $sc->SubjectConfirmationData->Recipient = $state['saml:ConsumerURL'];
     $sc->SubjectConfirmationData->InResponseTo = $state['saml:RequestId'];
     /* ProtcolBinding of SP's <AuthnRequest> overwrites IdP hosted metadata configuration. */
     $hokAssertion = NULL;
     if ($state['saml:Binding'] === SAML2_Const::BINDING_HOK_SSO) {
         $hokAssertion = TRUE;
     }
     if ($hokAssertion === NULL) {
         $hokAssertion = $idpMetadata->getBoolean('saml20.hok.assertion', FALSE);
     }
     if ($hokAssertion) {
         /* Holder-of-Key */
         $sc->Method = SAML2_Const::CM_HOK;
         if (\SimpleSAML\Utils\HTTP::isHTTPS()) {
             if (isset($_SERVER['SSL_CLIENT_CERT']) && !empty($_SERVER['SSL_CLIENT_CERT'])) {
                 /* Extract certificate data (if this is a certificate). */
                 $clientCert = $_SERVER['SSL_CLIENT_CERT'];
                 $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
                 if (preg_match($pattern, $clientCert, $matches)) {
                     /* We have a client certificate from the browser which we add to the HoK assertion. */
                     $x509Certificate = new SAML2_XML_ds_X509Certificate();
                     $x509Certificate->certificate = str_replace(array("\r", "\n", " "), '', $matches[1]);
                     $x509Data = new SAML2_XML_ds_X509Data();
                     $x509Data->data[] = $x509Certificate;
                     $keyInfo = new SAML2_XML_ds_KeyInfo();
                     $keyInfo->info[] = $x509Data;
                     $sc->SubjectConfirmationData->info[] = $keyInfo;
                 } else {
                     throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No valid client certificate provided during TLS handshake with IdP');
                 }
             } else {
                 throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No client certificate provided during TLS handshake with IdP');
             }
         } else {
             throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No HTTPS connection to IdP, but required for Holder-of-Key SSO');
         }
     } else {
         /* Bearer */
         $sc->Method = SAML2_Const::CM_BEARER;
     }
     $a->setSubjectConfirmation(array($sc));
     /* Add attributes. */
     if ($spMetadata->getBoolean('simplesaml.attributes', TRUE)) {
         $attributeNameFormat = self::getAttributeNameFormat($idpMetadata, $spMetadata);
         $a->setAttributeNameFormat($attributeNameFormat);
         $attributes = self::encodeAttributes($idpMetadata, $spMetadata, $state['Attributes']);
         $a->setAttributes($attributes);
     }
     /* Generate the NameID for the assertion. */
     if (isset($state['saml:NameIDFormat'])) {
         $nameIdFormat = $state['saml:NameIDFormat'];
     } else {
         $nameIdFormat = NULL;
     }
     if ($nameIdFormat === NULL || !isset($state['saml:NameID'][$nameIdFormat])) {
         /* Either not set in request, or not set to a format we supply. Fall back to old generation method. */
         $nameIdFormat = $spMetadata->getString('NameIDFormat', NULL);
         if ($nameIdFormat === NULL) {
             $nameIdFormat = $idpMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
         }
     }
     if (isset($state['saml:NameID'][$nameIdFormat])) {
         $nameId = $state['saml:NameID'][$nameIdFormat];
         $nameId['Format'] = $nameIdFormat;
     } else {
         $spNameQualifier = $spMetadata->getString('SPNameQualifier', NULL);
         if ($spNameQualifier === NULL) {
             $spNameQualifier = $spMetadata->getString('entityid');
         }
         if ($nameIdFormat === SAML2_Const::NAMEID_TRANSIENT) {
             /* generate a random id */
             $nameIdValue = SimpleSAML\Utils\Random::generateID();
         } else {
             /* this code will end up generating either a fixed assigned id (via nameid.attribute)
                or random id if not assigned/configured */
             $nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
             if ($nameIdValue === NULL) {
                 SimpleSAML_Logger::warning('Falling back to transient NameID.');
                 $nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;
                 $nameIdValue = SimpleSAML\Utils\Random::generateID();
             }
         }
         $nameId = array('Format' => $nameIdFormat, 'Value' => $nameIdValue, 'SPNameQualifier' => $spNameQualifier);
     }
     $state['saml:idp:NameID'] = $nameId;
     $a->setNameId($nameId);
     $encryptNameId = $spMetadata->getBoolean('nameid.encryption', NULL);
     if ($encryptNameId === NULL) {
         $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', FALSE);
     }
     if ($encryptNameId) {
         $a->encryptNameId(sspmod_saml_Message::getEncryptionKey($spMetadata));
     }
     return $a;
 }
Ejemplo n.º 4
0
 /**
  * Process an assertion in a response.
  *
  * Will throw an exception if it is invalid.
  *
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the service provider.
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the identity provider.
  * @param \SAML2\Response $response  The response containing the assertion.
  * @param \SAML2\Assertion|\SAML2\EncryptedAssertion $assertion  The assertion.
  * @param bool $responseSigned  Whether the response is signed.
  * @return \SAML2\Assertion  The assertion, if it is valid.
  */
 private static function processAssertion(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response, $assertion, $responseSigned)
 {
     assert('$assertion instanceof \\SAML2\\Assertion || $assertion instanceof \\SAML2\\EncryptedAssertion');
     assert('is_bool($responseSigned)');
     $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);
     if (!self::checkSign($idpMetadata, $assertion)) {
         if (!$responseSigned) {
             throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
         }
     }
     /* At least one valid signature found. */
     $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
     /* Check various properties of the assertion. */
     $notBefore = $assertion->getNotBefore();
     if ($notBefore !== NULL && $notBefore > time() + 60) {
         throw new SimpleSAML_Error_Exception('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
     }
     $notOnOrAfter = $assertion->getNotOnOrAfter();
     if ($notOnOrAfter !== NULL && $notOnOrAfter <= time() - 60) {
         throw new SimpleSAML_Error_Exception('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
     }
     $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
     if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
         throw new SimpleSAML_Error_Exception('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
     }
     $validAudiences = $assertion->getValidAudiences();
     if ($validAudiences !== NULL) {
         $spEntityId = $spMetadata->getString('entityid');
         if (!in_array($spEntityId, $validAudiences, TRUE)) {
             $candidates = '[' . implode('], [', $validAudiences) . ']';
             throw new SimpleSAML_Error_Exception('This SP [' . $spEntityId . ']  is not a valid audience for the assertion. Candidates were: ' . $candidates);
         }
     }
     $found = FALSE;
     $lastError = 'No SubjectConfirmation element in Subject.';
     $validSCMethods = array(\SAML2\Constants::CM_BEARER, \SAML2\Constants::CM_HOK, \SAML2\Constants::CM_VOUCHES);
     foreach ($assertion->getSubjectConfirmation() as $sc) {
         if (!in_array($sc->Method, $validSCMethods)) {
             $lastError = 'Invalid Method on SubjectConfirmation: ' . var_export($sc->Method, TRUE);
             continue;
         }
         /* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
         $hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
         if ($hok === NULL) {
             $hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
         }
         if ($sc->Method === \SAML2\Constants::CM_BEARER && $hok) {
             $lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
             continue;
         }
         if ($sc->Method === \SAML2\Constants::CM_HOK && !$hok) {
             $lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
             continue;
         }
         $scd = $sc->SubjectConfirmationData;
         if ($sc->Method === \SAML2\Constants::CM_HOK) {
             /* Check HoK Assertion */
             if (\SimpleSAML\Utils\HTTP::isHTTPS() === FALSE) {
                 $lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
                 continue;
             }
             if (isset($_SERVER['SSL_CLIENT_CERT']) && empty($_SERVER['SSL_CLIENT_CERT'])) {
                 $lastError = 'No client certificate provided during TLS Handshake with SP';
                 continue;
             }
             /* Extract certificate data (if this is a certificate). */
             $clientCert = $_SERVER['SSL_CLIENT_CERT'];
             $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
             if (!preg_match($pattern, $clientCert, $matches)) {
                 $lastError = 'Error while looking for client certificate during TLS handshake with SP, the client certificate does not ' . 'have the expected structure';
                 continue;
             }
             /* We have a valid client certificate from the browser. */
             $clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);
             foreach ($scd->info as $thing) {
                 if ($thing instanceof \SAML2\XML\ds\KeyInfo) {
                     $keyInfo[] = $thing;
                 }
             }
             if (count($keyInfo) != 1) {
                 $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in <SubjectConfirmationData> allowed';
                 continue;
             }
             foreach ($keyInfo[0]->info as $thing) {
                 if ($thing instanceof \SAML2\XML\ds\X509Data) {
                     $x509data[] = $thing;
                 }
             }
             if (count($x509data) != 1) {
                 $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in <ds:KeyInfo> within <SubjectConfirmationData> allowed';
                 continue;
             }
             foreach ($x509data[0]->data as $thing) {
                 if ($thing instanceof \SAML2\XML\ds\X509Certificate) {
                     $x509cert[] = $thing;
                 }
             }
             if (count($x509cert) != 1) {
                 $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in <ds:X509Data> within <SubjectConfirmationData> allowed';
                 continue;
             }
             $HoKCertificate = $x509cert[0]->certificate;
             if ($HoKCertificate !== $clientCert) {
                 $lastError = 'Provided client certificate does not match the certificate bound to the Holder-of-Key assertion';
                 continue;
             }
         }
         if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
             $lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
             continue;
         }
         if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
             $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: ' . $scd->NotOnOrAfter;
             continue;
         }
         if ($scd->Recipient !== NULL && $scd->Recipient !== $currentURL) {
             $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is ' . var_export($scd->Recipient, TRUE) . ', current URL is ' . var_export($currentURL, TRUE) . '.';
             continue;
         }
         if ($scd->InResponseTo !== NULL && $response->getInResponseTo() !== NULL && $scd->InResponseTo !== $response->getInResponseTo()) {
             $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has ' . var_export($response->getInResponseTo(), TRUE) . ', SubjectConfirmationData has ' . var_export($scd->InResponseTo, TRUE) . '.';
             continue;
         }
         $found = TRUE;
         break;
     }
     if (!$found) {
         throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: ' . $lastError);
     }
     /* As far as we can tell, the assertion is valid. */
     /* Maybe we need to base64 decode the attributes in the assertion? */
     if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
         $attributes = $assertion->getAttributes();
         $newAttributes = array();
         foreach ($attributes as $name => $values) {
             $newAttributes[$name] = array();
             foreach ($values as $value) {
                 foreach (explode('_', $value) as $v) {
                     $newAttributes[$name][] = base64_decode($v);
                 }
             }
         }
         $assertion->setAttributes($newAttributes);
     }
     /* Decrypt the NameID element if it is encrypted. */
     if ($assertion->isNameIdEncrypted()) {
         try {
             $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
         } catch (Exception $e) {
             throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
         }
         $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
         $lastException = NULL;
         foreach ($keys as $i => $key) {
             try {
                 $assertion->decryptNameId($key, $blacklist);
                 SimpleSAML\Logger::debug('Decryption with key #' . $i . ' succeeded.');
                 $lastException = NULL;
                 break;
             } catch (Exception $e) {
                 SimpleSAML\Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
                 $lastException = $e;
             }
         }
         if ($lastException !== NULL) {
             throw $lastException;
         }
     }
     return $assertion;
 }
Ejemplo n.º 5
0
 /**
  * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::isHTTPS() instead.
  */
 public static function isHTTPS()
 {
     return \SimpleSAML\Utils\HTTP::isHTTPS();
 }
Ejemplo n.º 6
0
 /**
  * Helper function for setting a cookie.
  *
  * @param string      $name  Name of the cookie.
  * @param string|null $value Value of the cookie. Set this to null to delete the cookie.
  *
  * @return void
  */
 private function _setConsentCookie($name, $value)
 {
     assert('is_string($name)');
     assert('is_string($value) || is_null($value)');
     $globalConfig = SimpleSAML_Configuration::getInstance();
     $params = array('lifetime' => 90 * 24 * 60 * 60, 'path' => $globalConfig->getBasePath(), 'httponly' => false);
     if (\SimpleSAML\Utils\HTTP::isHTTPS()) {
         // Enable secure cookie for https-requests
         $params['secure'] = true;
     } else {
         $params['secure'] = false;
     }
     \SimpleSAML\Utils\HTTP::setCookie($name, $value, $params, false);
 }
Ejemplo n.º 7
0
<?php

/* Load simpleSAMLphp, configuration */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();
/* Check if valid local session exists.. */
if ($config->getBoolean('admin.protectindexpage', false)) {
    SimpleSAML\Utils\Auth::requireAdmin();
}
$loginurl = SimpleSAML\Utils\Auth::getAdminLoginURL();
$isadmin = SimpleSAML\Utils\Auth::isAdmin();
$warnings = array();
if (!\SimpleSAML\Utils\HTTP::isHTTPS()) {
    $warnings[] = '{core:frontpage:warnings_https}';
}
if ($config->getValue('secretsalt') === 'defaultsecretsalt') {
    $warnings[] = '{core:frontpage:warnings_secretsalt}';
}
if (extension_loaded('suhosin')) {
    $suhosinLength = ini_get('suhosin.get.max_value_length');
    if (empty($suhosinLength) || (int) $suhosinLength < 2048) {
        $warnings[] = '{core:frontpage:warnings_suhosin_url_length}';
    }
}
$links = array();
$links_welcome = array();
$links_config = array();
$links_auth = array();
$links_federation = array();
$links_config[] = array('href' => \SimpleSAML\Utils\HTTP::getBaseURL() . 'admin/hostnames.php', 'text' => '{core:frontpage:link_diagnostics}');
$links_config[] = array('href' => \SimpleSAML\Utils\HTTP::getBaseURL() . 'admin/phpinfo.php', 'text' => '{core:frontpage:link_phpinfo}');
Ejemplo n.º 8
0
 /**
  * Retrieve the session ID saved in the session cookie, if there's one.
  *
  * @return string|null The session id saved in the cookie or null if no session cookie was set.
  *
  * @throws SimpleSAML_Error_Exception If the cookie is marked as secure but we are not using HTTPS.
  */
 public function getCookieSessionId()
 {
     if (session_id() === '') {
         if (!self::hasSessionCookie()) {
             return null;
         }
         $session_cookie_params = session_get_cookie_params();
         if ($session_cookie_params['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
             throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
         }
         $cacheLimiter = session_cache_limiter();
         if (headers_sent()) {
             /*
              * session_start() tries to send HTTP headers depending on the configuration, according to the
              * documentation:
              *
              *      http://php.net/manual/en/function.session-start.php
              *
              * If headers have been already sent, it will then trigger an error since no more headers can be sent.
              * Being unable to send headers does not mean we cannot recover the session by calling session_start(),
              * so we still want to call it. In this case, though, we want to avoid session_start() to send any
              * headers at all so that no error is generated, so we clear the cache limiter temporarily (no headers
              * sent then) and restore it after successfully starting the session.
              */
             session_cache_limiter('');
         }
         session_start();
         session_cache_limiter($cacheLimiter);
     }
     return session_id();
 }
 /**
  * Set a session cookie.
  *
  * @param string $sessionName The name of the session.
  * @param string|null $sessionID The session ID to use. Set to null to delete the cookie.
  * @param array|null $cookieParams Additional parameters to use for the session cookie.
  *
  * @throws \SimpleSAML\Error\CannotSetCookie If we can't set the cookie.
  */
 public function setCookie($sessionName, $sessionID, array $cookieParams = null)
 {
     if ($cookieParams === null) {
         $cookieParams = session_get_cookie_params();
     }
     if ($cookieParams['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
         throw new \SimpleSAML\Error\CannotSetCookie('Setting secure cookie on plain HTTP is not allowed.', \SimpleSAML\Error\CannotSetCookie::SECURE_COOKIE);
     }
     if (headers_sent()) {
         throw new \SimpleSAML\Error\CannotSetCookie('Headers already sent.', \SimpleSAML\Error\CannotSetCookie::HEADERS_SENT);
     }
     session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $cookieParams['domain'], $cookieParams['secure'], $cookieParams['httponly']);
     if (session_id() !== '') {
         // session already started, close it
         session_write_close();
     }
     session_id($sessionID);
     $this->sessionStart();
 }