Disable the removal of a CAS-Ticket from the URL when authenticating
DISABLING POSES A SECURITY RISK:
By default the ticket is removed from the URL by an additional redirect, as a
security precaution: a service ticket left in the URL can leak through the HTTP
Referer header or be carried along in the URL's query string (for instance in a
copied or logged URL). If you call this, your application must strip the ticket
from the URL itself.
public static setNoClearTicketsFromUrl ( ) : void | ||
return | void |
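/**
 * Authenticate the current request against the configured CAS server.
 *
 * Configures the phpCAS client from $config and runs a non-forcing
 * authentication check (no redirect to CAS when the user is not logged in).
 *
 * @param object $config  Settings object; reads cas_version, cashostname, casport,
 *                        casbaseuri, cas_server_ca_cert_path and cas_server_no_validation.
 * @return string|false   The CAS username on success, false when not authenticated
 *                        or when phpCAS raised an exception.
 */
function check_cas_result($config) {
    require_once dirname(__DIR__) . '/vendor/autoload.php';

    try {
        // Fall back to CAS 2.0 when the config does not name a protocol version.
        $cas_version = $config->cas_version ?: CAS_VERSION_2_0;

        // phpCAS::setDebug();

        // NOTE(review): the fifth argument is `false`. In phpCAS 1.3+ this is
        // $changeSessionID, i.e. phpCAS will NOT regenerate the PHP session id when
        // the user authenticates, so the application has to do that itself to avoid
        // session fixation. In older phpCAS releases the fifth argument was
        // $start_session instead — confirm against the bundled phpCAS version.
        phpCAS::client($cas_version, $config->cashostname, (int) $config->casport, $config->casbaseuri, false);

        // Don't let phpCAS strip the ticket from the URL via its own redirect; the
        // caller is responsible for removing it. A ticket left in the URL can leak
        // through the Referer header or copied URLs, so the caller MUST clean it up.
        phpCAS::setNoClearTicketsFromUrl();

        // Strict comparison: "" and null both mean "no CA bundle configured".
        if ((string) $config->cas_server_ca_cert_path !== '') {
            // Production: validate the CAS server's TLS certificate against this CA
            // bundle, e.g. '/etc/pki/tls/certs/DigiCertCA.crt'.
            phpCAS::setCasServerCACert($config->cas_server_ca_cert_path);
        } elseif ($config->cas_server_no_validation) {
            // Explicit opt-out of TLS certificate validation. Anyone able to intercept
            // the ticket-validation request can then impersonate the CAS server and
            // forge user identities; acceptable for local development only.
            phpCAS::setNoCasServerValidation();
        } else {
            // Neither a CA bundle nor an explicit opt-out. phpCAS normally refuses to
            // validate a ticket in this state, but only at validation time; log the
            // misconfiguration here so it is visible in the server log up front.
            error_log("CAS ERROR: cas_server_ca_cert_path is empty and cas_server_no_validation is not set");
        }

        // Non-forcing check: returns true/false, never redirects to the CAS login page.
        if (phpCAS::checkAuthentication()) {
            return phpCAS::getUser();
        }
        return false;
    } catch (Exception $e) {
        // Full detail goes to the server log.
        error_log("CAS ERROR: " . $e->getMessage());
        // NOTE(review): this hands the raw phpCAS exception text to register_error();
        // if that text is rendered to the end user, prefer a generic message here and
        // keep the detail in the log only.
        register_error($e->getMessage());
        return false;
    }
}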
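/**
 * Two-pass CAS authentication check driven by the "auth_checked" URL marker.
 *
 * First pass (no "auth_checked" in the URL): tag the URL and let phpCAS perform
 * its non-forcing check. Second pass ("auth_checked" present): decide whether
 * phpCAS may redirect to strip the ticket, then query the authentication state.
 *
 * @param bool $noCache     When true, the URL must be left untouched (no ticket cleanup redirect).
 * @param bool $haveTicket  Whether the current URL carries a CAS ticket.
 * @return array            [bool $isAuthenticated, bool $noCookies]; $noCookies is only
 *                          meaningful on the second pass and is false otherwise.
 */
function checkAuthentication_raw($noCache, $haveTicket) {
    if (isset($_GET["auth_checked"])) {
        // Second pass: we are back from CAS (or were redirected with "auth_checked").
        // The session cookie is keyed by the configured session name (PHPSESSID by
        // default); checking session_name() keeps this correct if the name is changed.
        $noCookies = !isset($_COOKIE[session_name()]);
        if ($noCookies) {
            debug_msg("cookie disabled or not accepted");
        }

        $_SESSION['time_before_verifying_CAS_ticket'] = microtime(true);
        $_SESSION['time_before_redirecting_to_CAS'] = getAndUnset($_SESSION, 'time_before_adding_auth_checked');

        if ($noCookies || $noCache) {
            // Do not let phpCAS redirect to strip the ticket:
            // - without cookies the redirect would loop forever (no session to remember the login)
            // - with noCache the URL must stay intact, otherwise "cleanup SESSION" would run
            //   after the final redirect to the clean URL.
            // Leaving the ticket in the URL is a known leak vector (Referer header, copied
            // URLs); that is the trade-off accepted for these two cases.
            phpCAS::setNoClearTicketsFromUrl();
        } elseif ($haveTicket) {
            // Drop "auth_checked" after CAS, before redirecting to the final URL.
            toggle_auth_checked_in_redirect();
        }

        // Fail closed: an exception from phpCAS must leave us unauthenticated rather
        // than returning an undefined $isAuthenticated.
        $isAuthenticated = false;
        try {
            $isAuthenticated = phpCAS::isAuthenticated();
        } catch (Exception $e) {
            // Best effort: record the failure but do not abort the page.
            error_log("CAS ERROR: " . $e->getMessage());
        }
    } else {
        // First pass: tag the URL with "auth_checked" before redirecting to CAS.
        toggle_auth_checked_in_redirect();
        $_SESSION['time_before_adding_auth_checked'] = microtime(true);
        $isAuthenticated = phpCAS::checkAuthentication();
        // NB: if we reach this point, we are either in the "previously authenticated"
        // case or after the final redirect to the clean URL.
        $noCookies = false;
    }

    return array($isAuthenticated, $noCookies);
}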