/**
* Retrieve the session id of saved in the session cookie.
*
* @return string The session id saved in the cookie.
*/
public function getCookieSessionId()
{
if (session_id() === '') {
if (!self::hasSessionCookie()) {
return self::newSessionId();
}
$session_cookie_params = session_get_cookie_params();
if ($session_cookie_params['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
}
session_start();
}
return session_id();
}
/**
* Test SimpleSAML\Utils\HTTP::getSelfURL().
*/
public function testGetSelfURLMethods()
{
$original = $_SERVER;
/*
* Test a URL pointing to a script that's not part of the public interface. This allows us to test calls to
* getSelfURL() from scripts outside of SimpleSAMLphp
*/
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'http://example.com/simplesaml/'), '[ARRAY]', 'simplesaml');
$url = 'https://example.com/app/script.php/some/path?foo=bar';
$this->setupEnvFromURL($url);
$_SERVER['SCRIPT_FILENAME'] = '/var/www/app/script.php';
$this->assertEquals($url, HTTP::getSelfURL());
$this->assertEquals('https://example.com', HTTP::getSelfURLHost());
$this->assertEquals('https://example.com/app/script.php/some/path', HTTP::getSelfURLNoQuery());
$this->assertTrue(HTTP::isHTTPS());
$this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a request URI that doesn't match the current script
$cfg = \SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.org/simplesaml/'), '[ARRAY]', 'simplesaml');
$baseDir = $cfg->getBaseDir();
$_SERVER['SCRIPT_FILENAME'] = $baseDir . 'www/module.php';
$this->setupEnvFromURL('http://www.example.com/protected/resource.asp?foo=bar');
$this->assertEquals('http://www.example.com/protected/resource.asp?foo=bar', HTTP::getSelfURL());
$this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());
$this->assertEquals('http://www.example.com/protected/resource.asp', HTTP::getSelfURLNoQuery());
$this->assertFalse(HTTP::isHTTPS());
$this->assertEquals('example.org', HTTP::getSelfHostWithNonStandardPort());
$this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());
// test a valid, full URL, based on a full URL in the configuration
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com/simplesaml/'), '[ARRAY]', 'simplesaml');
$this->setupEnvFromURL('http://www.example.org/module.php/module/file.php?foo=bar');
$this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('https://example.com', HTTP::getSelfURLHost());
$this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertTrue(HTTP::isHTTPS());
$this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a valid, full URL, based on a full URL *without* a trailing slash in the configuration
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com/simplesaml'), '[ARRAY]', 'simplesaml');
$this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('https://example.com', HTTP::getSelfURLHost());
$this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertTrue(HTTP::isHTTPS());
$this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a valid, full URL, based on a full URL *without* a path in the configuration
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => 'https://example.com'), '[ARRAY]', 'simplesaml');
$this->assertEquals('https://example.com/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('https://example.com', HTTP::getSelfURLHost());
$this->assertEquals('https://example.com/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertTrue(HTTP::isHTTPS());
$this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a valid, full URL, based on a relative path in the configuration
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
$this->setupEnvFromURL('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar');
$this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('http://www.example.org', HTTP::getSelfURLHost());
$this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertFalse(HTTP::isHTTPS());
$this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a valid, full URL, based on a relative path in the configuration and a non standard port
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
$this->setupEnvFromURL('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
$this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('http://example.org:8080', HTTP::getSelfURLHost());
$this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertFalse(HTTP::isHTTPS());
$this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
// test a valid, full URL, based on a relative path in the configuration, a non standard port and HTTPS
\SimpleSAML_Configuration::loadFromArray(array('baseurlpath' => '/simplesaml/'), '[ARRAY]', 'simplesaml');
$this->setupEnvFromURL('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
$this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
$this->assertEquals('https://example.org:8080', HTTP::getSelfURLHost());
$this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
$this->assertTrue(HTTP::isHTTPS());
$this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());
$_SERVER = $original;
}
/**
* Build an assertion based on information in the metadata.
*
* @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param array &$state The state array with information about the request.
* @return SAML2_Assertion The assertion.
*/
private static function buildAssertion(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, array &$state)
{
assert('isset($state["Attributes"])');
assert('isset($state["saml:ConsumerURL"])');
$now = time();
$signAssertion = $spMetadata->getBoolean('saml20.sign.assertion', NULL);
if ($signAssertion === NULL) {
$signAssertion = $idpMetadata->getBoolean('saml20.sign.assertion', TRUE);
}
$config = SimpleSAML_Configuration::getInstance();
$a = new SAML2_Assertion();
if ($signAssertion) {
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $a);
}
$a->setIssuer($idpMetadata->getString('entityid'));
$a->setValidAudiences(array($spMetadata->getString('entityid')));
$a->setNotBefore($now - 30);
$assertionLifetime = $spMetadata->getInteger('assertion.lifetime', NULL);
if ($assertionLifetime === NULL) {
$assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
}
$a->setNotOnOrAfter($now + $assertionLifetime);
if (isset($state['saml:AuthnContextClassRef'])) {
$a->setAuthnContext($state['saml:AuthnContextClassRef']);
} else {
$a->setAuthnContext(SAML2_Const::AC_PASSWORD);
}
$sessionStart = $now;
if (isset($state['AuthnInstant'])) {
$a->setAuthnInstant($state['AuthnInstant']);
$sessionStart = $state['AuthnInstant'];
}
$sessionLifetime = $config->getInteger('session.duration', 8 * 60 * 60);
$a->setSessionNotOnOrAfter($sessionStart + $sessionLifetime);
$a->setSessionIndex(SimpleSAML\Utils\Random::generateID());
$sc = new SAML2_XML_saml_SubjectConfirmation();
$sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$sc->SubjectConfirmationData->NotOnOrAfter = $now + $assertionLifetime;
$sc->SubjectConfirmationData->Recipient = $state['saml:ConsumerURL'];
$sc->SubjectConfirmationData->InResponseTo = $state['saml:RequestId'];
/* ProtcolBinding of SP's <AuthnRequest> overwrites IdP hosted metadata configuration. */
$hokAssertion = NULL;
if ($state['saml:Binding'] === SAML2_Const::BINDING_HOK_SSO) {
$hokAssertion = TRUE;
}
if ($hokAssertion === NULL) {
$hokAssertion = $idpMetadata->getBoolean('saml20.hok.assertion', FALSE);
}
if ($hokAssertion) {
/* Holder-of-Key */
$sc->Method = SAML2_Const::CM_HOK;
if (\SimpleSAML\Utils\HTTP::isHTTPS()) {
if (isset($_SERVER['SSL_CLIENT_CERT']) && !empty($_SERVER['SSL_CLIENT_CERT'])) {
/* Extract certificate data (if this is a certificate). */
$clientCert = $_SERVER['SSL_CLIENT_CERT'];
$pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
if (preg_match($pattern, $clientCert, $matches)) {
/* We have a client certificate from the browser which we add to the HoK assertion. */
$x509Certificate = new SAML2_XML_ds_X509Certificate();
$x509Certificate->certificate = str_replace(array("\r", "\n", " "), '', $matches[1]);
$x509Data = new SAML2_XML_ds_X509Data();
$x509Data->data[] = $x509Certificate;
$keyInfo = new SAML2_XML_ds_KeyInfo();
$keyInfo->info[] = $x509Data;
$sc->SubjectConfirmationData->info[] = $keyInfo;
} else {
throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No valid client certificate provided during TLS handshake with IdP');
}
} else {
throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No client certificate provided during TLS handshake with IdP');
}
} else {
throw new SimpleSAML_Error_Exception('Error creating HoK assertion: No HTTPS connection to IdP, but required for Holder-of-Key SSO');
}
} else {
/* Bearer */
$sc->Method = SAML2_Const::CM_BEARER;
}
$a->setSubjectConfirmation(array($sc));
/* Add attributes. */
if ($spMetadata->getBoolean('simplesaml.attributes', TRUE)) {
$attributeNameFormat = self::getAttributeNameFormat($idpMetadata, $spMetadata);
$a->setAttributeNameFormat($attributeNameFormat);
$attributes = self::encodeAttributes($idpMetadata, $spMetadata, $state['Attributes']);
$a->setAttributes($attributes);
}
/* Generate the NameID for the assertion. */
if (isset($state['saml:NameIDFormat'])) {
$nameIdFormat = $state['saml:NameIDFormat'];
} else {
$nameIdFormat = NULL;
}
if ($nameIdFormat === NULL || !isset($state['saml:NameID'][$nameIdFormat])) {
/* Either not set in request, or not set to a format we supply. Fall back to old generation method. */
$nameIdFormat = $spMetadata->getString('NameIDFormat', NULL);
if ($nameIdFormat === NULL) {
$nameIdFormat = $idpMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
}
}
if (isset($state['saml:NameID'][$nameIdFormat])) {
$nameId = $state['saml:NameID'][$nameIdFormat];
$nameId['Format'] = $nameIdFormat;
} else {
$spNameQualifier = $spMetadata->getString('SPNameQualifier', NULL);
if ($spNameQualifier === NULL) {
$spNameQualifier = $spMetadata->getString('entityid');
}
if ($nameIdFormat === SAML2_Const::NAMEID_TRANSIENT) {
/* generate a random id */
$nameIdValue = SimpleSAML\Utils\Random::generateID();
} else {
/* this code will end up generating either a fixed assigned id (via nameid.attribute)
or random id if not assigned/configured */
$nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
if ($nameIdValue === NULL) {
SimpleSAML_Logger::warning('Falling back to transient NameID.');
$nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;
$nameIdValue = SimpleSAML\Utils\Random::generateID();
}
}
$nameId = array('Format' => $nameIdFormat, 'Value' => $nameIdValue, 'SPNameQualifier' => $spNameQualifier);
}
$state['saml:idp:NameID'] = $nameId;
$a->setNameId($nameId);
$encryptNameId = $spMetadata->getBoolean('nameid.encryption', NULL);
if ($encryptNameId === NULL) {
$encryptNameId = $idpMetadata->getBoolean('nameid.encryption', FALSE);
}
if ($encryptNameId) {
$a->encryptNameId(sspmod_saml_Message::getEncryptionKey($spMetadata));
}
return $a;
}
/**
* Process an assertion in a response.
*
* Will throw an exception if it is invalid.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
* @param \SAML2\Response $response The response containing the assertion.
* @param \SAML2\Assertion|\SAML2\EncryptedAssertion $assertion The assertion.
* @param bool $responseSigned Whether the response is signed.
* @return \SAML2\Assertion The assertion, if it is valid.
*/
private static function processAssertion(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response, $assertion, $responseSigned)
{
assert('$assertion instanceof \\SAML2\\Assertion || $assertion instanceof \\SAML2\\EncryptedAssertion');
assert('is_bool($responseSigned)');
$assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);
if (!self::checkSign($idpMetadata, $assertion)) {
if (!$responseSigned) {
throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
}
}
/* At least one valid signature found. */
$currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
/* Check various properties of the assertion. */
$notBefore = $assertion->getNotBefore();
if ($notBefore !== NULL && $notBefore > time() + 60) {
throw new SimpleSAML_Error_Exception('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
}
$notOnOrAfter = $assertion->getNotOnOrAfter();
if ($notOnOrAfter !== NULL && $notOnOrAfter <= time() - 60) {
throw new SimpleSAML_Error_Exception('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
}
$sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
throw new SimpleSAML_Error_Exception('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
}
$validAudiences = $assertion->getValidAudiences();
if ($validAudiences !== NULL) {
$spEntityId = $spMetadata->getString('entityid');
if (!in_array($spEntityId, $validAudiences, TRUE)) {
$candidates = '[' . implode('], [', $validAudiences) . ']';
throw new SimpleSAML_Error_Exception('This SP [' . $spEntityId . '] is not a valid audience for the assertion. Candidates were: ' . $candidates);
}
}
$found = FALSE;
$lastError = 'No SubjectConfirmation element in Subject.';
$validSCMethods = array(\SAML2\Constants::CM_BEARER, \SAML2\Constants::CM_HOK, \SAML2\Constants::CM_VOUCHES);
foreach ($assertion->getSubjectConfirmation() as $sc) {
if (!in_array($sc->Method, $validSCMethods)) {
$lastError = 'Invalid Method on SubjectConfirmation: ' . var_export($sc->Method, TRUE);
continue;
}
/* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
$hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
if ($hok === NULL) {
$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
}
if ($sc->Method === \SAML2\Constants::CM_BEARER && $hok) {
$lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
continue;
}
if ($sc->Method === \SAML2\Constants::CM_HOK && !$hok) {
$lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
continue;
}
$scd = $sc->SubjectConfirmationData;
if ($sc->Method === \SAML2\Constants::CM_HOK) {
/* Check HoK Assertion */
if (\SimpleSAML\Utils\HTTP::isHTTPS() === FALSE) {
$lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
continue;
}
if (isset($_SERVER['SSL_CLIENT_CERT']) && empty($_SERVER['SSL_CLIENT_CERT'])) {
$lastError = 'No client certificate provided during TLS Handshake with SP';
continue;
}
/* Extract certificate data (if this is a certificate). */
$clientCert = $_SERVER['SSL_CLIENT_CERT'];
$pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
if (!preg_match($pattern, $clientCert, $matches)) {
$lastError = 'Error while looking for client certificate during TLS handshake with SP, the client certificate does not ' . 'have the expected structure';
continue;
}
/* We have a valid client certificate from the browser. */
$clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);
foreach ($scd->info as $thing) {
if ($thing instanceof \SAML2\XML\ds\KeyInfo) {
$keyInfo[] = $thing;
}
}
if (count($keyInfo) != 1) {
$lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in <SubjectConfirmationData> allowed';
continue;
}
foreach ($keyInfo[0]->info as $thing) {
if ($thing instanceof \SAML2\XML\ds\X509Data) {
$x509data[] = $thing;
}
}
if (count($x509data) != 1) {
$lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in <ds:KeyInfo> within <SubjectConfirmationData> allowed';
continue;
}
foreach ($x509data[0]->data as $thing) {
if ($thing instanceof \SAML2\XML\ds\X509Certificate) {
$x509cert[] = $thing;
}
}
if (count($x509cert) != 1) {
$lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in <ds:X509Data> within <SubjectConfirmationData> allowed';
continue;
}
$HoKCertificate = $x509cert[0]->certificate;
if ($HoKCertificate !== $clientCert) {
$lastError = 'Provided client certificate does not match the certificate bound to the Holder-of-Key assertion';
continue;
}
}
if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
$lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
continue;
}
if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
$lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: ' . $scd->NotOnOrAfter;
continue;
}
if ($scd->Recipient !== NULL && $scd->Recipient !== $currentURL) {
$lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is ' . var_export($scd->Recipient, TRUE) . ', current URL is ' . var_export($currentURL, TRUE) . '.';
continue;
}
if ($scd->InResponseTo !== NULL && $response->getInResponseTo() !== NULL && $scd->InResponseTo !== $response->getInResponseTo()) {
$lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has ' . var_export($response->getInResponseTo(), TRUE) . ', SubjectConfirmationData has ' . var_export($scd->InResponseTo, TRUE) . '.';
continue;
}
$found = TRUE;
break;
}
if (!$found) {
throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: ' . $lastError);
}
/* As far as we can tell, the assertion is valid. */
/* Maybe we need to base64 decode the attributes in the assertion? */
if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
$attributes = $assertion->getAttributes();
$newAttributes = array();
foreach ($attributes as $name => $values) {
$newAttributes[$name] = array();
foreach ($values as $value) {
foreach (explode('_', $value) as $v) {
$newAttributes[$name][] = base64_decode($v);
}
}
}
$assertion->setAttributes($newAttributes);
}
/* Decrypt the NameID element if it is encrypted. */
if ($assertion->isNameIdEncrypted()) {
try {
$keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
} catch (Exception $e) {
throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
}
$blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
$lastException = NULL;
foreach ($keys as $i => $key) {
try {
$assertion->decryptNameId($key, $blacklist);
SimpleSAML\Logger::debug('Decryption with key #' . $i . ' succeeded.');
$lastException = NULL;
break;
} catch (Exception $e) {
SimpleSAML\Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
$lastException = $e;
}
}
if ($lastException !== NULL) {
throw $lastException;
}
}
return $assertion;
}
/**
* @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::isHTTPS() instead.
*/
public static function isHTTPS()
{
return \SimpleSAML\Utils\HTTP::isHTTPS();
}
/**
* Helper function for setting a cookie.
*
* @param string $name Name of the cookie.
* @param string|null $value Value of the cookie. Set this to null to delete the cookie.
*
* @return void
*/
private function _setConsentCookie($name, $value)
{
assert('is_string($name)');
assert('is_string($value) || is_null($value)');
$globalConfig = SimpleSAML_Configuration::getInstance();
$params = array('lifetime' => 90 * 24 * 60 * 60, 'path' => $globalConfig->getBasePath(), 'httponly' => false);
if (\SimpleSAML\Utils\HTTP::isHTTPS()) {
// Enable secure cookie for https-requests
$params['secure'] = true;
} else {
$params['secure'] = false;
}
\SimpleSAML\Utils\HTTP::setCookie($name, $value, $params, false);
}
<?php
/* Load simpleSAMLphp, configuration */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();
/* Check if valid local session exists.. */
if ($config->getBoolean('admin.protectindexpage', false)) {
SimpleSAML\Utils\Auth::requireAdmin();
}
$loginurl = SimpleSAML\Utils\Auth::getAdminLoginURL();
$isadmin = SimpleSAML\Utils\Auth::isAdmin();
$warnings = array();
if (!\SimpleSAML\Utils\HTTP::isHTTPS()) {
$warnings[] = '{core:frontpage:warnings_https}';
}
if ($config->getValue('secretsalt') === 'defaultsecretsalt') {
$warnings[] = '{core:frontpage:warnings_secretsalt}';
}
if (extension_loaded('suhosin')) {
$suhosinLength = ini_get('suhosin.get.max_value_length');
if (empty($suhosinLength) || (int) $suhosinLength < 2048) {
$warnings[] = '{core:frontpage:warnings_suhosin_url_length}';
}
}
$links = array();
$links_welcome = array();
$links_config = array();
$links_auth = array();
$links_federation = array();
$links_config[] = array('href' => \SimpleSAML\Utils\HTTP::getBaseURL() . 'admin/hostnames.php', 'text' => '{core:frontpage:link_diagnostics}');
$links_config[] = array('href' => \SimpleSAML\Utils\HTTP::getBaseURL() . 'admin/phpinfo.php', 'text' => '{core:frontpage:link_phpinfo}');
/**
* Retrieve the session ID saved in the session cookie, if there's one.
*
* @return string|null The session id saved in the cookie or null if no session cookie was set.
*
* @throws SimpleSAML_Error_Exception If the cookie is marked as secure but we are not using HTTPS.
*/
public function getCookieSessionId()
{
if (session_id() === '') {
if (!self::hasSessionCookie()) {
return null;
}
$session_cookie_params = session_get_cookie_params();
if ($session_cookie_params['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
throw new SimpleSAML_Error_Exception('Session start with secure cookie not allowed on http.');
}
$cacheLimiter = session_cache_limiter();
if (headers_sent()) {
/*
* session_start() tries to send HTTP headers depending on the configuration, according to the
* documentation:
*
* http://php.net/manual/en/function.session-start.php
*
* If headers have been already sent, it will then trigger an error since no more headers can be sent.
* Being unable to send headers does not mean we cannot recover the session by calling session_start(),
* so we still want to call it. In this case, though, we want to avoid session_start() to send any
* headers at all so that no error is generated, so we clear the cache limiter temporarily (no headers
* sent then) and restore it after successfully starting the session.
*/
session_cache_limiter('');
}
session_start();
session_cache_limiter($cacheLimiter);
}
return session_id();
}
/**
* Set a session cookie.
*
* @param string $sessionName The name of the session.
* @param string|null $sessionID The session ID to use. Set to null to delete the cookie.
* @param array|null $cookieParams Additional parameters to use for the session cookie.
*
* @throws \SimpleSAML\Error\CannotSetCookie If we can't set the cookie.
*/
public function setCookie($sessionName, $sessionID, array $cookieParams = null)
{
if ($cookieParams === null) {
$cookieParams = session_get_cookie_params();
}
if ($cookieParams['secure'] && !\SimpleSAML\Utils\HTTP::isHTTPS()) {
throw new \SimpleSAML\Error\CannotSetCookie('Setting secure cookie on plain HTTP is not allowed.', \SimpleSAML\Error\CannotSetCookie::SECURE_COOKIE);
}
if (headers_sent()) {
throw new \SimpleSAML\Error\CannotSetCookie('Headers already sent.', \SimpleSAML\Error\CannotSetCookie::HEADERS_SENT);
}
session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $cookieParams['domain'], $cookieParams['secure'], $cookieParams['httponly']);
if (session_id() !== '') {
// session already started, close it
session_write_close();
}
session_id($sessionID);
$this->sessionStart();
}
