Session referer check should not be set if using SAML
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Critical | Unassigned | |
| 1.10 | Fix Released | Critical | Unassigned | |
| 15.04 | Fix Released | Critical | Unassigned | |
| 15.10 | Fix Released | Critical | Unassigned | |
| 16.04 | Fix Released | Critical | Unassigned | |
| 16.10 | Fix Released | Critical | Aaron Wells | |
Bug Description
I'm using the SAML plugin for authentication and I've noticed that this change: https:/
I believe only 16.04(rc1) is affected as that change is not present in 15.10.2.
The setting "session.
The particular line from the commit mentioned above is:
- htdocs/
ini_set(
This option should not be set for most users if they are using SAML as an authentication method (in my case I am using a custom SAML auth plugin). During the login process SAML will redirect the user away from the wwwroot and when the user returns to Mahara the session data is cleared. This causes the "populate" function in the "LiveUser" class to attempt to create a new user using the default attributes (empty fields for username/
I'd suggest adding a "session_
Changed in mahara: status: Fix Committed → Fix Released
Hi Jake,
Thanks for the bug report! You are correct: not only does that "session.referer_check" kill SAML, it also means that if you navigate to your Mahara site via a link (say, from an email), you get logged out.
We put that in there because the patch was based on the recommendations in the PHP manual's "securing sessions" page: http://php.net/manual/en/session.security.php
... but that page also points out that the setting is only helpful if you've turned on session.use_trans_sid. And we have always had session.use_trans_sid turned off, therefore we don't also need session.referer_check.
So, I will push a patch to get rid of that.
Cheers,
Aaron
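The two points in this thread, that session.referer_check drops a session whenever the browser arrives with a foreign Referer (so a SAML IdP callback or an email link logs you out) and that the directive only guards against something when session.use_trans_sid is on, can be checked against a small model of PHP's rule. The code below is an added illustration, not Mahara or PHP code; the site root, session id and Referer values are constructed for the example, and the PHP behaviour it models is that the presented session id is discarded only when a non-empty Referer is sent that does not contain the configured substring.

```python
"""Model of PHP's session.referer_check decision (added example, not Mahara code).

PHP's rule: when session.referer_check is non-empty, the request carries a
non-empty Referer header, and the configured substring does not occur in that
header, the incoming session id is thrown away and the request gets a fresh,
empty session. A request without a Referer is not treated as external.
All URLs, header values and the session id below are constructed samples.
"""
from typing import Dict, Mapping

WWWROOT = "https://mahara.example.org/"  # assumed site root, stands in for the wwwroot


def referer_check_keeps_session(referer_check: str, headers: Mapping[str, str]) -> bool:
    """True if PHP would keep the presented session id for this request."""
    if not referer_check:
        return True            # directive empty: no check at all (the fix in this bug)
    referer = headers.get("Referer", "")
    if not referer:
        return True            # PHP only checks when the browser sent a Referer
    return referer_check in referer


# Constructed requests covering the cases discussed in the thread.
SAMPLE_REQUESTS: Dict[str, Mapping[str, str]] = {
    "same-site link": {"Referer": WWWROOT + "view/index.php"},
    "typed URL or bookmark": {},                                   # no Referer at all
    "link from webmail": {"Referer": "https://mail.example.com/inbox"},
    "SAML IdP posting back to the ACS": {"Referer": "https://idp.example.edu/saml2/sso"},
}


def evaluate(referer_check: str) -> Dict[str, bool]:
    """Map each sample request to whether its session survives under this setting."""
    return {name: referer_check_keeps_session(referer_check, hdrs)
            for name, hdrs in SAMPLE_REQUESTS.items()}


def session_id_in_outgoing_referer(use_trans_sid: bool, sid: str, path: str) -> bool:
    """What referer_check is meant to protect against.

    With session.use_trans_sid on, PHP can embed the session id in page URLs, and
    such a URL becomes the Referer the browser sends to any external site the user
    clicks through to. With it off (Mahara's setting) the id lives only in the
    cookie, which never appears in a Referer, so there is nothing for
    referer_check to guard.
    """
    url = WWWROOT + path + (f"?PHPSESSID={sid}" if use_trans_sid else "")
    return sid in url


if __name__ == "__main__":
    for setting in (WWWROOT, ""):
        print(f"session.referer_check = {setting!r}")
        for name, kept in evaluate(setting).items():
            print(f"  {name:36s} -> {'session kept' if kept else 'session dropped'}")
    print("sid leaks via Referer with use_trans_sid on :",
          session_id_in_outgoing_referer(True, "c0ns7ruct3d", "view/index.php"))
    print("sid leaks via Referer with use_trans_sid off:",
          session_id_in_outgoing_referer(False, "c0ns7ruct3d", "view/index.php"))
```

Running it shows the failure mode from the report: with the check set to the site root, the IdP callback and the email link both lose their session while direct and same-site navigation keep theirs; with the directive left empty, every request keeps its session. The second function shows why the empty setting costs nothing here: with use_trans_sid off the session id never reaches an outgoing Referer in the first place.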