Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Logic error in phpCAS::checkAuthentication(), having to do with $_SESSION['phpCAS']['auth_checked'] #35

Closed
WiredAcademic opened this issue Apr 5, 2012 · 3 comments
Closed

Logic error in phpCAS::checkAuthentication(), having to do with $_SESSION['phpCAS']['auth_checked'] #35

WiredAcademic opened this issue Apr 5, 2012 · 3 comments
Labels
Minor Bug
Milestone
1.3.1

Comments

@WiredAcademic
Copy link

Background:
phpCAS::checkAuthentication() has three parts in an IF-ELSEIF-ELSE statement.

  1. The first part short-circuits out of this function, if phpCAS::isAuthenticated() returns true.
  2. The second part removes the $_SESSION['phpCAS']['auth_checked'] variable when it is not needed anymore
  3. The last part assigns the $_SESSION['phpCAS']['auth_checked'] variable, and an $_SESSION['phpCAS']['auth_count'] variable to decide when to check again if the user was not logged in the first time.

Problem:
When the short-circuit occurs in the first part of the IF-ELSEIF-ELSE statement, the variable $_SESSION['phpCAS']['auth_checked'] remains set when it would otherwise be unset in the second part of the IF-ELSEIF-ELSE statement.

Here is what the snapshot that I have looks like:

public function checkAuthentication()
{
    phpCAS::traceBegin();
    $res = false;
    if ( $this->isAuthenticated() ) {
        phpCAS::trace('user is authenticated');
        $res = true;
    } else if (isset($_SESSION['phpCAS']['auth_checked'])) {
        // the previous request has redirected the client to the CAS server
        // with gateway=true
        unset($_SESSION['phpCAS']['auth_checked']);
        $res = false;
    } else {
...

Solution:
Here is what the change should probably include:

public function checkAuthentication()
{
    ...
    if ( $this->isAuthenticated() ) {
        phpCAS::trace('user is authenticated');
        /* Here is where the 'auth_checked' variable is removed just in case it's set. */
        /* The variable is also removed in the second part of the IF-ELSEIF-ELSE statement. */
        phpCAS::trace('Removing "auth_checked" in case it is set);
        unset($_SESSION['phpCAS']['auth_checked']);
        $res = true;
    } else if (isset($_SESSION['phpCAS']['auth_checked'])) {
...
@jfritschi
Copy link
Contributor

I think you are right. Have you had any issue with this part of the code? It's seems to me that it simply works since you are logged in in the "if" branch and doesn't really matter at that point anyway.

But it's an probably an error and could lead to other problems.

@WiredAcademic
Copy link
Author

I was trying to force the gateway check to occur each page load. I probably should have just written new methods, but I was curious to learn more how phpCAS::checkAuthentication() worked. I'm glad I tried it that way, because I learned a lot.

jfritschi added a commit that referenced this issue Apr 11, 2012
@jfritschi
#35 Unset gatway session variable on sucessfull authentication
5cab119
@jfritschi
Copy link
Contributor

@WiredAcademic: Thanks for the report.

Patch is commited.

This was referenced Jul 14, 2015
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Minor Bug
Projects
None yet
Milestone
1.3.1
Development

No branches or pull requests
2 participants
@jfritschi @WiredAcademic