
Add smart_ssl mode

In this mode, IDs can be specified with HTTPS and HTTP, but authentication is
always done via HTTPS.
1 parent aa8ef6d commit 5006dc27ccd4e7aec8979672e13b0df5b131ebe2 @adrianheine committed
Showing with 21 additions and 6 deletions.
  1. +20 −6 engine.php
  2. +1 −0 index.php
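--- a/engine.php
+++ b/engine.php
@@ -542,11 +542,18 @@ function checkid ( $wait ) {
 wrap_refresh(wrap_param($profile['idp_url'],'openid.mode=accept'));
 }
+$requested_identity = $identity;
 // make sure i am this identifier
 if ($identity != $profile['idp_url']) {
-debug("Invalid identity: $identity");
-debug("IdP URL: " . $profile['idp_url']);
-error_get($return_to, "Invalid identity: '$identity'");
+// If mismatch is only in protocol, ignore
+if ($profile['smart_ssl'] && substr($identity, strpos($identity, ':') + 1) ==
+substr($profile['idp_url'], strpos($profile['idp_url'], ':') + 1)) {
+$identity = $profile['idp_url'];
+} else {
+debug("Invalid identity: $identity");
+debug("IdP URL: " . $profile['idp_url']);
+error_get($return_to, "Invalid identity: '$identity' expected {$profile['idp_url']}");
+}
 }
 // begin setting up return keys
@@ -608,7 +615,7 @@ function checkid ( $wait ) {
 list ($assoc_handle, $shared_secret) = new_assoc($lifetime);
 }
-$keys['identity'] = $profile['idp_url'];
+$keys['identity'] = $requested_identity;
 $keys['assoc_handle'] = $assoc_handle;
 $keys['return_to'] = $return_to;
@@ -735,7 +742,7 @@ function logout_mode () {
 function no_mode () {
 global $profile, $sreg, $proto, $html, $reldir;
-user_session();
+user_session(false);
 $demo_name = $proto . '://' . $_SERVER['SERVER_NAME'] . $reldir . 'joe';
 $user_name = ($sreg['fullname'] == '') ? $sreg['nickname'] : $sreg['fullname'];
@@ -1665,9 +1672,16 @@ function url_descends ( $child, $parent ) {
 * @global array $profile
 * @global array $proto
 */
-function user_session () {
+function user_session ($really_try = true) {
 global $proto, $profile;
+if ($profile['smart_ssl']) {
+if ($really_try && !($_SERVER['HTTPS'] && $_SERVER['HTTPS'] !== 'off')) {
+header('Location: https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
+exit();
+}
+session_set_cookie_params(0, '/', '', true, true);
+}
 session_name('OpenIDLdap_Server');
 @session_start();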
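Review bot: The smart_ssl comparison in the first hunk only checks that everything after the first `:` matches, so it does not actually restrict the mismatch to http-versus-https: any other scheme, or an identity with no `:` at all (strpos() returns false, which becomes offset 1 in the substr() call), is accepted whenever the remainder matches, and the second hunk then signs that unchanged `$requested_identity` into the assertion. I would switch the loose `==` to `===` and require an explicit scheme before comparing the tail: `if ($profile['smart_ssl'] && preg_match('#^https?://#i', $identity) && substr($identity, strpos($identity, ':') + 1) === substr($profile['idp_url'], strpos($profile['idp_url'], ':') + 1)) {`. Whether a relying party would act on an assertion for a foreign-scheme identity depends on its own discovery, which is outside this file, so the practical exposure is presumably small, but the behaviour the comment promises ("mismatch is only in protocol") should be what the code enforces. checkid's body begins before the first hunk and continues past the second.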
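--- a/index.php
+++ b/index.php
@@ -36,6 +36,7 @@
 # 'lifetime' => 1440,
 # 'paranoid' => false, # EXPERIMENTAL
 # 'force_ssl' => false, # EXPERIMENTAL
+# 'smart_ssl' => false, # EXPERIMENTAL
 # Logging Config - Please see README before setting these
 # 'debug' => false,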
