Parameterizable session subname #68
Comments
I think this issue might already be fixed if we implement #67. The way the session cookies are set up currently, they do not include a subdirectory in the session cookie. If #67 is implemented and your widgets were split into different subdirectories (app1/ and app2/), a session cookie for one application would not interfere with the other (provided you configure the cookies properly with the new hardening feature). Would that already fix your problem?
Yeah, but I have one widget for multiple CAS servers. So the path is the same...
I think this idea makes sense, to fix this in general. I will have a look at it and aim for an implementation somewhere down the road. I will check over the weekend how much effort this will actually take.
one server by adding the CAS server url to the phpcas session cookie as new variable
Please test the master branch and provide some feedback. It should work automagically since the CAS server URL is simply added to the cookie variables.
Single logout is pretty certainly not going to work properly and there is no way to fix it. A single logout call from one CAS server will kill all phpCAS sessions (if you have single logout enabled). And any forced local calls to the phpCAS::logout*() functions will also do the same. They will kill all sessions.
The logout() problem should be fixed. Single sign-out will not be fixable on our end. The way PHP and phpCAS work (stateless, without a database) there is no way to fix this. This can only be fixed with the single sign-out callback handlers if you have some kind of persistent storage.
Yeah, but I'm using a callback for logout with rename session set to false.
Works fine for me. But one thing that could be nice is to expose a function like:

```php
// $casClient: the CAS_Client instance of the server being logged out,
// passed in by whoever invokes the callback.
function myLogoutCallbackFunction($casClient)
{
    // Drop only this server's auth data, leaving the other servers' entries intact.
    unset($_SESSION['phpCAS'][$casClient->getServerBaseUrl()]);
}
```
In my view this will not work. Single logout depends on the callback with the ST and restoring the session with a matching name and then logging out. I don't think this is possible in your use case because a logout callback does not know which session to log out. Also, logout() does exactly what you are proposing.
I have one callback per server, so a different instance of the client is loaded depending on the callback. So in my case I can know which session I have to flush. But moreover, do you think it is possible to retrieve the referer when receiving the SAML logout POST request and flush the session using the referer?
Yes, you can identify the server through the instance or URL you are using. But since the logout call is coming from the CAS server and not the user, there is no way to match the call to a session (no cookie). The logout call only contains the ST that you have to use to find the right user session to terminate. This is done by having the ST as the session name. The function
Yeah, I talked bullshit... You're right about SSOut. But without SSOut the feature is working. I will think about some kind of mapping between sessions to be able to delete or override the user's (server-side) session.
About SSOut, it may be a bad idea but it works if you create a session per CAS server using session_name(). You must keep cf. https://github.com/kakawait/phpCAS/commit/67573b3c667f4fbf9e6e81f9729ab973f9dd18d0 (based on branch 1.3 stable). I would like to know your opinion.
I don't think you can have multiple sessions with one user. The only alternative is multiple normal cookies, but this does not help because there is no server-side storage of cookies.
It's possible to use multiple sessions for one user. With this feature (which finally doesn't need any modification inside the phpCAS lib) I can have multiple widgets on different passports with SSOut working. Take two widgets:
Both widgets are loaded on the same webpage of my application (here
and if you have a third widget using CASserverA, the serviceUrl/callbackUrl are the same as WidgetA:
But in terms of code implementation the widgets use the same code, just the config is different depending on the URL.

```php
// getCasServerBaseUri() is the widget's own helper returning the CAS server URL for this request.
// The session name must be set before phpCAS starts the session.
session_name(getCasServerBaseUri());
// Note that the last parameter $changeSessionID must be true or SSOut won't work
phpCAS::proxy($version, $host, $port, $casUri, true);
```

... Thereby the user will have two sessions.
In this configuration widget authentication works; now let's look at the SSOut flow process. So the Thus next time the user comes back with its To conclude, this way of doing it works in my case (implemented & tested), so I no longer need the multi-CAS session in the same session because I will have a session per server.
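The per-server session_name() approach discussed in the comment above, written out as an added example (this is not phpCAS project code and not the commenter's branch). It assumes the phpCAS 1.3-era static API used in the thread (phpCAS::proxy(), phpCAS::setCasServerCACert(), phpCAS::handleLogoutRequests(), phpCAS::forceAuthentication(), phpCAS::getUser()); the `$casServers` whitelist, the `cas` request parameter and the CA bundle path are hypothetical configuration. It adds two checks a practitioner wants here: the CAS server is chosen from a fixed whitelist rather than from user input, and the session name is derived from the server URL instead of being the raw URL, because cookie names are RFC 6265 tokens and cannot contain ':', '/' or '='.

```php
<?php
// Added example, not phpCAS project code. One PHP session (cookie) per CAS server,
// so that widgets talking to different servers do not overwrite each other's
// $_SESSION['phpCAS'] and single sign-out only hits the matching session.
require_once 'CAS.php';

// Hypothetical whitelist of CAS servers this widget may use.
$casServers = [
    'cas1' => ['host' => 'cas1.com', 'port' => 443, 'uri' => '/cas'],
    'cas2' => ['host' => 'cas2.com', 'port' => 443, 'uri' => '/cas'],
];

// Select the server by a short key, never by a hostname taken from the request:
// otherwise a caller could point the widget at an attacker-controlled "CAS server".
$key = isset($_GET['cas']) ? (string) $_GET['cas'] : '';
if (!isset($casServers[$key])) {
    http_response_code(400);
    exit('unknown CAS server');
}
$cfg = $casServers[$key];

// Derive the session name from the server base URL. The raw URL is not a valid
// cookie name (':' and '/' are not token characters), and PHP refuses all-digit
// session names, so use a letter prefix plus a truncated hash of the URL.
// Distinct servers still get distinct cookies.
$baseUrl = 'https://' . $cfg['host'] . ':' . $cfg['port'] . $cfg['uri'];
session_name('CAS' . substr(hash('sha256', $baseUrl), 0, 16));

// session_name() must run before phpCAS starts the session. The last argument
// ($changeSessionID = true) is what makes single sign-out work: phpCAS renames
// the session to the ST, so the server's later logout request, which carries
// only the ST and no cookie, can locate exactly this session.
phpCAS::proxy(CAS_VERSION_2_0, $cfg['host'], $cfg['port'], $cfg['uri'], true);

// Validate the CAS server certificate; do not use setNoCasServerValidation() in production.
phpCAS::setCasServerCACert('/etc/ssl/certs/ca-bundle.crt');

// Handle SLO POSTs from the CAS server before authenticating. Because this
// session name belongs to one server only, a logout from cas1.com cannot
// terminate the user's cas2.com session.
phpCAS::handleLogoutRequests();

phpCAS::forceAuthentication();
echo 'user ' . htmlspecialchars(phpCAS::getUser()) . ' authenticated via ' . htmlspecialchars($cfg['host']);
```

Each widget instance is loaded with a different `cas` key, so the browser ends up holding one session cookie per CAS server for the same application path, which is the behaviour the comment describes.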
Using the session name makes sense. I guess I should change this in phpCAS and adopt your approach.
You will roll back the code? And the main advantage of using the session name is that no development is needed in phpCAS (the branch I referred to previously is useless; just setting the session name before instantiating phpCAS is enough).
… client on one server by adding the CAS server url to the phpcas session cookie as new variable" This reverts commit c3cb3ab.
In some cases, we need to test more than one CAS server. Looks near to apereo#68

```php
/* Check different CAS */
for ($i = 0; $i < $nb_server; $i++) {
    // Init connection
    phpCAS::client(CAS_VERSION_2_0, $config[$i]['host'], $config[$i]['port'], $config[$i]['uri'], true, true);
    phpCAS::setNoCasServerValidation();
    // Check authentication
    if ($auth = phpCAS::checkAuthentication()) {
        echo "server $i is ok";
        break;
    }
}
```
Hi,

I have a case where an application can provide proxy authentication with many CAS servers. Thus on my application `myapp.com`, a frontend developer is able to use multiple CAS servers to point to services under different CAS servers. The main problem, today, is when `user1` launches a widget using the `cas1.com` server and instantiates another widget that uses `cas2.com`: the first session is overridden. This behavior is due to the way auth is stored inside the session. Indeed, the phpCAS client stores auth inside `$_SESSION['phpCAS']`, so only one auth is possible at the same time. With a parameterizable session subname we can imagine something like:

or maybe better, splitting like