function shib_auth_session_check in Shibboleth Authentication 6.4
Same name and namespace in other branches
- 7.4 shib_auth.module \shib_auth_session_check()
This function would destroy the session if
- the shib session is expired and auto_destroy_session is enabled
- the username has changed unexpectedly
Parameters
username (might be null):
Return value
FALSE if the session was invalid and therefore destroyed TRUE if either there's a valid shib session or we allow stale Drupal sessions
1 call to shib_auth_session_check()
- shib_auth_init in ./
shib_auth.module - Create a new user based on informations from the Shibboleth handler if it's necessary or log in.
File
- ./
shib_auth.module, line 159 - Drupal Shibboleth authentication module.
Code
function shib_auth_session_check($uname) {
global $user;
// if the user IS logged in as non-admin, but we're missing Shibboleth identity
if (!shib_auth_session_valid() && $_SESSION['shib_auth_authentication'] == 'shib_auth' && shib_auth_config('auto_destroy_session') && $user->uid > 1) {
shib_auth_terminate_session('Your session is expired. Please log in again.');
return FALSE;
}
if (isset($_SESSION['shib_auth_username'])) {
if ($_SESSION['shib_auth_username'] != $uname && empty($_SESSION['shib_auth_account_linking'])) {
/* See SA-CONTRIB-2009-070
If we reach here, a new federated user was given an existing Drupal session of
an old user. This can happen when using Single Logout.
Probably we should try and re-register the new user instead of just kicking him out,
but for now just terminate the session for safety.
This means that the new user has to initiate the session twice.
However, we allow account linking, if the account_linking session variable had been set
*/
shib_auth_terminate_session();
return FALSE;
}
}
else {
if ($uname) {
$_SESSION['shib_auth_username'] = $uname;
}
}
return TRUE;
}