function shib_auth_session_check in Shibboleth Authentication 6.4

Same name and namespace in other branches
  1. 7.4 shib_auth.module \shib_auth_session_check()

This function destroys the current Drupal session if

  • the Shibboleth session has expired, auto_destroy_session is enabled, and the user is an ordinary account (uid 0 and uid 1 are exempt)
  • the username supplied by Shibboleth differs from the one stored in the session and no account linking is in progress

Parameters

$uname: the username taken from the Shibboleth handler (may be NULL when no Shibboleth identity is present on the request).

Return value

FALSE if the session was invalid and therefore destroyed.
TRUE if either there is a valid Shibboleth session or stale Drupal sessions are allowed.

1 call to shib_auth_session_check()
shib_auth_init in ./shib_auth.module
Create a new user based on information from the Shibboleth handler if necessary, or log the user in.

File

./shib_auth.module, line 159
Drupal Shibboleth authentication module.

Code

function shib_auth_session_check($uname) {
  global $user;

  // The user is logged in through Shibboleth as a non-admin account, but the
  // Shibboleth session behind it is gone and the site is configured to drop
  // stale Drupal sessions. uid 0 and uid 1 are never terminated here. The
  // isset() guard avoids an undefined-index notice on a fresh session.
  if (!shib_auth_session_valid() && isset($_SESSION['shib_auth_authentication']) && $_SESSION['shib_auth_authentication'] == 'shib_auth' && shib_auth_config('auto_destroy_session') && $user->uid > 1) {
    shib_auth_terminate_session('Your session is expired. Please log in again.');
    return FALSE;
  }
  if (isset($_SESSION['shib_auth_username'])) {
    // A NULL $uname (no Shibboleth identity on this request) also counts as
    // a changed username and terminates the session.
    if ($_SESSION['shib_auth_username'] != $uname && empty($_SESSION['shib_auth_account_linking'])) {

      /*  See SA-CONTRIB-2009-070
          If we reach here, a new federated user was given an existing Drupal session of
          an old user. This can happen when using Single Logout.
          Probably we should try and re-register the new user instead of just kicking him out,
          but for now just terminate the session for safety.
          This means that the new user has to initiate the session twice.
          However, we allow account linking if the account_linking session variable has been set.
          */
      shib_auth_terminate_session();
      return FALSE;
    }
  }
  else {
    // First request carrying a Shibboleth identity: remember the username so
    // later requests can detect a change.
    if ($uname) {
      $_SESSION['shib_auth_username'] = $uname;
    }
  }
  return TRUE;
}
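The two destroy conditions listed at the top of this page and the SA-CONTRIB-2009-070 case in the code comment are easiest to see by running each branch against a constructed session. The following is an added command-line harness, not code from the shib_auth module: the body of shib_auth_session_check() is copied from the Code section above, while shib_auth_session_valid(), shib_auth_config() and shib_auth_terminate_session() are stand-ins with assumed behaviour, and $user, $shib_env, $terminated and run_scenario() are constructed for this example only.

```php
<?php
// Added example (not part of the shib_auth module): exercises every branch of
// shib_auth_session_check() against a constructed $_SESSION, without Drupal.
// The three module helpers below are stand-ins with assumed behaviour.

// Constructed stand-in for Drupal's global $user (uid 1 is the admin account).
$user = (object) array('uid' => 5, 'name' => 'alice');

// Knobs the stand-ins read, so a scenario can flip them.
$shib_env = array('session_valid' => TRUE, 'auto_destroy_session' => TRUE);
$terminated = array();  // messages passed to the terminate stand-in

function shib_auth_session_valid() {
  global $shib_env;
  return $shib_env['session_valid'];
}

function shib_auth_config($name) {
  global $shib_env;
  return isset($shib_env[$name]) ? $shib_env[$name] : NULL;
}

function shib_auth_terminate_session($message = NULL) {
  global $terminated;
  $terminated[] = $message;
  $_SESSION = array();  // the real function also logs the Drupal user out
}

// Decision logic copied from the module function on this page, with an
// isset() guard on the authentication marker so a fresh session raises no notice.
function shib_auth_session_check($uname) {
  global $user;

  if (!shib_auth_session_valid()
      && isset($_SESSION['shib_auth_authentication'])
      && $_SESSION['shib_auth_authentication'] == 'shib_auth'
      && shib_auth_config('auto_destroy_session')
      && $user->uid > 1) {
    shib_auth_terminate_session('Your session is expired. Please log in again.');
    return FALSE;
  }
  if (isset($_SESSION['shib_auth_username'])) {
    if ($_SESSION['shib_auth_username'] != $uname
        && empty($_SESSION['shib_auth_account_linking'])) {
      shib_auth_terminate_session();
      return FALSE;
    }
  }
  elseif ($uname) {
    $_SESSION['shib_auth_username'] = $uname;
  }
  return TRUE;
}

// Runs one constructed request and reports whether the session survived.
function run_scenario($label, array $session, $uname, $session_valid, $uid = 5) {
  global $shib_env, $user;
  $_SESSION = $session;
  $shib_env['session_valid'] = $session_valid;
  $user->uid = $uid;
  $ok = shib_auth_session_check($uname);
  printf("%-50s => %s\n", $label, $ok ? 'TRUE  (session kept)' : 'FALSE (session destroyed)');
  return $ok;
}

// Constructed session of a user who logged in through Shibboleth as "alice".
$shib = array('shib_auth_authentication' => 'shib_auth', 'shib_auth_username' => 'alice');

run_scenario('first request after Shibboleth login', array(), 'alice', TRUE);
run_scenario('same user, later request', $shib, 'alice', TRUE);
run_scenario('Shibboleth session expired, auto_destroy on', $shib, 'alice', FALSE);
run_scenario('expired, but uid 1 (admin) is exempt', $shib, 'alice', FALSE, 1);
run_scenario('headers gone: NULL uname on a stale session', $shib, NULL, TRUE);
run_scenario('SA-CONTRIB-2009-070: new user, old session', $shib, 'bob', TRUE);
run_scenario('new user, account linking requested',
  $shib + array('shib_auth_account_linking' => TRUE), 'bob', TRUE);
```

Two outcomes are worth noting when reading the scenarios: a request that arrives without a Shibboleth identity (NULL $uname) on a session that already stores a username is treated as a changed user and destroyed, because 'alice' != NULL is true in PHP; and the expiry check never terminates uid 1, so an admin whose Shibboleth session has lapsed keeps the Drupal session until the username check or a normal logout ends it.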