function shib_auth_session_check in Shibboleth Authentication 7.4
Same name and namespace in other branches
- 6.4 shib_auth.module \shib_auth_session_check()
Destroys the user session under certain conditions.
This function would destroy the session if:
- the shib session is expired and auto_destroy_session is enabled
- the username has changed unexpectedly.
Parameters
string $uname: Username (might be null).
Return value
bool FALSE if the session was invalid and therefore destroyed, TRUE if either there's a valid shib session or we allow stale Drupal sessions.
1 call to shib_auth_session_check()
- shib_auth_init in ./shib_auth.module - Creates a new user, if necessary, based on information from the handler.
File
- ./shib_auth.module, line 170 - Drupal Shibboleth authentication module.
Code
function shib_auth_session_check($uname) {
  global $user;
  // If the user IS logged in as non-admin, but we're missing Shibboleth
  // identity.
  if (!shib_auth_session_valid() && isset($_SESSION['shib_auth_authentication']) && $_SESSION['shib_auth_authentication'] == 'shib_auth' && shib_auth_config('auto_destroy_session') && $user->uid > 1) {
    shib_auth_terminate_session('Your session is expired. Please log in again.');
    return FALSE;
  }
  if (isset($_SESSION['shib_auth_username'])) {
    if ($_SESSION['shib_auth_username'] != $uname && empty($_SESSION['shib_auth_account_linking'])) {
      /* See SA-CONTRIB-2009-070
         If we reach here, a new federated user was given an existing Drupal
         session of an old user. This can happen when using Single Logout.
         Probably we should try and re-register the new user instead of just
         kicking him out, but for now just terminate the session for safety.
         This means that the new user has to initiate the session twice.
         However, we allow account linking, if the account_linking session variable
         had been set.
      */
      shib_auth_terminate_session();
      return FALSE;
    }
  }
  else {
    if ($uname) {
      $_SESSION['shib_auth_username'] = $uname;
    }
  }
  return TRUE;
}
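The branches of the function above, exercised on constructed inputs. This is an added sketch, not code from the shib_auth module: shib_session_decision() and its parameters are hypothetical names that stand in for the module's globals and helper calls, so each outcome can be checked in isolation.

```php
<?php
// Added sketch, not module code. Hypothetical pure-function form of the
// decision made by shib_auth_session_check(): session data, Shibboleth
// validity, the auto_destroy_session setting and the uid are passed in.
function shib_session_decision(array $session, $uname, $shib_valid, $auto_destroy, $uid) {
  // Branch 1: Shibboleth identity is missing, the Drupal session was created
  // through shib_auth, auto-destroy is enabled, and uid is greater than 1.
  if (!$shib_valid
      && isset($session['shib_auth_authentication'])
      && $session['shib_auth_authentication'] == 'shib_auth'
      && $auto_destroy && $uid > 1) {
    return array(FALSE, 'expired', $session);
  }
  if (isset($session['shib_auth_username'])) {
    // Branch 2: the session is already bound to a federated username and a
    // different one arrives without account linking (SA-CONTRIB-2009-070).
    if ($session['shib_auth_username'] != $uname && empty($session['shib_auth_account_linking'])) {
      return array(FALSE, 'username changed', $session);
    }
  }
  elseif ($uname) {
    // Branch 3: first time a username is seen, bind it to the session.
    $session['shib_auth_username'] = $uname;
  }
  return array(TRUE, 'kept', $session);
}

// Constructed sample sessions and inputs.
$bound = array('shib_auth_authentication' => 'shib_auth', 'shib_auth_username' => 'alice');
$linking = $bound + array('shib_auth_account_linking' => TRUE);
$cases = array(
  'same user returns'         => array($bound, 'alice', TRUE, TRUE, 5),
  'different user, same sess' => array($bound, 'bob', TRUE, TRUE, 5),
  'account linking allowed'   => array($linking, 'bob', TRUE, TRUE, 5),
  'shib expired, auto-destroy' => array($bound, NULL, FALSE, TRUE, 5),
  'first request, no binding' => array(array(), 'carol', TRUE, TRUE, 5),
);
foreach ($cases as $label => $args) {
  list($ok, $why, $after) = call_user_func_array('shib_session_decision', $args);
  $name = isset($after['shib_auth_username']) ? $after['shib_auth_username'] : '-';
  printf("%-27s => %-5s (%s, bound to %s)\n", $label, $ok ? 'TRUE' : 'FALSE', $why, $name);
}
```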