Skip to content

Commit

Permalink
MDL-61351 shibboleth: Logout: fix session handler class not being used
Browse files Browse the repository at this point in the history 
* use $CFG->session_handler_class to determine which type of session is
  used
* if not set, use $CFG->dbsession instead
  • Loading branch information
@t-schroeder @mdjnelson
t-schroeder authored and mdjnelson committed Jul 17, 2018
1 parent 8c51626 commit 1e737e3
Showing 1 changed file with 72 additions and 45 deletions.
117 changes: 72 additions & 45 deletions auth/shibboleth/logout.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,64 +127,90 @@
* @return SoapFault or void if everything was fine
*/
function LogoutNotification($spsessionid) {

global $CFG, $SESSION, $DB;
global $CFG;

// Delete session of user using $spsessionid.
if(empty($CFG->dbsessions)) {

// File session
$dir = $CFG->dataroot .'/sessions';
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
// Read all session files
while (($file = readdir($dh)) !== false) {
// Check if it is a file
if (is_file($dir.'/'.$file)){
$session_key = preg_replace('/sess_/', '', $file);

// Read session file data
$data = file($dir.'/'.$file);
if (isset($data[0])){
$usersession = unserializesession($data[0]);

// Check if we have found session that shall be deleted
if (isset($usersession['SESSION']) && isset($usersession['SESSION']->shibboleth_session_id)) {

// If there is a match, delete file
if ($usersession['SESSION']->shibboleth_session_id == $spsessionid) {
// Delete session file
if (!unlink($dir.'/'.$file)){
return new SoapFault('LogoutError', 'Could not delete Moodle session file.');
}
// The setting $CFG->session_handler_class may not be set. But if it is,
// it should override $CFG->dbsessions.
if (!empty($CFG->session_handler_class)) {
$sessionclass = $CFG->session_handler_class;
if (preg_match('/database/i', $sessionclass) === 1) {
return logoutdbsession($spsessionid);
} else if (preg_match('/file/i', $sessionclass) === 1) {
return logoutfilesession($spsessionid);
} else {
throw new moodle_exception("Shibboleth logout not implemented for '$sessionclass'");
}
} else {
// Session handler class is not specified, check dbsessions instead.
if (!empty($CFG->dbsessions)) {
return logoutdbsession($spsessionid);
}
// Assume file sessions if dbsessions isn't used.
return logoutfilesession($spsessionid);
}
// If no SoapFault was thrown, the function will return OK as the SP assumes.
}

// Delete session of user using $spsessionid.
function logoutfilesession($spsessionid) {
global $CFG;

if (!empty($CFG->session_file_save_path)) {
$dir = $CFG->session_file_save_path;
} else {
$dir = $CFG->dataroot . '/sessions';
}

if (is_dir($dir)) {
if ($dh = opendir($dir)) {
// Read all session files.
while (($file = readdir($dh)) !== false) {
// Check if it is a file.
if (is_file($dir.'/'.$file)) {

// Read session file data.
$data = file($dir.'/'.$file);
if (isset($data[0])) {
$usersession = unserializesession($data[0]);

// Check if we have found session that shall be deleted.
if (isset($usersession['SESSION']) && isset($usersession['SESSION']->shibboleth_session_id)) {

// If there is a match, delete file.
if ($usersession['SESSION']->shibboleth_session_id == $spsessionid) {
// Delete session file.
if (!unlink($dir.'/'.$file)) {
return new SoapFault('LogoutError', 'Could not delete Moodle session file.');
}
}
}
}
}
closedir($dh);
}
closedir($dh);
}
} else {
// DB Sessions.
$sessions = $DB->get_records_sql(
'SELECT userid, sessdata FROM {sessions} WHERE timemodified > ?',
array(time() - $CFG->sessiontimeout)
);
foreach ($sessions as $session) {
// Get user session from DB.
if (session_decode(base64_decode($session->sessdata))) {
if (isset($_SESSION['SESSION']) && isset($_SESSION['SESSION']->shibboleth_session_id)) {
// If there is a match, kill the session.
if ($_SESSION['SESSION']->shibboleth_session_id == trim($spsessionid)) {
// Delete this user's sessions.
\core\session\manager::kill_user_sessions($session->userid);
}
}
}

function logoutdbsession($spsessionid) {
global $CFG, $DB;
$sessions = $DB->get_records_sql(
'SELECT userid, sessdata FROM {sessions} WHERE timemodified > ?',
array(time() - $CFG->sessiontimeout)
);
foreach ($sessions as $session) {
// Get user session from DB.
if (session_decode(base64_decode($session->sessdata))) {
if (isset($_SESSION['SESSION']) && isset($_SESSION['SESSION']->shibboleth_session_id)) {
// If there is a match, kill the session.
if ($_SESSION['SESSION']->shibboleth_session_id == trim($spsessionid)) {
// Delete this user's sessions.
\core\session\manager::kill_user_sessions($session->userid);
}
}
}
}
// If no SoapFault was thrown, the function will return OK as the SP assumes.
}

/*****************************************************************************/
Expand All @@ -199,3 +225,4 @@ function unserializesession($serialized_string) {
}
return $variables;
}

0 comments on commit 1e737e3

Please sign in to comment.