Hi Jake, Thanks for the bug report! You are correct, not only does that "session.referer_check" kill SAML, it also means that if you navigate to your Mahara site via a link (say, from an email), you get logged out.
We put that in there because the patch was based on the recommendations in the PHP manual's "securing sessions" page: http://php.net/manual/en/session.security.php ... but that page also points out that the setting is only helpful if you've turned on session.use_trans_id. And we have always had session.use_trans_id turned off, therefore we don't also need session.referer_check. So, I will push a patch to get rid of that. Cheers, Aaron ** Also affects: mahara/1.10 Importance: Undecided Status: New ** Also affects: mahara/16.04 Importance: Undecided Status: New ** Also affects: mahara/16.10 Importance: Undecided Status: New ** Also affects: mahara/15.04 Importance: Undecided Status: New ** Also affects: mahara/15.10 Importance: Undecided Status: New ** Changed in: mahara/1.10 Milestone: None => 1.10.10 ** Changed in: mahara/15.04 Milestone: None => 15.04.7 ** Changed in: mahara/15.10 Milestone: None => 15.10.3 ** Changed in: mahara/16.04 Milestone: None => 16.04.0 ** Changed in: mahara/16.10 Milestone: None => 16.10.0 ** Changed in: mahara/1.10 Importance: Undecided => High ** Changed in: mahara/15.04 Importance: Undecided => High ** Changed in: mahara/15.10 Importance: Undecided => High ** Changed in: mahara/16.04 Importance: Undecided => High ** Changed in: mahara/16.10 Importance: Undecided => High ** Changed in: mahara/16.10 Status: New => In Progress ** Changed in: mahara/16.04 Status: New => In Progress ** Changed in: mahara/15.10 Status: New => In Progress ** Changed in: mahara/15.04 Status: New => In Progress ** Changed in: mahara/1.10 Status: New => In Progress ** Changed in: mahara/16.10 Assignee: (unassigned) => Aaron Wells (u-aaronw) ** Changed in: mahara/16.10 Importance: High => Critical ** Changed in: mahara/16.04 Importance: High => Critical -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1566366 Title: Session referer check should not be set if using SAML Status in Mahara: In Progress Status in Mahara 1.10 series: In Progress Status in Mahara 15.04 series: In Progress Status in Mahara 15.10 series: In Progress Status in Mahara 16.04 series: In Progress Status in Mahara 16.10 series: In Progress Bug description: I'm using the SAML plugin for authentication and I've noticed that this change: https://reviews.mahara.org/#/c/5574/ introduces some new settings for PHP's session handling that cause issues with the SAML login process. I believe only 16.04(rc1) is affected as that change is not present in 15.10.2. The setting "session.referer_check" inteferes with the SAML login process and as a result the login process fails and an error is displayed to the user. The particular line from the commit mentioned above is: - htdocs/auth/session.php ini_set('session.referer_check', get_config('wwwroot')); This option should not be set for most users if they are using SAML as an authentication method (in my case I am using a custom SAML auth plugin). During the login process SAML will redirect the user away from the wwwroot and when the user returns to Mahara the session data is cleared. This causes the "populate" function in the "LiveUser" class to attempt to create a new user using the default attributes (empty fields for username/firstname/lastname/etc). In addition the "usr" table does not have not have NOT NULL set on the username attribute, so an entry is created in the database with a null username causing various issues within Mahara. I'd suggest adding a "session_referer_enabled" configuration option (just in config.php) that defaults to the referer check being enabled. This would allow it to easily be disabled by users who do not want it set without having to manually edit the htdocs/auth/session.php file. I'm not sure if there is a reason NOT_NULL is not set on the username field but maybe this should be changed as well? To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1566366/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
