** Changed in: mahara/15.10
       Status: Fix Committed => Fix Released

** Changed in: mahara/15.04
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1566366

Title:
  Session referer check should not be set if using SAML

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  I'm using the SAML plugin for authentication and I've noticed that
  this change: https://reviews.mahara.org/#/c/5574/ introduces some new
  settings for PHP's session handling that cause issues with the SAML
  login process.

  I believe only 16.04(rc1) is affected as that change is not present in
  15.10.2.

  The setting "session.referer_check" interferes with the SAML login
  process and as a result the login process fails and an error is
  displayed to the user.

  The particular line from the commit mentioned above is:

   - htdocs/auth/session.php
  ini_set('session.referer_check', get_config('wwwroot'));

  This option should not be set for most users if they are using SAML as
  an authentication method (in my case I am using a custom SAML auth
  plugin). During the login process SAML will redirect the user away
  from the wwwroot and when the user returns to Mahara the session data
  is cleared. This causes the "populate" function in the "LiveUser"
  class to attempt to create a new user using the default attributes
  (empty fields for username/firstname/lastname/etc). In addition the
  "usr" table does not have NOT NULL set on the username
  attribute, so an entry is created in the database with a null username
  causing various issues within Mahara.

  I'd suggest adding a "session_referer_enabled" configuration option
  (just in config.php) that defaults to the referer check being enabled.
  This would allow it to easily be disabled by users who do not want it
  set without having to manually edit the htdocs/auth/session.php file.
  I'm not sure if there is a reason NOT_NULL is not set on the username
  field but maybe this should be changed as well?

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1566366/+subscriptions
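The following is an added example (not Mahara's own code and not part of the original report) showing the mitigation the reporter proposes: gating the ini_set() call behind a config.php flag so sites whose login flow redirects the browser off wwwroot (as SAML does) can turn the referer check off. The option name `session_referer_enabled` is the name suggested in the report and is hypothetical; `get_config()` is assumed to behave like Mahara's helper and is stubbed here so the file runs stand-alone. The last function models PHP's documented behaviour for session.referer_check (a substring match on the Referer header, applied only when the header is present) so the SAML failure mode can be seen without a live IdP.

```php
<?php
// Added example, not Mahara's own code. Stand-in for Mahara's get_config():
// reads from a constructed $CFG array instead of the database/config.php.
$CFG = [
    'wwwroot' => 'https://mahara.example.org/',   // constructed sample value
    // 'session_referer_enabled' => false,        // hypothetical option; omit => enabled
];

function get_config(string $key, array $cfg = null) {
    global $CFG;
    $cfg = $cfg ?? $CFG;
    return array_key_exists($key, $cfg) ? $cfg[$key] : null;
}

// Defaults to enabled; only an explicit false disables the check.
function session_referer_check_enabled(array $cfg = null): bool {
    $value = get_config('session_referer_enabled', $cfg);
    return $value === null ? true : (bool) $value;
}

// Replacement for the unconditional ini_set() in htdocs/auth/session.php.
// Returns the value applied so the decision can be inspected.
function configure_session_referer_check(array $cfg = null): string {
    $substring = session_referer_check_enabled($cfg) ? (string) get_config('wwwroot', $cfg) : '';
    ini_set('session.referer_check', $substring);
    return $substring;
}

// Models PHP's rule: if a Referer was sent and does not contain the
// configured substring, the session id is marked invalid (session data lost).
function referer_check_rejects(string $substring, ?string $referer): bool {
    if ($substring === '' || $referer === null) {
        return false;
    }
    return strpos($referer, $substring) === false;
}

// Demonstration with constructed values.
$applied = configure_session_referer_check($CFG);
$idpReferer = 'https://idp.example.edu/saml2/sso';   // constructed IdP URL
printf("referer_check=%s\n", $applied === '' ? '(disabled)' : $applied);
printf("browser returning from IdP rejected: %s\n",
    referer_check_rejects($applied, $idpReferer) ? 'yes' : 'no');
printf("with option disabled: %s\n",
    referer_check_rejects(configure_session_referer_check(
        $CFG + ['session_referer_enabled' => false]), $idpReferer) ? 'yes' : 'no');
```

With the option left at its default the IdP's Referer does not contain wwwroot, so the returning request is treated as a fresh session, which is exactly the state in which LiveUser::populate() sees an empty user; setting the flag to false leaves session.referer_check empty and the session survives the round trip.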

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
