Wednesday 4 November 2020

How to pick up old session handling from Drupal after using SimpleSAMLphp?

Code example:

<?php

require_once(DRUPAL_ROOT . '/simplesaml/lib/_autoload.php');
session_write_close();
session_set_save_handler(new SessionHandler(), true);
$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();
$attributes = $as->getAttributes();

$samlSession = \SimpleSAML\Session::getSessionFromRequest();
$samlSession->cleanup();


$_SESSION['saml'] = $attributes; // <-- this does not work, since altering $_SESSION at this point is useless. Reading out $_SESSION on another page shows nothing saved after calling the SimpleSAMLphp functions

We are using SimpleSAMLphp on our website as SP to use with a Shibboleth IdP. The server can't run the Apache modules or memcache, so we need to use PHP sessions. The SimpleSAMLphp documentation says:

If we are using PHP sessions in SimpleSAMLphp and in the application we are protecting, SimpleSAMLphp will close any existing session when invoked for the first time, and its own session will prevail afterwards. If you want to restore your own session after calling SimpleSAMLphp, you can do so by cleaning up the session like this:

$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();

If you don't cleanup SimpleSAMLphp's session and try to use $_SESSION afterwards, you won't be using your own session and all your data is likely to get lost or inaccessible.

The problem is that this is exactly the issue we are facing. Whatever I write into $_SESSION after loading the SSP files is lost on the next page request.

Now, we are using Drupal 7. I don't know how to implement the documentation code in a Drupal environment:

// use custom save handler
session_set_save_handler($handler); // what is this? what is $handler?
session_start();

// close session and restore default handler
session_write_close();
session_set_save_handler(new SessionHandler(), true);

// use SimpleSAML\Session
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
session_write_close();

// back to custom save handler
session_set_save_handler($handler); // how do I get the Drupal handler?
session_start();

So how do I implement the session swapping in a Drupal 7 environment? Or, more generally, how do I get a session handler / reference?

Drupal itself does this at some point in session.inc:

session_set_save_handler('_drupal_session_open', '_drupal_session_close', '_drupal_session_read', '_drupal_session_write', '_drupal_session_destroy', '_drupal_session_garbage_collection');

But calling any Drupal session function didn't work: $_SESSION was always unwritable (or rather didn't actually save) after using SimpleSAMLphp.
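The session-swapping procedure from the SimpleSAMLphp documentation quoted above, written out against the six Drupal 7 session.inc callbacks the question lists. This is an added example by the editor, not the asker's code and not code from Drupal or SimpleSAMLphp, and it has not been run against the asker's site. It assumes a fully bootstrapped Drupal 7 request (so drupal_session_start(), drupal_session_started(), drupal_session_commit() and the _drupal_session_* callbacks exist), the asker's 'default-sp' SP name and _autoload.php path, and an arbitrary 'saml' key in $_SESSION. The one step that goes beyond the documentation is resetting Drupal's "session started" flag before restarting the Drupal session; that is an assumption about why a plain drupal_session_start() after cleanup() does nothing, based on drupal_session_start() returning early when the flag is already set.

```php
<?php
// Added example: the SimpleSAMLphp "restore your own session" procedure
// mapped onto Drupal 7's session handler. Assumes a full Drupal bootstrap.

require_once DRUPAL_ROOT . '/simplesaml/lib/_autoload.php';

/**
 * Re-register Drupal 7's save handler, using the same callback list that
 * Drupal's own session.inc registers. PHP refuses to change the save handler
 * while a session is active, so callers must session_write_close() first.
 */
function example_restore_drupal_session_handler() {
  session_set_save_handler(
    '_drupal_session_open',
    '_drupal_session_close',
    '_drupal_session_read',
    '_drupal_session_write',
    '_drupal_session_destroy',
    '_drupal_session_garbage_collection'
  );
}

/**
 * Run SimpleSAMLphp under PHP's default session handler, return the SAML
 * attributes, and hand the PHP session back to Drupal afterwards.
 *
 * @param string $sp  Name of the SP in SimpleSAMLphp's authsources ('default-sp' is assumed).
 * @return array      Attributes released by the IdP.
 */
function example_saml_auth_keeping_drupal_session($sp = 'default-sp') {
  // 1. Drupal 7 starts its session lazily, so make sure it is actually
  //    active now: SimpleSAMLphp can only restore a "previous" session
  //    that was active at the moment it was first invoked.
  drupal_session_start();

  // 2. Close Drupal's session and fall back to PHP's built-in handler, so
  //    SimpleSAMLphp's own session does not go through Drupal's callbacks.
  session_write_close();
  session_set_save_handler(new SessionHandler(), TRUE);

  // 3. Authenticate. requireAuth() redirects to the IdP and exits when the
  //    user is not logged in yet; on the return trip it falls through.
  $as = new \SimpleSAML\Auth\Simple($sp);
  $as->requireAuth();
  $attributes = $as->getAttributes();

  // 4. Let SimpleSAMLphp clean up (this restores the session from step 1
  //    when the PHP session handler is in use), then close it again so the
  //    save handler can be switched back.
  $samlSession = \SimpleSAML\Session::getSessionFromRequest();
  $samlSession->cleanup();
  session_write_close();

  // 5. Back to Drupal's handler. Assumption: Drupal's static "started" flag
  //    is still TRUE from step 1 although PHP has since closed the session,
  //    and drupal_session_start() returns early while it is set, so reset it.
  example_restore_drupal_session_handler();
  drupal_session_started(FALSE);
  drupal_session_start();

  return $attributes;
}

// Usage on the protected page.
$attributes = example_saml_auth_keeping_drupal_session('default-sp');
$_SESSION['saml'] = $attributes;

// Write through _drupal_session_write() now instead of relying on the
// shutdown handler, so the data reaches Drupal's {sessions} table.
drupal_session_commit();
```

Step 1 matters more than it looks: if the visitor arrives without a Drupal session cookie, Drupal has not started a PHP session yet, SimpleSAMLphp records no previous session to restore in step 4, and its own session remains the active one, which matches the symptom of $_SESSION writes vanishing. Whether the flag reset in step 5 is needed in a given Drupal 7 release is worth checking against that release's session.inc before relying on it.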



from How to pick up old session handling from Drupal after using SimpleSAMLphp?
