mahara-contributors team mailing list archive

Thread
Date

[Bug 1566366] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1566366@xxxxxxxxxxxxxxxxxx>
Date: Wed, 13 Apr 2016 03:03:04 -0000
Reply-to: Bug 1566366 <1566366@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/6326
Committed: https://git.mahara.org/mahara/mahara/commit/91807920f4fb2981e1faa4978342d07674590d18
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    master

commit 91807920f4fb2981e1faa4978342d07674590d18
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date:   Tue Apr 12 15:46:28 2016 +1200

Remove session.referer_check (Bug 1566366)

This setting kills your Mahara session whenever you navigate
to Mahara from a link or redirect on another page. This totally
prevents SAML and other redirect-based auth methods from working,
makes it annoying to use links in email, and while it is mentioned
on the PHP manual's "Securing Sessions" page, it's only
recommended there if you also have "session.use_trans_id" enabled,
which we do not.

Change-Id: I8b3b14bae8043c5004cc8f36766f2db9422eac1c
behatnotneeded: Can't be tested by behat

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1566366

Title:
  Session referer check should not be set if using SAML

Status in Mahara:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  I'm using the SAML plugin for authentication and I've noticed that
  this change: https://reviews.mahara.org/#/c/5574/ introduces some new
  settings for PHP's session handling that cause issues with the SAML
  login process.

  I believe only 16.04(rc1) is affected as that change is not present in
  15.10.2.

  The setting "session.referer_check" inteferes with the SAML login
  process and as a result the login process fails and an error is
  displayed to the user.

  The particular line from the commit mentioned above is:

   - htdocs/auth/session.php
  ini_set('session.referer_check', get_config('wwwroot'));

  This option should not be set for most users if they are using SAML as
  an authentication method (in my case I am using a custom SAML auth
  plugin). During the login process SAML will redirect the user away
  from the wwwroot and when the user returns to Mahara the session data
  is cleared. This causes the "populate" function in the "LiveUser"
  class to attempt to create a new user using the default attributes
  (empty fields for username/firstname/lastname/etc). In addition the
  "usr" table does not have not have NOT NULL set on the username
  attribute, so an entry is created in the database with a null username
  causing various issues within Mahara.

  I'd suggest adding a "session_referer_enabled" configuration option
  (just in config.php) that defaults to the referer check being enabled.
  This would allow it to easily be disabled by users who do not want it
  set without having to manually edit the htdocs/auth/session.php file.
  I'm not sure if there is a reason NOT_NULL is not set on the username
  field but maybe this should be changed as well?

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1566366/+subscriptions

References

[Bug 1566366] [NEW] Session referer check should not be set if using SAML
From: Jake Blatchford, 2016-04-05