From ccc18b4b1cfc754e3367c7a60a4b7d9a71e28cc2 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Wed, 07 Aug 2019 15:13:32 +0000
Subject: [PATCH] Regenerate session ID before setting authentication data
---
 uphpCAS.php | 19 +++++++++++++------
 1 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/uphpCAS.php b/uphpCAS.php
index d073771..1633119 100644
--- a/uphpCAS.php
+++ b/uphpCAS.php
@@ -122,10 +122,14 @@
 			.($returnUrl ? '?service='.urlencode($returnUrl) : '');
 	}
 
+	public function logoutLocal() {
+		@session_start();
+		unset($_SESSION[$this->sessionName]);
+	}
+
 	public function logout($returnUrl = NULL) {
-		session_start();
+		$this->logoutLocal();
 		if($this->isAuthenticated()) {
-			unset($_SESSION[$this->sessionName]);
 			header('Location: '.$this->logoutUrl($returnUrl));
 			die();
 		} elseif($returnUrl) {
@@ -139,11 +143,12 @@
 	}
 
 	public function authenticate() {
-		session_start();
+		@session_start();
 		if($this->isAuthenticated()) {
 			return $_SESSION[$this->sessionName];
 		} elseif(isset($_REQUEST['ticket'])) {
 			$user = $this->verifyTicket($_REQUEST['ticket']);
+			session_regenerate_id();
 			$_SESSION[$this->sessionName] = $user;
 			return $user;
 		} else {
@@ -228,13 +233,15 @@
 				}
 			}
 		} catch(Exception $e) {
-			throw new JasigException('Authentication error: CAS server'
-				.' response invalid - parse error', 0, $e);
-		} finally {
 			libxml_clear_errors();
 			libxml_disable_entity_loader($xmlEntityLoader);
 			libxml_use_internal_errors($xmlInternalErrors);
+			throw new JasigException('Authentication error: CAS server'
+				.' response invalid - parse error', 0, $e);
 		}
+		libxml_clear_errors();
+		libxml_disable_entity_loader($xmlEntityLoader);
+		libxml_use_internal_errors($xmlInternalErrors);
 		$failure = $xml->getElementsByTagName('authenticationFailure');
 		$success = $xml->getElementsByTagName('authenticationSuccess');
 
-- 
Gitblit v1.9.1
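Review bot: `logout()` now calls `logoutLocal()`, which removes `$_SESSION[$this->sessionName]`, before it asks `isAuthenticated()`; if `isAuthenticated()` reads that same key (as the `authenticate()` hunk suggests), the branch that redirects to `logoutUrl()` can no longer be taken, so the CAS server-side session is never ended and only the local entry is cleared. Evaluate the state before clearing it, e.g. `@session_start(); $wasAuthenticated = $this->isAuthenticated();` then `$this->logoutLocal();` and `if($wasAuthenticated) {` — or have `logoutLocal()` return whether an entry existed. The `@` on `@session_start()` here and in the `authenticate()` hunk mutes not only the "session already started" notice but real failures too (headers already sent, unwritable save path); `if(session_status() !== PHP_SESSION_ACTIVE) { session_start(); }` gives the same idempotence without hiding them. The remainder of `logout()` continues outside the hunk.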
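Review bot: `session_regenerate_id()` is called without `delete_old_session = true` and its return value is ignored, so the pre-login session ID remains valid on the server, and if regeneration fails (it returns `false` when headers were already sent or the save handler refuses) the user record is still stored under the ID the client arrived with — exactly the fixation the commit sets out to close. Use `if(!session_regenerate_id(true)) { throw new JasigException('Authentication error: unable to regenerate session ID'); }` before the `$_SESSION[$this->sessionName] = $user;` assignment. The placement itself is right: the new ID is issued only after `verifyTicket()` succeeded and before any authentication data is written. The `@session_start()` suppression is covered in the note on the `logout()` hunk.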
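Review bot: Replacing `finally` with a copy of the three libxml restore calls inside `catch(Exception $e)` and again after the `try` leaves the libxml state (entity-loader setting, internal-error mode, error buffer) unrestored on every exit the catch does not see — on PHP 7 an `Error`/`TypeError` raised inside the `try`, or an early `return` — and it duplicates code that must be kept in lockstep. If the rewrite is meant to keep the file running on PHP older than 5.5, where `finally` is unavailable, a small private helper at least removes the duplication; otherwise restoring `finally` is the safer form. The enclosing method and the `try` block begin outside the hunk, so the matching setup of `$xmlEntityLoader` and `$xmlInternalErrors` is not visible here.
```php
		} catch(Exception $e) {
			$this->restoreLibxmlState($xmlEntityLoader, $xmlInternalErrors);
			throw new JasigException('Authentication error: CAS server'
				.' response invalid - parse error', 0, $e);
		}
		$this->restoreLibxmlState($xmlEntityLoader, $xmlInternalErrors);
		// … unchanged: authenticationFailure / authenticationSuccess lookup …

	// elsewhere in the class:
	/** Restores the libxml settings saved before the CAS response was parsed. */
	private function restoreLibxmlState($entityLoader, $internalErrors) {
		libxml_clear_errors();
		libxml_disable_entity_loader($entityLoader);
		libxml_use_internal_errors($internalErrors);
	}
```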