Hilfsskripte

Alle hier aufgeführten Skripte sind beispielhaft und müssen ggf. angepasst werden.

Dieses Skript sorgt für den notwendigen zusätzlichen Request beim SessionHook.

checker.php
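<?php
// Shibboleth SessionHook target: the SP sends the browser here with the
// original URL in "return"; bouncing straight back produces the extra
// request the hook needs.

// "return" comes from the query string, so it is only followed when it
// points at this host -- otherwise this script would be an open redirect.
$return = isset($_GET['return']) ? $_GET['return'] : null;
$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
if (!is_string($return) || !checkerReturnIsLocal($return, $host)) {
    http_response_code(400);
    echo 'Invalid return URL';
    exit;
}

//redirect to application
header('Location: ' . $return);
// Stop here so nothing is emitted after the redirect header.
exit;

/**
 * True if $return is a local path ("/..." but not "//...", which browsers
 * treat as protocol-relative) or an absolute http(s) URL whose host[:port]
 * equals $host (the Host header this request came in on).
 *
 * URLs containing user-info ("user@host") or backslashes are rejected
 * because browsers and parse_url() disagree on where the host ends there.
 */
function checkerReturnIsLocal($return, $host)
{
    if ($return === '' || strpos($return, '\\') !== false) {
        return false;
    }
    if ($return[0] === '/') {
        return substr($return, 0, 2) !== '//';
    }
    $parts = parse_url($return);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $urlHost = isset($parts['host']) ? $parts['host'] : '';
    if (isset($parts['port'])) {
        $urlHost .= ':' . $parts['port'];
    }
    return $host !== '' && strcasecmp($urlHost, $host) === 0;
}
?>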
initsess.php
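<?php
// Initialize the application's PHP session (this is what sets the session
// cookie) and then send the browser on to the application itself.
session_start();

// Application path below the document root -- adjust for your deployment.
$path = "Path/to/NORMALAPPLICATION";

// Build the redirect from SERVER_NAME. NOTE(review): SERVER_NAME only
// reflects the configured host name when the web server canonicalises it
// (Apache: UseCanonicalName); otherwise it mirrors the client's Host
// header -- confirm for your setup.
$redirect = "https://" . $_SERVER['SERVER_NAME'] . "/$path";
header('Location: ' . $redirect);
// Stop here so nothing is emitted after the redirect header.
exit;
?>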

Dieses Skript entfernt die Anwendungs-Session via Back-Channel und die Cookies via Front-Channel.

logoutnotify.php
<?php
// Sample PHP 5 Shibboleth logout code by lukas.haemmerle@switch.change_user
// History:
// - December 8 2008:    Uploaded initial version that also was used for Moodle
 
// 2015: Changes for Shibchecker by frank.schreiterer@uni-bamberg.de
 
// Just for debugging the WSDL part
ini_set("soap.wsdl_cache_enabled", "0"); // disabling WSDL cache
 
/************************************************/
/* Sample code to log out user from application */
/************************************************/
 
// Requirements:
// PHP 5 with SOAP support (should be available in default deployment)
// PHP 5 memcache not memcached!!!
 
 
 
/* Note:
 * 
 * It is possible to call the Notify-hook twice in shibboleth2.xml 
 * <Notify Channel="back" Location="URI_TO/logoutnotify.php" />
 * <Notify Channel="front" Location="URI_TO/logoutnotify.php" />
 * 
 * So we do this and implement on the front channel only the destruction of the application cookies and
 * on the back channel the destruction of the application session and the removal of the database / memcached entries
 * used by the shibchecker RewriteMap in our Apache configuration.
 * 
 * The connection parameters to the shibcheckerdb / memcached are set in function LogoutNotification.
*/
 
 
//////////////////////////
// Front channel logout //
//////////////////////////
 
// Note: Generally the back-channel logout should be used once the Shibboleth
//       Identity Provider supports Single Log Out!
//       Front-channel logout is not of much use.
 
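// Raw request body: non-empty only for a back-channel SOAP notification.
// Read once here and handed to SoapServer below instead of re-reading
// php://input a second time.
$body = file_get_contents("php://input");

if (
        isset($_GET['return'])
        && isset($_GET['action'])
        && $_GET['action'] === 'logout'
   ) {

    // Only destroy the application cookie via the front channel; the
    // application session itself is destroyed via the back channel.

    // Destroy the PHP session cookie
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }

    // "return" comes from the query string, so it is only followed when it
    // points back at this host; otherwise this would be an open redirect.
    $return = $_GET['return'];
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    if (!is_string($return) || !shibReturnTargetIsLocal($return, $host)) {
        http_response_code(400);
        echo 'Invalid return URL';
        exit;
    }

    // Finally, send user to the return URL
    header('Location: ' . $return);
    exit;
}

/////////////////////////
// Back channel logout //
/////////////////////////

// Note: This is the preferred logout channel because it also allows
//       administrative logout. However, it requires your application to be
//       adapted in the sense that the user's Shibboleth session ID must be
//       stored in the application's session data.
//       See function LogoutNotification below

elseif ($body !== false && $body !== '') {
    // The WSDL is written to a temporary file and handed to SoapServer by
    // path. Fetching it over HTTPS from $_SERVER['HTTP_HOST'] (as the
    // original did) would make this script issue a server-side request to
    // whatever host name the client put into the Host header, plus a TLS
    // round trip to ourselves on every notification.
    $wsdlFile = tempnam(sys_get_temp_dir(), 'logoutnotify');
    if ($wsdlFile === false) {
        http_response_code(500);
        exit;
    }
    try {
        file_put_contents($wsdlFile, logoutNotificationWsdl(logoutNotificationLocation()));
        $server = new SoapServer($wsdlFile);
        $server->addFunction("LogoutNotification");
        $server->handle($body);
    } finally {
        unlink($wsdlFile);
    }
}

/////////////////
// Return WSDL //
/////////////////

// Note: This is needed for the PHP SoapServer class.
//       Since I'm not a web service guru it might be that the code below is not
//       absolutely correct but at least it seems to do its job properly when it
//       comes to Shibboleth logout

else {

    header('Content-Type: text/xml');
    echo logoutNotificationWsdl(logoutNotificationLocation());
    exit;

}

/**
 * URL of this script as advertised in the WSDL's soap:address.
 *
 * SCRIPT_NAME is used rather than PHP_SELF: PHP_SELF also carries any
 * PATH_INFO the client appended to the URL, which is client-controlled.
 */
function logoutNotificationLocation()
{
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $script = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
    return 'https://' . $host . $script;
}

/**
 * True if $return is a local path ("/..." but not "//...", which browsers
 * treat as protocol-relative) or an absolute http(s) URL whose host[:port]
 * equals $host (the Host header this request came in on).
 *
 * URLs containing user-info ("user@host") or backslashes are rejected
 * because browsers and parse_url() disagree on where the host ends there.
 */
function shibReturnTargetIsLocal($return, $host)
{
    if ($return === '' || strpos($return, '\\') !== false) {
        return false;
    }
    if ($return[0] === '/') {
        return substr($return, 0, 2) !== '//';
    }
    $parts = parse_url($return);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $urlHost = isset($parts['host']) ? $parts['host'] : '';
    if (isset($parts['port'])) {
        $urlHost .= ':' . $parts['port'];
    }
    return $host !== '' && strcasecmp($urlHost, $host) === 0;
}

/**
 * The WSDL describing the LogoutNotification SOAP service.
 *
 * $location is the service URL placed into soap:address; it is XML-escaped
 * here because it is built from request data.
 */
function logoutNotificationWsdl($location)
{
    $location = htmlspecialchars($location, ENT_QUOTES, 'UTF-8');
    return <<<WSDL
<?xml version ="1.0" encoding ="UTF-8" ?>
<definitions name="LogoutNotification"
  targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
  xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns="http://schemas.xmlsoap.org/wsdl/">

    <types>
       <schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
           xmlns="http://www.w3.org/2000/10/XMLSchema"
           xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">

            <simpleType name="string">
                <restriction base="string">
                    <minLength value="1"/>
                </restriction>
            </simpleType>

            <element name="OK" type="notify:OKType"/>
            <complexType name="OKType">
                <sequence/>
            </complexType>

        </schema>
    </types>

    <message name="getLogoutNotificationRequest">
        <part name="SessionID" type="notify:string" />
    </message>

    <message name="getLogoutNotificationResponse" >
        <part name="OK"/>
    </message>

    <portType name="LogoutNotificationPortType">
        <operation name="LogoutNotification">
            <input message="getLogoutNotificationRequest"/>
            <output message="getLogoutNotificationResponse"/>
        </operation>
    </portType>

    <binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType">
        <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
        <operation name="LogoutNotification">
            <soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/>
        </operation>
    </binding>

    <service name="LogoutNotificationService">
          <port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
            <soap:address location="{$location}"/>
          </port>
    </service>
</definitions>
WSDL;
}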
 
/******************************************************************************/
/// This function does the actual logout
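/**
 * Back-channel logout handler, invoked by SoapServer for the
 * LogoutNotification operation.
 *
 * $SessionID is the Shibboleth session ID sent by the SP. The memcached
 * entry keyed by it is expected to hold the application's PHP session ID;
 * both entries are removed and that application session is destroyed.
 * Returns nothing (as before); when there is no mapping for $SessionID
 * nothing else is touched.
 */
function LogoutNotification($SessionID){

    // Delete session of user using $SessionID to locate the user's session file
    // on the file system or in the database
    // Then delete this entry or record to clear the session
    // However, for that to work it is essential that the user's Shibboleth
    // SessionID is stored in the user session data!

    if (!is_string($SessionID) || $SessionID === '') {
        return;
    }

    //connection parameters to memcached -- adjust for your deployment
    $mcsrv = "127.0.0.1";
    $mcport = 11211;

    $mc = new Memcache;
    if (!$mc->connect($mcsrv, $mcport)) {
        error_log("LogoutNotification: cannot connect to memcached at $mcsrv:$mcport");
        return;
    }
    //get the application session id
    $appsessionid = $mc->get($SessionID);
    //remove the Shibboleth -> application mapping
    $mc->delete($SessionID);
    if (!is_string($appsessionid) || $appsessionid === '') {
        // No application session recorded for this Shibboleth session.
        // (Previously this fell through into session_id('') and created a
        // brand-new PHP session only to destroy it.)
        $mc->close();
        return;
    }
    $mc->delete($appsessionid);
    $mc->close();

    // The stored value is handed to the session handler as a session ID, so
    // only accept the character set PHP itself generates for session IDs.
    if (preg_match('/^[A-Za-z0-9,-]{1,256}$/', $appsessionid) !== 1) {
        error_log("LogoutNotification: ignoring malformed application session id");
        return;
    }

    //Connect to the application session (PHP Session)
    session_id($appsessionid);
    session_start();
    //and destroy
    $_SESSION = array();
    session_destroy();
}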
 
?>
remsess.php
<?php
 
/*
	This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
    Copyright 2015 Frank Schreiterer, University of Bamberg, Computing Centre     
*/ 
 
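/**
 * Remove every memcached entry whose value is the application session ID
 * $destid, plus the entry keyed by $destid itself (the mixedLazy backup
 * entry).
 *
 * The cache is walked via the "cachedump" stats command for every slab.
 * NOTE(review): memcached returns only a bounded sample of keys per
 * cachedump, so on large caches some matching entries may be missed --
 * confirm this is acceptable for your deployment.
 */
function removeMemcached($destid) {
	$mcsrv = "127.0.0.1";
	$mcport = 11211;
	$mc = new Memcache;
	if (!$mc->connect($mcsrv, $mcport)) {
		error_log("removeMemcached: cannot connect to memcached at $mcsrv:$mcport");
		return;
	}
	// read memcached and remove every key whose value matches $destid
	$allSlabs = $mc->getExtendedStats('slabs');
	if (is_array($allSlabs)) {
		foreach ($allSlabs as $server => $slabs) {
			if (!is_array($slabs)) continue;
			foreach ($slabs as $slabId => $slabMeta) {
				if (!is_numeric($slabId)) continue;
				$cdump = $mc->getExtendedStats('cachedump', (int) $slabId);
				if (!is_array($cdump)) continue;
				foreach ($cdump as $keys => $arrVal) {
					if (!is_array($arrVal)) continue;
					foreach ($arrVal as $k => $v) {
						$stored = $mc->get($k);
						// compare as strings: the loose == used before also
						// matched numerically-equal strings ("1e3" == "1000")
						if (is_scalar($stored) && (string) $stored === (string) $destid) {
							$mc->delete($k);
						}
					}
				}
			}
		}
	}
	// and, for mixedLazy, the backup entry keyed by destid itself
	$mc->delete($destid);
	$mc->close();
}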
 
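# Destroy a (suspected malicious) application session by its ID.
# The ID comes from the request, so it is only accepted when it looks like a
# PHP session ID; otherwise arbitrary text would be handed straight to
# session_id()/session_start(). NOTE(review): anyone who knows a session ID
# can terminate it through this endpoint -- restrict access to this script at
# the web-server level if that is not intended.
$destid = isset($_REQUEST['appsid']) ? $_REQUEST['appsid'] : '';
if (is_string($destid) && $destid !== "") {
	if (preg_match('/^[A-Za-z0-9,-]{1,256}$/', $destid) !== 1) {
		http_response_code(400);
		echo 'Invalid session id';
		exit;
	}
	session_id($destid);
	removeMemcached($destid);
	session_start();
	session_destroy();
}

session_start();
# SERVER_NAME may mirror the client's Host header depending on the web
# server's canonical-name setting, so it is escaped wherever it lands in HTML.
$serverurl = "https://" . $_SERVER['SERVER_NAME'];
if (isset($_REQUEST['shibloggedoff'])) {
	if ($_REQUEST['shibloggedoff'] === "true") {
		$loginUrl = htmlspecialchars("$serverurl/PATH/TO/Login", ENT_QUOTES, 'UTF-8');
		echo "Sie wurden abgemeldet.<br><br>Erneut <a href=\"$loginUrl\">anmelden</a><br>";
	}
} else {

	$destid = session_id();
	removeMemcached($destid);

	# the return URL is a query value of its own, so it is percent-encoded
	$returnUrl = "$serverurl/PATH/TO/remsess.php?shibloggedoff=true";
	$url = "$serverurl/Shibboleth.sso/Logout?return=" . rawurlencode($returnUrl);
	# no exit here: the session/cookie cleanup below must still run
	header('Location: ' . $url);
}

session_destroy();
# delete the session cookie
setcookie(session_name(), "", time() - 3600, "/");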
?>