Hilfsskripte
Alle hier aufgeführten Skripte sind beispielhaft und müssen ggf. angepasst werden.
checker.php
Sorgt für den notwendigen zusätzlichen Request beim SessionHook.
- checker.php
<?php //redirect to application header('Location: '.$_GET['return']); ?>
initsess.php
- initsess.php
<?php //initialize application session session_start(); //applicationpath $path = "Path/to/NORMALAPPLICATION"; //and redirect to application $redirect = "https://".$_SERVER['SERVER_NAME']."/$path"; header('Location: '.$redirect); ?>
logoutnotify.php
Dieses Skript entfernt die Anwendungs-Session via Back-Channel und die Cookies via Front-Channel.
- logoutnotify.php
<?php // Sample PHP 5 Shibboleth logout code by lukas.haemmerle@switch.change_user // History: // - December 8 2008: Uploaded initial version that also was used for Moodle // 2015: Changes for Shibchecker by frank.schreiterer@uni-bamberg.de // Just for debugging the WSDL part ini_set("soap.wsdl_cache_enabled", "0"); // disabling WSDL cache /************************************************/ /* Sample code to log out user from application */ /************************************************/ // Requirements: // PHP 5 with SOAP support (should be available in default deployment) // PHP 5 memcache not memcached!!! /* Note: * * It is possible to call the Notify-hook twice in shibboleth2.xml * <Notify Channel="back" Location="URI_TO/logoutnotify.php" /> * <Notify Channel="front" Location="URI_TO/logoutnotify.php" /> * * So we do this and implement on front channel only the destruction for the application cookies an * on back channel the destruction for the application session an the removal of database / memcached - entries * from the shibshecker RewriteMap in our apache configuration. * * The connection parameters to the shibcheckerdb / memcached are set in function LogoutNotification. */ ////////////////////////// // Front channel logout // ////////////////////////// // Note: Generally the back-channel logout should be used once the Shibboleth // Identity Provider supports Single Log Out! // Front-channel logout is not of much use. if ( isset($_GET['return']) && isset($_GET['action']) && $_GET['action'] == 'logout' ){ //Only destroy application cookie via front channel and destroy the application session via back channel // Destroy PHP-session-cookie cookie if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', time()-42000, '/'); } // Finally, send user to the return URL header('Location: '.$_GET['return']); exit; } ///////////////////////// // Back channel logout // ///////////////////////// // Note: This is the preferred logout channel because it also allows // administrative logout. However, it requires your application to be // adapated in the sense that the user's Shibboleth session ID must be // stored in the application's session data. // See function LogoutNotification below elseif (!empty(file_get_contents("php://input"))) { // Set SOAP header $server = new SoapServer('https://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl'); $server->addFunction("LogoutNotification"); $server->handle(); } ///////////////// // Return WSDL // ///////////////// // Note: This is needed for the PHP SoapServer class. // Since I'm not a web service guru it might be that the code below is not // absolutely correct but at least it seems to to its job properly when it // comes to Shibboleth logout else { header('Content-Type: text/xml'); echo <<<WSDL <?xml version ="1.0" encoding ="UTF-8" ?> <definitions name="LogoutNotification" targetNamespace="urn:mace:shibboleth:2.0:sp:notify" xmlns:notify="urn:mace:shibboleth:2.0:sp:notify" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns="http://schemas.xmlsoap.org/wsdl/"> <types> <schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify" xmlns="http://www.w3.org/2000/10/XMLSchema" xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"> <simpleType name="string"> <restriction base="string"> <minLength value="1"/> </restriction> </simpleType> <element name="OK" type="notify:OKType"/> <complexType name="OKType"> <sequence/> </complexType> </schema> </types> <message name="getLogoutNotificationRequest"> <part name="SessionID" type="notify:string" /> </message> <message name="getLogoutNotificationResponse" > <part name="OK"/> </message> <portType name="LogoutNotificationPortType"> <operation name="LogoutNotification"> <input message="getLogoutNotificationRequest"/> <output message="getLogoutNotificationResponse"/> </operation> </portType> <binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType"> <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/> <operation name="LogoutNotification"> <soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/> </operation> </binding> <service name="LogoutNotificationService"> <port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding"> <soap:address location="https://{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}"/> </port> </service> </definitions> WSDL; exit; } /******************************************************************************/ /// This function does the actual logout function LogoutNotification($SessionID){ // Delete session of user using $SessionID to locate the user's session file // on the file system or in the database // Then delete this entry or record to clear the session // However, for that to work it is essential that the user's Shibboleth // SessionID is stored in the user session data! //connection parameters to memcached $mcsrv="127.0.0.1"; $mcport="11211"; $mc=new Memcache; $mc->connect($mcsrv,$mcport); //get the application session id $appsessionid = $mc->get($SessionID); //remove $ret = $mc-> delete($SessionID); $ret = $mc-> delete($appsessionid); if ($appsessionid == false) { $appsessionid = ""; } //Connect to the application session (PHP Session) session_id($appsessionid); session_start(); //and destroy $_SESSION = array(); session_destroy(); } ?>
remsess.php
- remsess.php
<?php /* This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Copyright 2015 Frank Schreiterer, University of Bamberg, Computing Centre */ function removeMemcached($destid) { $mcsrv="127.0.0.1"; $mcport="11211"; $mc=new Memcache; $mc->connect($mcsrv,$mcport); $stats = $mc->getExtendedStats(); $list = array(); #memcached auslesen und bei passendem Wert den Key entfernen $allSlabs = $mc->getExtendedStats('slabs'); $items = $mc->getExtendedStats('items'); foreach($allSlabs as $server => $slabs) { foreach($slabs AS $slabId => $slabMeta) { if (is_numeric($slabId)) { $cdump = $mc->getExtendedStats('cachedump',(int)$slabId); foreach($cdump AS $keys => $arrVal) { if (!is_array($arrVal)) continue; foreach($arrVal AS $k => $v) { $get = $mc->get($k); if ($get == $destid) { $ret = $mc->delete($k); } } } } } } #und bei mixedLazy den Sicherungseintrag zur destid $ret = $mc->delete($destid); $mc->close(); } #eine böse Anwendungs-Session-ID zerstören if (isset($_REQUEST['appsid'])) { $destid = $_REQUEST['appsid']; if ($destid != "") { session_id($destid); removeMemcached($destid); session_start(); session_destroy(); } } session_start(); $serverurl="https://".$_SERVER['SERVER_NAME']; if (isset($_REQUEST['shibloggedoff'])) { $shiblogoff = $_REQUEST['shibloggedoff']; if ($shiblogoff == "true") { echo "Sie wurden abgemeldet.<br><br>Erneut <a href=\"$serverurl/PATH/TO/Login\">anmelden</a><br>"; } } else { $destid = session_id(); removeMemcached($destid); $url="$serverurl/Shibboleth.sso/Logout?return=$serverurl/PATH/TO/remsess.php?shibloggedoff=true"; header('Location: '.$url); } session_destroy(); #SessionCookie löschen setcookie(session_name(),"",time() -3600,"/"); ?>