Commit 1e737e38 authored by Tim Schroeder's avatar Tim Schroeder Committed by Mark Nelson
Browse files

MDL-61351 shibboleth: Logout: fix session handler class not being used

* use $CFG->session_handler_class to determine which type of session is
  used
* if not set, use $CFG->dbsession instead
parent 8c516268
......@@ -127,64 +127,90 @@ WSDL;
* @return SoapFault or void if everything was fine
*/
function LogoutNotification($spsessionid) {
global $CFG, $SESSION, $DB;
global $CFG;
// Delete session of user using $spsessionid.
if(empty($CFG->dbsessions)) {
// File session
$dir = $CFG->dataroot .'/sessions';
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
// Read all session files
while (($file = readdir($dh)) !== false) {
// Check if it is a file
if (is_file($dir.'/'.$file)){
$session_key = preg_replace('/sess_/', '', $file);
// Read session file data
$data = file($dir.'/'.$file);
if (isset($data[0])){
$usersession = unserializesession($data[0]);
// Check if we have found session that shall be deleted
if (isset($usersession['SESSION']) && isset($usersession['SESSION']->shibboleth_session_id)) {
// If there is a match, delete file
if ($usersession['SESSION']->shibboleth_session_id == $spsessionid) {
// Delete session file
if (!unlink($dir.'/'.$file)){
return new SoapFault('LogoutError', 'Could not delete Moodle session file.');
}
// The setting $CFG->session_handler_class may not be set. But if it is,
// it should override $CFG->dbsessions.
if (!empty($CFG->session_handler_class)) {
$sessionclass = $CFG->session_handler_class;
if (preg_match('/database/i', $sessionclass) === 1) {
return logoutdbsession($spsessionid);
} else if (preg_match('/file/i', $sessionclass) === 1) {
return logoutfilesession($spsessionid);
} else {
throw new moodle_exception("Shibboleth logout not implemented for '$sessionclass'");
}
} else {
// Session handler class is not specified, check dbsessions instead.
if (!empty($CFG->dbsessions)) {
return logoutdbsession($spsessionid);
}
// Assume file sessions if dbsessions isn't used.
return logoutfilesession($spsessionid);
}
// If no SoapFault was thrown, the function will return OK as the SP assumes.
}
// Delete session of user using $spsessionid.
function logoutfilesession($spsessionid) {
global $CFG;
if (!empty($CFG->session_file_save_path)) {
$dir = $CFG->session_file_save_path;
} else {
$dir = $CFG->dataroot . '/sessions';
}
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
// Read all session files.
while (($file = readdir($dh)) !== false) {
// Check if it is a file.
if (is_file($dir.'/'.$file)) {
// Read session file data.
$data = file($dir.'/'.$file);
if (isset($data[0])) {
$usersession = unserializesession($data[0]);
// Check if we have found session that shall be deleted.
if (isset($usersession['SESSION']) && isset($usersession['SESSION']->shibboleth_session_id)) {
// If there is a match, delete file.
if ($usersession['SESSION']->shibboleth_session_id == $spsessionid) {
// Delete session file.
if (!unlink($dir.'/'.$file)) {
return new SoapFault('LogoutError', 'Could not delete Moodle session file.');
}
}
}
}
}
closedir($dh);
}
closedir($dh);
}
} else {
// DB Sessions.
$sessions = $DB->get_records_sql(
'SELECT userid, sessdata FROM {sessions} WHERE timemodified > ?',
array(time() - $CFG->sessiontimeout)
);
foreach ($sessions as $session) {
// Get user session from DB.
if (session_decode(base64_decode($session->sessdata))) {
if (isset($_SESSION['SESSION']) && isset($_SESSION['SESSION']->shibboleth_session_id)) {
// If there is a match, kill the session.
if ($_SESSION['SESSION']->shibboleth_session_id == trim($spsessionid)) {
// Delete this user's sessions.
\core\session\manager::kill_user_sessions($session->userid);
}
}
}
function logoutdbsession($spsessionid) {
global $CFG, $DB;
$sessions = $DB->get_records_sql(
'SELECT userid, sessdata FROM {sessions} WHERE timemodified > ?',
array(time() - $CFG->sessiontimeout)
);
foreach ($sessions as $session) {
// Get user session from DB.
if (session_decode(base64_decode($session->sessdata))) {
if (isset($_SESSION['SESSION']) && isset($_SESSION['SESSION']->shibboleth_session_id)) {
// If there is a match, kill the session.
if ($_SESSION['SESSION']->shibboleth_session_id == trim($spsessionid)) {
// Delete this user's sessions.
\core\session\manager::kill_user_sessions($session->userid);
}
}
}
}
// If no SoapFault was thrown, the function will return OK as the SP assumes.
}
/*****************************************************************************/
......@@ -199,3 +225,4 @@ function unserializesession($serialized_string) {
}
return $variables;
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment