Guessing at fixes for Shibboleth issues.
There are two problems with the Shibboleth authentication that I have
identified in discussion with @glarose together with analyzing code and
the issues posted in the forums (see
https://webwork.maa.org/moodle/mod/forum/discuss.php?d=8534#p21568).

The first is that the Shibboleth module overrides the WeBWorK::Authen
check_session method, and does not properly initialize the database
session.  This causes anything that uses the database session (which
includes test proctor authentication) to fail.

The second is that the WeBWorK::Controller session method returns
undefined in the case that cookies are disabled (which the Shibboleth
authentication module does).  The Mojolicious::Plugin::DefaultHelpers
_validation method then calls the session method expecting it to be an
object or a hash reference.

I have no way to test that this fixes the issues that have been
reported, and can only write code that should work.  So someone with
a Shibboleth identity provider will need to test this.
drgrice1 committed Oct 22, 2024
1 parent c4b8039 commit 8c2b4e3
Showing 2 changed files with 15 additions and 11 deletions.
24 changes: 14 additions & 10 deletions lib/WeBWorK/Authen/Shibboleth.pm
Expand Up @@ -167,20 +167,24 @@ sub check_session {
if ($ce->{shiboff}) {
return $self->SUPER::check_session(@_);
} else {
my $Key = $db->getKey($userID); # checked
my $Key = $db->getKey($userID);
return 0 unless defined $Key;

my $keyMatches = (defined $possibleKey and $possibleKey eq $Key->key);
my $timestampValid = (time <= $Key->timestamp() + $ce->{sessionTimeout});
if ($ce->{shibboleth}{manage_session_timeout}) {
# always valid to allow shib to take control of timeout
$timestampValid = 1;
}
my $currentTime = time;

my $keyMatches = defined $possibleKey && $possibleKey eq $Key->key;
my $timestampValid = $currentTime <= $Key->timestamp() + $ce->{sessionTimeout};
# Allow shib to take control of timeout.
$timestampValid = 1 if $ce->{shibboleth}{manage_session_timeout};

if ($keyMatches and $timestampValid and $updateTimestamp) {
$Key->timestamp(time);
$db->putKey($Key);
if ($keyMatches && $timestampValid && $updateTimestamp) {
$Key->timestamp($currentTime);
$self->{c}->stash->{'webwork2.database_session'} = { $Key->toHash };
$self->{c}->stash->{'webwork2.database_session'}{session}{flash} =
delete $self->{c}->stash->{'webwork2.database_session'}{session}{new_flash}
if $self->{c}->stash->{'webwork2.database_session'}{session}{new_flash};
}

return (1, $keyMatches, $timestampValid);
}
}
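Review bot: In the `if ($keyMatches && $timestampValid && $updateTimestamp)` block the `$db->putKey($Key);` call is gone, so the refreshed timestamp now exists only in the `webwork2.database_session` stash entry. Nothing in this hunk writes that entry back to the database. Please confirm that a later step persists it on the Shibboleth path; otherwise, with `manage_session_timeout` off, the stored timestamp never advances and an active session will fail the `$currentTime <= $Key->timestamp() + $ce->{sessionTimeout}` check once the original timeout passes. A short comment naming where the write-back happens would help, and holding the stash entry in a local variable would make the flash handling easier to read than repeating `$self->{c}->stash->{'webwork2.database_session'}` four times.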
2 changes: 1 addition & 1 deletion lib/WeBWorK/Controller.pm
Expand Up @@ -63,7 +63,7 @@ sub param ($c, @opts) {
# Override the Mojolicious::Controller session method to set the cookie parameters
# from the course environment the first time it is called.
sub session ($c, @args) {
return if $c->stash('disable_cookies');
return {} if $c->stash('disable_cookies');

# Initialize the cookie session the first time this is called.
unless ($c->stash->{'webwork2.cookie_session_initialized'}) {
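Review bot: `return {} if $c->stash('disable_cookies');` ignores `@args`, so a single-key getter call on `session` now receives a hash reference (always true) where it previously received nothing, and anything stored through the returned hash is silently dropped because a fresh `{}` is created on every call. Consider returning `{}` only when `@args` is empty and undef otherwise, and extend the comment above the sub to say that the session is a throwaway hash when cookies are disabled.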