1.15: session restoration issue


Stefan Winter

Mar 5, 2018, 3:09:18 AM
to SimpleSAMLphp
Hello,

I've been using 1.15 for a while now (recently, 1.15.3), and after the
initial session restore surprise (which I resolved with Jaime's help,
thanks again) things worked fine.

There is now one single page in my restricted admin area which throws a
strange Exception (many other pages using the same code path work just
fine). I get this:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: The POST data we should restore was lost.
Backtrace:
1 modules/core/www/postredirect.php:38 (require)
0 www/module.php:135 (N/A)

The issue indeed comes from sending a POST form to a page with the HTML
target URL

<form action="../diag/action_realmcheck.php?inst_id=3&profile_id=10"
method="post" accept-charset="UTF-8">

All other pages (where I'm also using the mix of GET parameters together
with some POST data) work just fine.

The differentiator here is that this is the only POST target pointing to
a ../ location.

Is there something I'm still unaware of in session handling, or is there
some bug in SSP?

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Peter Schober

Mar 5, 2018, 7:35:01 AM
to SimpleSAMLphp
* Stefan Winter <stefan...@restena.lu> [2018-03-05 09:09]:
> Caused by: Exception: The POST data we should restore was lost.
> Backtrace:
> 1 modules/core/www/postredirect.php:38 (require)

Did you enable post redirect?
https://github.com/simplesamlphp/simplesamlphp/blob/master/config-templates/config.php#L177
I've never had a use for that since I require TLS on all SPs, too.

If this is not about the HTTP POST of the SAML Response from the IDP
why would /SSP/ need to restore a POST relevant to your application?

-peter
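For readers unfamiliar with what the exception in this thread refers to: the "POST data we should restore was lost" message comes from a save-then-restore pattern, where an application stashes a pending POST body in the session before sending the browser off to authenticate, and re-posts it to the original destination afterwards. The following PHP script is an added illustration of that pattern written for this page; it is not SimpleSAMLphp's own postredirect code, and the function names, session layout and the example origin https://example.org/admin/form.php are assumptions. It shows the save step, the restore step, and the failure case that produces the kind of error Stefan quotes (the saved entry no longer exists when the restore is attempted).

```php
<?php
// Illustrative re-implementation of the save-then-restore POST pattern behind
// the "postredirect" error message. NOT SimpleSAMLphp's code: function names and
// the session layout are assumptions made for this example.
declare(strict_types=1);

// Save the POST body and its destination under a random, unguessable id so a
// returning request can only claim the entry it was given.
function savePostData(array $session, string $destination, array $post): array
{
    $id = bin2hex(random_bytes(16));
    $session['postdata'][$id] = [
        'url'     => $destination,
        'post'    => $post,
        'created' => time(),
    ];
    return [$id, $session];
}

// Restore the saved POST body. Throws the same kind of error the thread shows
// when the entry is missing, e.g. because the session was lost or replaced.
function restorePostData(array $session, string $id): array
{
    if (!isset($session['postdata'][$id])) {
        throw new RuntimeException('The POST data we should restore was lost.');
    }
    $entry = $session['postdata'][$id];
    unset($session['postdata'][$id]);   // single use: a replayed id must fail
    return [$entry, $session];
}

// Render a form that re-posts the saved data to its destination. All values are
// escaped because they originated from the client and are echoed back into HTML.
function renderRepostForm(array $entry): string
{
    $html = '<form method="post" action="'
        . htmlspecialchars($entry['url'], ENT_QUOTES, 'UTF-8') . '">';
    foreach ($entry['post'] as $name => $value) {
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . '<noscript><button type="submit">Continue</button></noscript></form>';
}

// Constructed walk-through using the form action from the thread, resolved
// against the assumed page that served it (https://example.org/admin/form.php).
$session = [];
$destination = 'https://example.org/diag/action_realmcheck.php?inst_id=3&profile_id=10';
[$id, $session] = savePostData($session, $destination, ['realm' => 'example.edu']);

// ... the user is redirected to authenticate; on return the id comes back in the URL ...
[$entry, $session] = restorePostData($session, $id);
echo renderRepostForm($entry), PHP_EOL;

// Failure case: a second restore (or a restore in a fresh session) finds nothing.
try {
    restorePostData($session, $id);
} catch (RuntimeException $e) {
    echo 'Restore failed as expected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php restore_demo.php`. The two things worth noting from a defensive standpoint are that the stored entry is keyed by a random id and consumed on first use, so an id leaked in a URL cannot be replayed, and that the destination URL is stored server-side at save time rather than taken from the returning request, so the re-post cannot be redirected elsewhere.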