Good Evening,
I’m attempting to write custom session checking such that each subsequent login
Looking at the example code at https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures.html isn’t helpful as the code is either outdated or broken (attempting to run the example code without the geoip php module did not result in any log entries)
My code:
public static function checkSession(\SimpleSAML\Session $session, bool $init = false)
{
    // Hosts for which the check is skipped
    $search_array = [
        'first' => 'Server1',
        'Server2',
        'Server3',
        'Server4',
    ];
    if ($init) {
        \SimpleSAML\Logger::debug('Executing Init checkSession');
        return;
    }
    if (in_array($_SERVER['SERVER_NAME'], $search_array)) {
        \SimpleSAML\Logger::debug('Server in array, not executing checkSession');
        return TRUE;
    }
    \SimpleSAML\Logger::debug('Executing checkSession');
    if (!empty($_REQUEST['SAMLRequest']) || !empty($_REQUEST['spentityid'])) {
        \SimpleSAML\Logger::debug('SAMLRequest or spentityid exists, invalidating any current session');
        return FALSE;
    }
    return TRUE;
}
} // closes the enclosing class (its declaration is not included in the post)
Any guidance would be appreciated.
Thank you,
m.
Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196
Hi Tim
Yes, debug logging is enabled…. Adding a bit; we’re using SimpleSAMLphp as a bridge between several external SP and various campuses. The issue we’re having is that if I log into SP A the downstream IdP returns the requested attributes, the user then logs into SP B and the attributes from SP A are returned. We could set the session.duration to something insanely low, but this causes issues downstream. What we want to do is create the session at first login and create anew for each subsequent login. TBH, this sort of behavior might be something to include in MultiAuth…
Thanks,
m.
From: simple...@googlegroups.com <simple...@googlegroups.com> On Behalf Of Tim van Dijen
Sent: Tuesday, August 12, 2025 9:21 AM
To: SimpleSAMLphp <simple...@googlegroups.com>
Subject: [simplesamlphp-users] Re: session.check_session
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
https://simplesamlphp.org/support
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
Make sure to read the documentation:
https://simplesamlphp.org/docs/stable/
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
simplesamlph...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/simplesamlphp/b01a3233-58ea-4eab-a94e-2399a5539112n%40googlegroups.com.
Leaving the “proxy” aside, the session.check_function is a part of the core SimpleSAMLphp and we would like to utilize it. This functionality served us well for the past decade and appears to be broken following the upgrade to v 2.x
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/d0cf636c-87d8-4d63-a6dd-2f0cf5069d9an%40googlegroups.com.
I’ve not gone that route, yet. I’ve revised the code to be much simpler:
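<?php
class Util{
    public function checkSession(\SimpleSAML\Session $session, $init=false) {
        if ($init){
            return true;
            // Nested block after the return above: never reached.
            {
                // Bare constant expression: evaluated and discarded, has no effect.
                \SimpleSAML\Session::DATA_TIMEOUT_SESSION_END;
                return true;
            }
        }
    }
}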
Which as I understand it, should create the first session, but upon subsequent logins expire the existing session. Feel free to correct me if I’m wrong. It still doesn’t work though.
Thanks,
m.
From: simple...@googlegroups.com <simple...@googlegroups.com> On Behalf Of kmu...@nmu.edu
Sent: Wednesday, August 13, 2025 11:31 AM
To: SimpleSAMLphp <simple...@googlegroups.com>
Subject: Re: [simplesamlphp-users] Re: session.check_session
Have you looked at using the ForceAuthn parameter on the sp definitions on your idp? I'm not sure if it will wipe out the old session, but it should require them to go through login again, and I would expect that they would get back the attributes from the new login.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/93873c4b-3f1a-4f66-aa34-cab984d10bd2n%40googlegroups.com.
Thank you. Here’s what we’ve done:
<?php
declare(strict_types=1);

namespace SimpleSAML\module\ucopconfigfunctions;

class CustomCode
{
    public static function checkSession(\SimpleSAML\Session $session, bool $init = false)
    {
        if ($init) {
            \SimpleSAML\Logger::debug('Executing Init checkSession');
            return;
        }
        \SimpleSAML\Logger::debug('Executing checkSession');
        if (!empty($_REQUEST['SAMLRequest']) || !empty($_REQUEST['spentityid'])) {
            return FALSE;
        }
        return TRUE;
    }
}
This has the desired effect of:
First pass -> authenticating the user, establishing a session
Second pass -> destroying the session, authenticating the user, establishing a session
Thanks,
m.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/09cebd71-75bc-4c13-be0e-6fad0df5a72dn%40googlegroups.com.
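The attribute carry-over described earlier in the thread and the effect of the check function posted above, as a toy model. This is an added example, not code from the thread or from SimpleSAMLphp. `login()`, `simulate()`, the `$store` array and the attribute strings are hypothetical, and the strict comparison against `true` is an assumption about how the callback's return value is treated.

```php
<?php
declare(strict_types=1);

// Added example: a toy model of the bridge; no SimpleSAMLphp classes are loaded.
// $store stands in for the session store; attribute values are constructed.

/** The thread's test, with the request passed in instead of read from $_REQUEST. */
function checkSession(array $request): bool
{
    // true = keep the stored session, false = a new login request arrived
    return empty($request['SAMLRequest']) && empty($request['spentityid']);
}

/**
 * Handle one login at the bridge. Assumption: a stored session is reused only
 * when the check callback returns exactly true; otherwise it is discarded and
 * the user is sent upstream again, which yields attributes for this SP.
 */
function login(?array &$store, array $request, string $sp, ?callable $check): array
{
    if ($store !== null && $check !== null && $check($request) !== true) {
        $store = null; // session failed the check: drop it
    }
    if ($store === null) {
        $store = ['attributes' => ["released-for-$sp"]]; // fresh upstream login
    }
    return $store['attributes'];
}

/** Two consecutive SP-initiated logins by the same browser (constructed requests). */
function simulate(?callable $check): array
{
    $store = null;
    $a = login($store, ['SAMLRequest' => 'PLACEHOLDER_A'], 'SP-A', $check);
    $b = login($store, ['SAMLRequest' => 'PLACEHOLDER_B'], 'SP-B', $check);
    return ['SP-A' => $a, 'SP-B' => $b];
}

// No check function: SP-B is answered from the session created for SP-A.
print_r(simulate(null));
// With the check function: each AuthnRequest starts from a fresh session.
print_r(simulate('checkSession'));
```

A request that carries only a `SAMLResponse` (the upstream IdP answering the bridge) passes the check, so the session created for the login in progress is not discarded midway.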
Thanks. I believe that the missing piece was the “declare(strict_types=1);”… might want to add that to the geoip one; I tried to use that and it failed…
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/53da421a-b880-40c5-a403-335d98dda592n%40googlegroups.com.