session.check_session

Mark Boyce

Aug 11, 2025, 9:34:48 PM
to simple...@googlegroups.com

Good Evening,

I'm attempting to write custom session checking such that each subsequent login

  1. Invalidates any existing session
  2. Creates a new session

Looking at the example code at https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures.html isn't helpful, as the code is either outdated or broken (attempting to run the example code without the geoip php module did not result in any log entries).

My code:

    public static function checkSession(\SimpleSAML\Session $session, bool $init = false)
    {
        // Hosts on which the session check is skipped entirely
        $search_array = [
            'first' => 'Server1',
            'Server2',
            'Server3',
            'Server4',
        ];

        // Called with $init = true when a brand-new session is created
        if ($init) {
            \SimpleSAML\Logger::debug('Executing Init checkSession');
            return;
        }

        if (in_array($_SERVER['SERVER_NAME'], $search_array)) {
            \SimpleSAML\Logger::debug('Server in array, not executing checkSession');
            return true;
        }

        \SimpleSAML\Logger::debug('Executing checkSession');

        // A new SP login is arriving: report the existing session as not validated
        if (!empty($_REQUEST['SAMLRequest']) || !empty($_REQUEST['spentityid'])) {
            \SimpleSAML\Logger::debug('SAMLRequest or spentityid exists, invalidating any current session');
            return false;
        }

        return true;
    }

Any guidance would be appreciated.

Thank you,

m.

Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196

Tim van Dijen

Aug 12, 2025, 10:20:36 AM
to SimpleSAMLphp
Hey Mark!

If you don't see any log entries, you may not have debug-logging enabled!

I must admit I haven't ever used this functionality but looking at the code I think what you want is certainly possible.
You can invalidate a session when it doesn't match your criteria by calling `$session->clearInternalState()` in your checkSession method.
This will clear any data associated with the session, but will keep the empty session and its associated sessionId. The checkSession method should however return `true` in this case, which at first might feel counter-intuitive. Returning false would however indicate that the session wasn't found or couldn't be validated.
If you would delete the session and generate an entirely new one, you would end up with a 'State lost' exception, which I guess is not what you're after.
I hope this helps!

- Tim


On Tuesday, 12 August 2025 at 03:34:48 UTC+2, mark....@ucop.edu wrote:
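As an added illustration of the approach Tim describes (this is example code, not from the thread or from the SimpleSAMLphp project): the check function detects a new SP login the same way Mark's code does, via `SAMLRequest` or `spentityid`, but wipes the current session with `$session->clearInternalState()` and returns `true` so the session id survives and no 'State lost' exception is raised. The class name, the namespace and the shape of the `session.check_function` config entry are assumptions.

```php
<?php

declare(strict_types=1);

namespace SimpleSAML\Module\ucopconfigfunctions; // assumed module namespace

use SimpleSAML\Logger;
use SimpleSAML\Session;

class SessionReset // assumed class name
{
    /**
     * SimpleSAMLphp calls this with $init = true when a new session is
     * created and with $init = false when an existing session is loaded.
     */
    public static function checkSession(Session $session, bool $init = false): bool
    {
        if ($init) {
            Logger::debug('checkSession: new session, nothing to reset');
            return true;
        }

        // A new SP login is arriving: a SAMLRequest (SP-initiated) or a
        // spentityid parameter (IdP-initiated). Either one means the attributes
        // cached from the previous SP must not be replayed to this SP.
        $newLogin = !empty($_REQUEST['SAMLRequest']) || !empty($_REQUEST['spentityid']);
        if (!$newLogin) {
            return true;
        }

        // Clear the session's data but keep the session and its id, then
        // report the session as valid. Returning false would instead tell
        // SimpleSAMLphp the session could not be validated at all.
        Logger::info('checkSession: new login request, clearing existing session state');
        $session->clearInternalState();
        return true;
    }
}

// Assumed wiring in config/config.php (the array form is an assumption):
// 'session.check_function' => ['\SimpleSAML\Module\ucopconfigfunctions\SessionReset', 'checkSession'],
```

SimpleSAMLphp only runs this when the configured callable actually resolves, so confirm the debug line appears in the log on every request before relying on the check.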

Mark Boyce

Aug 12, 2025, 10:52:19 AM
to simple...@googlegroups.com

Hi Tim,

Yes, debug logging is enabled. Adding a bit: we're using SimpleSAMLphp as a bridge between several external SPs and various campuses. The issue we're having is that if I log into SP A, the downstream IdP returns the requested attributes; the user then logs into SP B and the attributes from SP A are returned. We could set the session.duration to something insanely low, but this causes issues downstream. What we want to do is create the session at first login and create anew for each subsequent login. TBH, this sort of behavior might be something to include in MultiAuth…

Thanks,

m.

Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196
--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/simplesamlphp/b01a3233-58ea-4eab-a94e-2399a5539112n%40googlegroups.com.

Tim van Dijen

Aug 12, 2025, 12:16:17 PM
to SimpleSAMLphp
Ah of course, it's always the 'proxy' setup.
Listen, you can use SimpleSAMLphp as such, but don't expect these advanced features to work. The product was never intended to work as such.
Use a proper SAML proxy product instead.

- Tim

On Tuesday, 12 August 2025 at 16:52:19 UTC+2, mark....@ucop.edu wrote:

Mark Boyce

Aug 12, 2025, 12:58:04 PM
to simple...@googlegroups.com

Leaving the "proxy" aside, the session.check_function is a part of core SimpleSAMLphp and we would like to utilize it. This functionality served us well for the past decade and appears to be broken following the upgrade to v2.x.

kmu...@nmu.edu

Aug 13, 2025, 12:30:51 PM
to SimpleSAMLphp
Have you looked at using the ForceAuthn parameter on the SP definitions on your IdP? I'm not sure if it will wipe out the old session, but it should require them to go through login again, and I would expect that they would get back the attributes from the new login.

Mark Boyce

Aug 13, 2025, 12:50:31 PM
to simple...@googlegroups.com

I've not gone that route, yet. I've revised the code to be much simpler:

    <?php

    class Util
    {
        public function checkSession(\SimpleSAML\Session $session, $init = false)
        {
            // First login: let the new session be created
            if ($init) {
                return true;
            }

            // Note: this statement only reads the constant; on its own it does
            // not change the session's timeout or expire anything.
            \SimpleSAML\Session::DATA_TIMEOUT_SESSION_END;

            return true;
        }
    }

Which, as I understand it, should create the first session, but upon subsequent logins expire the existing session. Feel free to correct me if I'm wrong. It still doesn't work though.

Thanks,

m.

Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196

monk...@gmail.com

Aug 14, 2025, 12:13:17 AM
to SimpleSAMLphp
Hi,

I thought I would dig into the `check_function` a bit to see if it is working as expected.

I made a smaller example that is self-contained. I also just made a file in src/SimpleSAML for the function to avoid needing to reference a custom module. If the function is not callable then SSP will silently ignore it. IMHO that might be an issue -- if you specify a function and it cannot be called then that should be a strong warning or error.

The function logs out my badboy user every time. Testing by reloading the admin test page for default-sp after changing the uid for badboy to match my session, I am redirected to a login. Because of the way it is written I can also not log in. Maybe only forcing the session to be thrown away if it is 2 minutes old would be a better example, but I wanted to keep that check_function example self-contained and fairly short.

Mark Boyce

Aug 14, 2025, 1:48:46 PM
to simple...@googlegroups.com

Thank you. Here's what we've done:

    <?php

    declare(strict_types=1);

    namespace SimpleSAML\module\ucopconfigfunctions;

    class CustomCode
    {
        public static function checkSession(\SimpleSAML\Session $session, bool $init = false)
        {
            // Called with $init = true when a new session is created
            if ($init) {
                \SimpleSAML\Logger::debug('Executing Init checkSession');
                return;
            }

            \SimpleSAML\Logger::debug('Executing checkSession');

            // A new SP login is arriving: returning false tells SimpleSAMLphp
            // the existing session could not be validated
            if (!empty($_REQUEST['SAMLRequest']) || !empty($_REQUEST['spentityid'])) {
                return false;
            }

            return true;
        }
    }


This has the desired effect of:

First pass -> authenticating the user, establishing a session

Second pass -> destroying the session, authenticating the user, establishing a session

Thanks,

m.

Mark L. Boyce
Senior Identity Management Analyst
University of California, Office of the President
Office: 510.987.9681
Cell: 209.851.0196


monk...@gmail.com

Aug 14, 2025, 7:15:25 PM
to SimpleSAMLphp
Hi,

I am happy that you have a working solution now.

I will make some PRs to the main repo. Firstly, putting this example with full paths etc. into the docs, as well as the geoip one.

Then also adding a warning or error if the supplied check_function is not callable. I think if a site is using check_function then they are probably happy to have complaints if it cannot be executed.

Mark Boyce

Aug 14, 2025, 7:59:40 PM
to simple...@googlegroups.com

Thanks. I believe that the missing piece was the "declare(strict_types=1);"… might want to add that to the geoip one; I tried to use that and it failed…
