apereo#224: Add configurable session-id salt when hashing the ticket.

As suggested in apereo#224, a client-configurable salt will allow a hashed ticket to have increased unique data, helping to make ensure that the session id is hard to guess even if the CAS server uses short tickets. This includes the contents of PR apereo#257.
Wolvverine · Mar 13, 2018 · 96b7d6b · 96b7d6b
1 parent e4afa9d
commit 96b7d6b
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/source/CAS.php b/source/CAS.php
@@ -1685,6 +1685,27 @@ public static function setExtraCurlOption($key, $value)
         phpCAS :: traceEnd();
     }
 
+    /**
+     * Set a salt/seed for the session-id hash to make it harder to guess.
+     *
+     * When $changeSessionID = true phpCAS will create a session-id that is derived
+     * from the service ticket. Doing so allows phpCAS to look-up and destroy the
+     * proper session on single-log-out requests. While the service tickets
+     * provided by the CAS server may include enough data to generate a strong
+     * hash, clients may provide an additional salt to ensure that session ids
+     * are not guessable if the session tickets do not have enough entropy.
+     *
+     * @param string $salt The salt to combine with the session ticket.
+     *
+     * @return void
+     */
+     public static function setSessionIdSalt($salt) {
+       phpCAS :: traceBegin();
+       phpCAS::_validateClientExists();
+       self::$_PHPCAS_CLIENT->setSessionIdSalt($salt);
+       phpCAS :: traceEnd();
+     }
+
     /**
      * If you want your service to be proxied you have to enable it (default
      * disabled) and define an accepable list of proxies that are allowed to

diff --git a/source/CAS/Client.php b/source/CAS/Client.php
@@ -3716,7 +3716,25 @@ private function _sessionIdForTicket($ticket)
     {
       // Hash the ticket to ensure that the value meets the PHP 7.1 requirement
       // that session-ids have a length between 22 and 256 characters.
-      return hash('sha256', $ticket);
+      return hash('sha256', $this->_sessionIdSalt . $ticket);
+    }
+
+    /**
+     * Set a salt/seed for the session-id hash to make it harder to guess.
+     *
+     * @var string $_sessionIdSalt
+     */
+    private $_sessionIdSalt = '';
+
+    /**
+     * Set a salt/seed for the session-id hash to make it harder to guess.
+     *
+     * @param string $salt
+     *
+     * @return void
+     */
+    public function setSessionIdSalt($salt) {
+      $this->_sessionIdSalt = (string)$salt;
     }
 
     // ########################################################################