
Stop replay attacks

Open kw-pr opened this issue 1 year ago • 3 comments

In the documentation there is a comment about replay attacks:

$messageId = $event->getAuth()->getLastMessageId();
// your own code preventing reuse of a $messageId to stop replay attacks

What do we need to do here?

I found this answer on Stack Overflow, about InResponseTo. Is there a way to get this InResponseTo? Doesn't this require another event before the login?

kw-pr avatar Jul 28 '22 11:07 kw-pr

I just found the replay attacks documentation from onelogin. So I need to store $messageId and check if it exists.

After what time can I delete the ID? Minutes? Days? Weeks?

It would be cool if this important security feature were provided by this package.

kw-pr avatar Jul 28 '22 11:07 kw-pr

I don't have very much traffic. I guess I could do a quick solution using Cache:

    use Illuminate\Support\Facades\Cache;
    use Illuminate\Support\Facades\Redirect;

    // One cache entry per SAML message ID; an existing entry means this response was already consumed.
    $cacheKey = 'saml-message-id-' . $messageId;
    if (Cache::has($cacheKey)) {
        // The redirect has to be returned, otherwise it is built and silently discarded.
        return Redirect::route('login')->with('error', 'Invalid message id.');
    }

    // Remember the ID; the third argument is seconds on Laravel 5.8+ (minutes on older releases).
    Cache::put($cacheKey, true, 5 * 60);

kw-pr avatar Jul 28 '22 11:07 kw-pr

In addition to what you have already done, I believe you can also use the 'NotOnOrAfter' value from the assertion for the cache expiry time, since the assertion should not be valid after this time. You can get it from the SignedIn event using $event->getAuth()->getBase()->getLastAssertionNotOnOrAfter()

f3cp avatar Aug 09 '22 03:08 f3cp
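Putting the two suggestions from this thread together (the cache check from kw-pr's comment and the NotOnOrAfter-based expiry from f3cp's), here is an added example of a complete listener. It is not code from this thread or from laravel-saml2 itself; it assumes the 24Slides fork's event class `Slides\Saml2\Events\SignedIn`, whose `getAuth()` exposes `getLastMessageId()` and, through `getBase()`, OneLogin's `getLastAssertionNotOnOrAfter()`. The class name `RejectReplayedSamlResponse`, the cache key prefix and the TTL constants are my own choices. Unlike the `Cache::has()`/`Cache::put()` pair, `Cache::add()` writes only when the key is absent and reports whether it did, so two concurrent deliveries of the same response cannot both pass the check on stores where `add` is atomic (Redis, Memcached, the database driver).

```php
<?php
// Added example, not part of laravel-saml2. Assumes the 24Slides fork's
// Slides\Saml2\Events\SignedIn event; adjust the namespace to your installed package.

namespace App\Listeners;

use Illuminate\Support\Facades\Cache;
use Slides\Saml2\Events\SignedIn;

class RejectReplayedSamlResponse
{
    /** Fallback retention in seconds when the assertion carries no NotOnOrAfter. */
    private const DEFAULT_TTL = 5 * 60;

    /** Floor on retention, so IdP/SP clock drift cannot shrink the window to zero. */
    private const MIN_TTL = 60;

    public function handle(SignedIn $event): void
    {
        $auth = $event->getAuth();
        $messageId = $auth->getLastMessageId();

        if (empty($messageId)) {
            // A response without an ID cannot be de-duplicated, so refuse it.
            abort(403, 'SAML response has no message ID.');
        }

        // Keep the ID at least as long as the assertion itself is valid.
        $ttl = self::ttlFor($auth->getBase()->getLastAssertionNotOnOrAfter());

        // Hashing keeps the cache key short and free of characters that some
        // stores (e.g. Memcached) reject; message IDs are arbitrary XML IDs.
        $cacheKey = 'saml-message-id:' . sha1($messageId);

        // Cache::add() returns false when the key already exists: the response was seen before.
        $firstUse = Cache::add($cacheKey, true, $ttl);

        if (! $firstUse) {
            abort(403, 'SAML response replayed.');
        }
    }

    /**
     * Seconds to remember a message ID: until the assertion's NotOnOrAfter plus a
     * small drift allowance, never below MIN_TTL, and DEFAULT_TTL when absent.
     */
    public static function ttlFor(?int $notOnOrAfter, ?int $now = null): int
    {
        $now = $now ?? time();

        if ($notOnOrAfter === null) {
            return self::DEFAULT_TTL;
        }

        $remaining = $notOnOrAfter - $now + self::MIN_TTL;

        return max(self::MIN_TTL, $remaining);
    }
}
```

Register the listener for the `SignedIn` event in your `EventServiceProvider` so it runs before any code that creates the local session. Calling `abort()` from the listener halts the request, which is what you want: a listener cannot return a redirect the way a controller can. If your cache driver does not implement `add` atomically, the check degrades to the same get-then-set race as `has()`/`put()`, so prefer Redis, Memcached or the database store for this key.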