laravel-saml2
Stop replay attacks
In the documentation there is a comment about replay attacks:
$messageId = $event->getAuth()->getLastMessageId();
// your own code preventing reuse of a $messageId to stop replay attacks
What do we need to do here?
I found this answer on Stack Overflow about InResponseTo. Is there a way to get this InResponseTo? Doesn't this require another event before the login?
I just found the replay attacks documentation from OneLogin. So I need to store $messageId and check if it exists.
After what time can I delete the ID? Minutes? Days? Weeks?
Would be cool if this important security feature were provided by this package.
I don't have very much traffic. I guess I could do a quick solution using Cache:
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Redirect;

$cacheKey = 'saml-message-id-' . $messageId;
if (Cache::has($cacheKey))
{
    // Message ID already seen: treat this response as a replay and abort the login.
    return Redirect::route('login')->with('error', 'Invalid message id.');
}
// Remember the ID; the third argument is the lifetime (seconds in Laravel 5.8+, minutes in older releases).
Cache::put($cacheKey, true, 5 * 60);
In addition to what you have already done, I believe you can also use the 'NotOnOrAfter' value from the assertion for the cache expiry time, since the assertion should not be valid after this time. You can get it from the SignedIn event using $event->getAuth()->getBase()->getLastAssertionNotOnOrAfter()
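Putting the two comments above together, here is an added example listener (not code from this package or from anyone in the thread) that rejects a replayed SAML response: it claims the message ID atomically with Cache::add() instead of a has()/put() pair, which has a race between the check and the write, and derives the cache lifetime from the assertion's NotOnOrAfter. The event class Slides\Saml2\Events\SignedIn, the listener name and a Laravel 5.8+ cache (TTL in seconds) are assumptions.

```php
<?php
// Added example, not part of laravel-saml2. Assumes the SignedIn event exposes
// getAuth() as used in this thread and that Cache TTLs are in seconds (Laravel 5.8+).

namespace App\Listeners;

use Illuminate\Support\Facades\Cache;
use Slides\Saml2\Events\SignedIn; // assumed event class
use Symfony\Component\HttpKernel\Exception\HttpException;

class RejectReplayedSamlResponse
{
    /** Fallback lifetime when the assertion carries no NotOnOrAfter. */
    private const DEFAULT_TTL_SECONDS = 5 * 60;

    public function handle(SignedIn $event): void
    {
        $auth         = $event->getAuth();
        $messageId    = $auth->getLastMessageId();
        // Unix timestamp of the assertion's NotOnOrAfter condition, or null if absent.
        $notOnOrAfter = $auth->getBase()->getLastAssertionNotOnOrAfter();

        if (!self::claimMessageId($messageId, $notOnOrAfter, time())) {
            // Abort the login: this response has already been consumed once.
            throw new HttpException(403, 'SAML response rejected: message ID already used.');
        }
    }

    /**
     * Records $messageId as consumed and returns true, or returns false when it
     * was already recorded. Cache::add() only writes if the key is absent and is
     * atomic on stores that support it, so two concurrent copies of the same
     * response cannot both pass the check.
     */
    public static function claimMessageId(?string $messageId, ?int $notOnOrAfter, int $now): bool
    {
        if ($messageId === null || $messageId === '') {
            return false; // a response without an ID cannot be tracked, so reject it
        }

        // Keep the ID for as long as the assertion itself could still be accepted;
        // php-saml rejects expired assertions, but allow a floor for clock skew.
        $ttl = $notOnOrAfter !== null ? $notOnOrAfter - $now : self::DEFAULT_TTL_SECONDS;
        $ttl = max($ttl, 60);

        return Cache::add('saml-message-id-' . $messageId, true, $ttl);
    }
}
```

Register the listener for the SignedIn event in your EventServiceProvider; because it throws, it must run before any listener that logs the user in.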