user1987540

Reputation: 31

replay attack mitigation using onelogin php toolkit

In the php SAML toolkit from onelogin dot com the README.md states:

"### Replay attacks ###

In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the messages expire and will be invalidated due to that fact, you don't need to store those IDs longer than the time frame that you are currently accepting.

Get the ID of the last processed message/assertion with the getLastMessageId/getLastAssertionId methods of the Auth object."

In my environment $auth->getLastRequestID() returns a good-looking unique value, but getLastMessageId and getLastAssertionId both return nothing.

Is getLastRequestID sufficient to implement the described replay attack mitigation?

Upvotes: 2

Views: 154
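The README passage quoted in the question describes the mechanism but not a store. Below is an added example (not part of the question, and not code from the OneLogin toolkit) of a time-bounded "already processed" ID store and how it would sit next to the toolkit's `Auth` object. It assumes PHP 8, that `getLastMessageId()`/`getLastAssertionId()` are read only after `processResponse()` has run (as the README implies), and that `getLastRequestID()` is the SP's own AuthnRequest ID; the class and function names, the 300-second window and the sample IDs are all constructed for the example.

```php
<?php
// Added example: a minimal store of already-processed SAML message/assertion IDs,
// retained only for the acceptance window, as the toolkit README describes.
// Class and function names are hypothetical; the toolkit itself ships no such store.

final class SamlReplayGuard
{
    /** @var array<string, int> id => expiry (unix seconds) */
    private array $seen = [];

    public function __construct(private int $windowSeconds = 300) {}

    // Returns true if $id has not been seen inside the window (and records it),
    // false if it is a replay or empty. $now is injectable for testing.
    public function checkAndRecord(string $id, ?int $now = null): bool
    {
        $now ??= time();
        $this->purge($now);
        if ($id === '') {
            // No ID to key on: never treat that as "fresh".
            return false;
        }
        if (isset($this->seen[$id])) {
            return false; // already processed within the acceptance window
        }
        $this->seen[$id] = $now + $this->windowSeconds;
        return true;
    }

    // Drop IDs older than the window; the toolkit's own timestamp validation
    // rejects messages that old anyway, so keeping them gains nothing.
    private function purge(int $now): void
    {
        foreach ($this->seen as $id => $expires) {
            if ($expires <= $now) {
                unset($this->seen[$id]);
            }
        }
    }

    public function count(): int
    {
        return count($this->seen);
    }
}

// Integration sketch (assumes the php-saml Auth object; not called in the offline demo below).
function acceptSamlResponse(OneLogin\Saml2\Auth $auth, SamlReplayGuard $guard): void
{
    $auth->processResponse();
    if (!empty($auth->getErrors())) {
        throw new RuntimeException('SAML response rejected: ' . implode(', ', $auth->getErrors()));
    }
    // Key on the IDs the IdP generated for this response and assertion. The SP's own
    // AuthnRequest ID (getLastRequestID()) is known before any response arrives and is
    // the same for every copy of a replayed response, so it cannot tell copies apart.
    $responseId  = (string) $auth->getLastMessageId();
    $assertionId = (string) $auth->getLastAssertionId();
    if (!$guard->checkAndRecord('resp:' . $responseId)
        || !$guard->checkAndRecord('assr:' . $assertionId)) {
        throw new RuntimeException('Replayed SAML response or assertion');
    }
    // ... continue with $auth->getAttributes() and session creation
}

// Offline demonstration with constructed IDs and a fixed clock.
$guard = new SamlReplayGuard(windowSeconds: 300);
$t0 = 1_700_000_000;
var_dump($guard->checkAndRecord('_abc123', $t0));        // bool(true): first sight
var_dump($guard->checkAndRecord('_abc123', $t0 + 10));   // bool(false): replay inside the window
var_dump($guard->checkAndRecord('', $t0 + 10));          // bool(false): empty ID is never accepted
var_dump($guard->checkAndRecord('_abc123', $t0 + 301));  // bool(true): entry purged after the window
var_dump($guard->count());                               // int(1)
```

The in-memory array only protects a single PHP process; in a real deployment the store has to be shared across workers and servers (a database table or cache keyed by ID with a TTL equal to the acceptance window), otherwise a second request landing on a different worker would not see the first one. The two-key check (response ID and assertion ID) covers the case where an attacker re-wraps a captured assertion in a new response envelope.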

Answers (0)
