Fix bug with non-HTTP Shib sessions being valid for HTTP sessions (!7) · Merge requests · adi-ia / uw-php-security

Andy Summers requested to merge andrew-summers/uw-php-security:test-fix into master Jul 27, 2016

Previously, the PreauthUserDetailsProvider was only checking that a valid Shib session existed by looking for the regular or HTTP Shib session header. This check is now strengthened by validating the correct header exists for the correct instance.

Also renamed and changed some things in the Preauth test--it's now called HTTPPreauthUserDetailsProviderTest to reflect the fact that it's only testing the HTTP version of Preauth. Along those same lines, the test user now uses the HTTP headers and has been renamed to testuser_http.json.

Please review: @ahoffmann

Admin message

Fix bug with non-HTTP Shib sessions being valid for HTTP sessions

Merge request reports