fix(Session): restore session data after cookie login

when a browser is closed and the session lost, a new session might be
started with the help of the remember me cookie. For we keep some data in
the session, like the IdP identifier, and some SAML data needed for SLO,
those were lost in this process. This made especially logout behaviour
not acting as expected.

Now we keep the required data also in the database and can restore it on
a cookie login event.

Signed-off-by: Arthur Schiwon <[email protected]>

Author: blizzz

appinfo/info.xml

@@ -20,7 +20,7 @@ The following providers are supported and tested at the moment:
 	* Any other provider that authenticates using the environment variable
 
 While theoretically any other authentication provider implementing either one of those standards is compatible, we like to note that they are not part of any internal test matrix.]]></description>
-	<version>7.1.1</version>
+	<version>7.1.2-beta.1</version>
 	<licence>agpl</licence>
 	<author>Lukas Reschke</author>
 	<namespace>User_SAML</namespace>

lib/AppInfo/Application.php

@@ -16,6 +16,7 @@
 use OCA\User_SAML\DavPlugin;
 use OCA\User_SAML\GroupBackend;
 use OCA\User_SAML\GroupManager;
+use OCA\User_SAML\Listener\CookieLoginEventListener;
 use OCA\User_SAML\Listener\LoadAdditionalScriptsListener;
 use OCA\User_SAML\Listener\SabrePluginEventListener;
 use OCA\User_SAML\Middleware\OnlyLoggedInMiddleware;
@@ -38,6 +39,8 @@
 use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Server;
+use OCP\User\Events\BeforeUserLoggedInWithCookieEvent;
+use OCP\User\Events\UserLoggedInWithCookieEvent;
 use Psr\Container\ContainerInterface;
 use Psr\Log\LoggerInterface;
 use Throwable;
@@ -53,6 +56,8 @@ public function register(IRegistrationContext $context): void {
 		$context->registerMiddleware(OnlyLoggedInMiddleware::class);
 		$context->registerEventListener(BeforeTemplateRenderedEvent::class, LoadAdditionalScriptsListener::class);
 		$context->registerEventListener(SabrePluginAddEvent::class, SabrePluginEventListener::class);
+		$context->registerEventListener(BeforeUserLoggedInWithCookieEvent::class, CookieLoginEventListener::class);
+		$context->registerEventListener(UserLoggedInWithCookieEvent::class, CookieLoginEventListener::class);
 		$context->registerService(DavPlugin::class, fn (ContainerInterface $c) => new DavPlugin(
 			$c->get(ISession::class),
 			$c->get(IConfig::class),

lib/Controller/SAMLController.php

@@ -17,6 +17,7 @@
 use OCA\User_SAML\Exceptions\UserFilterViolationException;
 use OCA\User_SAML\Helper\TXmlHelper;
 use OCA\User_SAML\SAMLSettings;
+use OCA\User_SAML\Service\SessionService;
 use OCA\User_SAML\UserBackend;
 use OCA\User_SAML\UserData;
 use OCA\User_SAML\UserResolver;
@@ -57,6 +58,7 @@ public function __construct(
 		private UserData $userData,
 		private ICrypto $crypto,
 		private ITrustedDomainHelper $trustedDomainHelper,
+		private SessionService $sessionService,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -333,10 +335,10 @@ public function assertionConsumerService(): Http\RedirectResponse {
 		}
 
 		$AuthNRequestID = $data['AuthNRequestID'];
-		$idp = $data['Idp'];
+		$idp = $data['Idp'] ;
 		// need to keep the IdP config ID during session lifetime (SAMLSettings::getPrefix)
-		$this->session->set('user_saml.Idp', $idp);
-		if (is_null($AuthNRequestID) || $AuthNRequestID === '' || is_null($idp)) {
+		$this->sessionService->storeIdentityProviderInSession($idp);
+		if (is_null($AuthNRequestID) || $AuthNRequestID === '') {
 			$this->logger->debug('Invalid auth payload', ['app' => 'user_saml']);
 			return new Http\RedirectResponse($this->urlGenerator->getAbsoluteURL('/'));
 		}
@@ -383,14 +385,8 @@ public function assertionConsumerService(): Http\RedirectResponse {
 			return $response;
 		}
 
-		$this->session->set('user_saml.samlUserData', $auth->getAttributes());
-		$this->session->set('user_saml.samlNameId', $auth->getNameId());
-		$this->session->set('user_saml.samlNameIdFormat', $auth->getNameIdFormat());
-		$this->session->set('user_saml.samlNameIdNameQualifier', $auth->getNameIdNameQualifier());
-		$this->session->set('user_saml.samlNameIdSPNameQualifier', $auth->getNameIdSPNameQualifier());
-		$this->session->set('user_saml.samlSessionIndex', $auth->getSessionIndex());
-		$this->session->set('user_saml.samlSessionExpiration', $auth->getSessionExpiration());
-		$this->logger->debug('Session values set', ['app' => 'user_saml']);
+		$this->sessionService->prepareSession($auth);
+
 		try {
 			$user = $this->userResolver->findExistingUser($this->userBackend->getCurrentUserId());
 			$firstLogin = $user->updateLastLoginTimestamp();
@@ -510,14 +506,14 @@ public function singleLogoutService(): Http\RedirectResponse {
 	 */
 	private function tryProcessSLOResponse(?int $idp): array {
 		$idps = ($idp !== null) ? [$idp] : array_keys($this->samlSettings->getListOfIdps());
-		foreach ($idps as $idp) {
+		foreach ($idps as $identityProviderId) {
 			try {
-				$auth = new Auth($this->samlSettings->getOneLoginSettingsArray($idp));
+				$auth = new Auth($this->samlSettings->getOneLoginSettingsArray($identityProviderId));
 				// validator (called with processSLO()) needs an XML entity loader
 				$targetUrl = $this->callWithXmlEntityLoader(fn (): string => $auth->processSLO(
 					true, // do not let processSLO to delete the entire session. Let userSession->logout do the job
 					null,
-					$this->samlSettings->usesSloWebServerDecode($idp),
+					$this->samlSettings->usesSloWebServerDecode($identityProviderId),
 					null,
 					true
 				));

lib/Db/SessionData.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Db;
+
+use OCA\User_SAML\Model\SessionData as SessionDataModel;
+use OCP\AppFramework\Db\Entity;
+use OCP\DB\Types;
+
+class SessionData extends Entity {
+	/** @var string */
+	public $id;
+	public ?string $data = null;
+
+	public function __construct() {
+		$this->addType('id', Types::STRING);
+		$this->addType('data', Types::TEXT);
+	}
+
+	public function setId(string $id): void {
+		$this->id = $id;
+		$this->markFieldUpdated('id');
+	}
+
+	public function setData(SessionDataModel $input): void {
+		$this->data = json_encode($input);
+		$this->markFieldUpdated('data');
+	}
+
+	public function getData(): SessionDataModel {
+		$deserialized = json_decode($this->data, true);
+		return SessionDataModel::fromInputArray($deserialized);
+	}
+}

lib/Db/SessionDataMapper.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Db;
+
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Db\MultipleObjectsReturnedException;
+use OCP\AppFramework\Db\QBMapper;
+use OCP\DB\Exception;
+use OCP\IDBConnection;
+
+/** @template-extends QBMapper<SessionData> */
+class SessionDataMapper extends QBMapper {
+	public const SESSION_DATA_TABLE_NAME = 'user_saml_session_data';
+
+	public function __construct(IDBConnection $db) {
+		parent::__construct($db, self::SESSION_DATA_TABLE_NAME, SessionData::class);
+	}
+
+	/**
+	 * @throws DoesNotExistException
+	 * @throws MultipleObjectsReturnedException
+	 * @throws Exception
+	 */
+	public function retrieve(string $sessionId): SessionData {
+		$qb = $this->db->getQueryBuilder();
+		$qb->select('*')
+			->from(self::SESSION_DATA_TABLE_NAME)
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($sessionId)));
+		return $this->findEntity($qb);
+	}
+}

lib/Listener/CookieLoginEventListener.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Listener;
+
+use OCA\User_SAML\Service\SessionService;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\User\Events\BeforeUserLoggedInWithCookieEvent;
+use OCP\User\Events\UserLoggedInWithCookieEvent;
+
+/** @template-implements IEventListener<BeforeUserLoggedInWithCookieEvent|UserLoggedInWithCookieEvent|Event> */
+class CookieLoginEventListener implements IEventListener {
+	protected ?string $oldSessionId = null;
+
+	public function __construct(
+		protected readonly SessionService $sessionService,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if ($event instanceof BeforeUserLoggedInWithCookieEvent) {
+			$this->prepareRestoreOfSession();
+			return;
+		}
+
+		if ($event instanceof UserLoggedInWithCookieEvent) {
+			$this->restoreSession();
+			return;
+		}
+	}
+
+	protected function prepareRestoreOfSession(): void {
+		if (isset($_COOKIE['nc_session_id'])) {
+			$this->oldSessionId = $_COOKIE['nc_session_id'];
+		}
+	}
+
+	protected function restoreSession(): void {
+		if ($this->oldSessionId !== null) {
+			$this->sessionService->restoreSession($this->oldSessionId);
+		}
+	}
+}

lib/Migration/Version7001Date20251215192613.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\User_SAML\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use Override;
+
+class Version7001Date20251215192613 extends SimpleMigrationStep {
+	public const SESSION_DATA_TABLE_NAME = 'user_saml_session_data';
+
+	#[Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if ($schema->hasTable(self::SESSION_DATA_TABLE_NAME)) {
+			return null;
+		}
+
+		$table = $schema->createTable(self::SESSION_DATA_TABLE_NAME);
+		$table->addColumn('id', Types::STRING, [
+			'notnull' => true,
+			'length' => 200,
+		]);
+		$table->addColumn('data', Types::TEXT, [
+			'notnull' => true,
+		]);
+		$table->setPrimaryKey(['id']);
+
+		return $schema;
+	}
+
+}

lib/Model/SessionData.php

@@ -0,0 +1,89 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\User_SAML\Model;
+
+use OCP\ISession;
+
+class SessionData implements \JsonSerializable, \Stringable {
+	public const KEY_IDENTITY_PROVIDER_ID = 'user_saml.Idp';
+	public const KEY_SAML_NAME_ID = 'user_saml.samlNameId';
+	public const KEY_SAML_NAME_ID_FORMAT = 'user_saml.samlNameIdFormat';
+	public const KEY_SAML_NAME_ID_QUALIFIER = 'user_saml.samlNameIdNameQualifier';
+	public const KEY_SAML_NAME_ID_SP_QUALIFIER = 'user_saml.samlNameIdSPNameQualifier';
+	public const KEY_SAML_SESSION_INDEX = 'user_saml.samlSessionIndex';
+
+	public const SESSION_KEYS = [
+		'KEY_IDENTITY_PROVIDER_ID' => 'user_saml.Idp',
+		'KEY_SAML_NAME_ID' => 'user_saml.samlNameId',
+		'KEY_SAML_NAME_ID_FORMAT' => 'user_saml.samlNameIdFormat',
+		'KEY_SAML_NAME_ID_QUALIFIER' => 'user_saml.samlNameIdNameQualifier',
+		'KEY_SAML_NAME_ID_SP_QUALIFIER' => 'user_saml.samlNameIdSPNameQualifier',
+		'KEY_SAML_SESSION_INDEX' => 'user_saml.samlSessionIndex',
+	];
+
+	public function __construct(
+		protected int $identityProviderId,
+		protected string $samlNameId,
+		protected string $samlNameIdFormat,
+		protected string $samlNameIdNameQualifier,
+		protected string $samlNameIdSPNameQualifier,
+		protected ?string $samlSessionIndex,
+	) {
+		if ($this->identityProviderId < 0) {
+			throw new \InvalidArgumentException('IdentityProviderId has to be a positive integer');
+		}
+	}
+
+	public function storeInSession(ISession $session): void {
+		foreach ($this->jsonSerialize() as $sessionKey => $value) {
+			$session->set($sessionKey, $value);
+		}
+	}
+
+	public function jsonSerialize(): array {
+		return [
+			self::KEY_IDENTITY_PROVIDER_ID => $this->identityProviderId,
+			self::KEY_SAML_NAME_ID => $this->samlNameId,
+			self::KEY_SAML_NAME_ID_FORMAT => $this->samlNameIdFormat,
+			self::KEY_SAML_NAME_ID_QUALIFIER => $this->samlNameIdNameQualifier,
+			self::KEY_SAML_NAME_ID_SP_QUALIFIER => $this->samlNameIdSPNameQualifier,
+			self::KEY_SAML_SESSION_INDEX => $this->samlSessionIndex,
+		];
+	}
+
+	public static function fromInputArray(array $rawData): self {
+		if (!isset($rawData[self::KEY_IDENTITY_PROVIDER_ID])) {
+			throw new \InvalidArgumentException('Expected and required Identity Provider ID is missing');
+		}
+
+		return new self(
+			$rawData[self::KEY_IDENTITY_PROVIDER_ID],
+			$rawData[self::KEY_SAML_NAME_ID] ?? '',
+			$rawData[self::KEY_SAML_NAME_ID_FORMAT] ?? '',
+			$rawData[self::KEY_SAML_NAME_ID_QUALIFIER] ?? '',
+			$rawData[self::KEY_SAML_NAME_ID_SP_QUALIFIER] ?? '',
+			$rawData[self::KEY_SAML_SESSION_INDEX] ?? null,
+		);
+	}
+
+	public static function fromSession(ISession $session): self {
+		$retrievedData = [];
+		foreach (self::SESSION_KEYS as $sessionKey) {
+			$value = $session->get($sessionKey);
+			if ($value === null) {
+				continue;
+			}
+			$retrievedData[$sessionKey] = $session->get($sessionKey);
+		}
+		return self::fromInputArray($retrievedData);
+	}
+
+	public function __toString(): string {
+		return \json_encode($this);
+	}
+}