cedricAbonnel/folio
1
0
Fork 0
Code Issues 15 Pull Requests Actions Packages Projects Releases Wiki Activity

fix : gardes session OIDC + règle PHP-FPM www-data (v1.6.2)

Browse Source 
- oidc/start.php : arrêt immédiat (500) si session_start() échoue, évite
  un flux OIDC condamné à l'échec silencieux (ex. session.save_path absent)
- oidc/callback.php : même garde + error_log sur échec du contrôle de state
  pour faciliter le diagnostic (STATE absent/présent + session_id)
- consignes.md : règle PHP-FPM — toujours user=www-data, pas le compte admin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Cédric Abonnel
2026-05-15 14:34:39 +02:00
parent 7737edf402
commit 53dbce5bb0
5 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
public/oidc/callback.php
+8
View File
@@ -39,7 +39,15 @@ if (!$OIDC_ISSUER || !$OIDC_CLIENT_ID || !$OIDC_REDIRECT_URI) {
$tokenEndpoint = $OIDC_ISSUER . '/protocol/openid-connect/token';
$userInfoEndpoint = $OIDC_ISSUER . '/protocol/openid-connect/userinfo';
if (session_status() !== PHP_SESSION_ACTIVE) {
error_log('[OIDC/callback] session_start() a échoué — vérifier session.save_path');
http_response_code(500);
echo $debug ? 'Erreur de session (session.save_path inaccessible ?).' : 'Erreur interne.';
exit;
}
if (!isset($_GET['state'], $_SESSION['oidc_state']) || !hash_equals((string)$_SESSION['oidc_state'], (string)$_GET['state'])) {
error_log('[OIDC/callback] State invalide — GET:' . ($_GET['state'] ?? 'absent') . ' SESSION:' . (isset($_SESSION['oidc_state']) ? 'présent' : 'absent') . ' session_id:' . session_id());
http_response_code(400);
echo $debug ? 'State invalide.' : 'Requête invalide.';
exit;