SilverStripe\SAML\Control\SAMLController::checkForReplayAttack
If processing reaches here, the SAML response has already been validated and the user authenticated, but the response may still be one that must not be accepted. We first need to confirm that it is not a SAML replay attack (an attacker capturing the raw response, for example from a compromised device or network path, and re-submitting the same SAML response).
To combat this, we store SAML response IDs for as long as the response is valid (plus a configurable offset to account for clock skew between the IdP and this server). If the ID has been seen before, we log an error message and return true, indicating that this specific request is a replay attack. If no replay attack is detected, the response ID is recorded so that any later submission of the same response is blocked.
Signature
protected function checkForReplayAttack(Auth $auth, [string $uniqueErrorId = ''])
Parameters
$auth (OneLogin\Saml2\Auth): The Auth object that includes the processed response
$uniqueErrorId (string): The error code to use when logging error messages for this given error
Returns
bool: true if this response is a replay attack, false if it is the first time we have seen the ID
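Worked example of the replay-ID store the description above relies on. This is an added illustration, not the SilverStripe SAML module's own implementation: the class name ReplayIdStore, the method isReplay(), the 300 second default skew and the sample IDs and timestamps are all assumed. In the real controller the response ID and NotOnOrAfter value would be read from the $auth object (php-saml's Auth::getLastMessageId() and Auth::getLastAssertionNotOnOrAfter() are the accessors assumed here); the example takes them as plain arguments so it runs offline on PHP 8 with no dependencies.

```php
<?php
declare(strict_types=1);

// Added example, not the SilverStripe SAML module's own code.
// Minimal replay-ID store of the kind the method description describes: an ID is
// remembered until the response it belongs to has expired (NotOnOrAfter) plus a
// skew allowance, and a second sighting inside that window is treated as a replay.
// Assumed names: ReplayIdStore, isReplay(); the 300 s default skew is assumed too.

final class ReplayIdStore
{
    /** @var array<string,int> response ID => Unix time at which the entry can be dropped */
    private array $seen = [];

    public function __construct(private int $skewSeconds = 300)
    {
    }

    /**
     * Returns true if $responseId has already been accepted (a replay); otherwise
     * records it and returns false.  $notOnOrAfter is the response's NotOnOrAfter
     * as a Unix timestamp; $now is injected so the behaviour is reproducible.
     * Call this only after signature and validity checks have passed, so that
     * unsigned junk submitted by an attacker cannot fill the store.
     */
    public function isReplay(string $responseId, int $notOnOrAfter, int $now, string $uniqueErrorId = ''): bool
    {
        $this->purgeExpired($now);

        if (isset($this->seen[$responseId])) {
            error_log(sprintf('[%s] SAML replay detected: response ID %s seen again', $uniqueErrorId, $responseId));
            return true;
        }

        // Keep the ID for the response's remaining validity plus skew.  A copy
        // submitted after that is rejected by the NotOnOrAfter check instead, so
        // nothing is gained by holding the ID any longer.
        $this->seen[$responseId] = $notOnOrAfter + $this->skewSeconds;
        return false;
    }

    /** Drop entries whose response can no longer be valid even allowing for skew. */
    private function purgeExpired(int $now): void
    {
        foreach ($this->seen as $id => $dropAt) {
            if ($dropAt <= $now) {
                unset($this->seen[$id]);
            }
        }
    }

    public function count(): int
    {
        return count($this->seen);
    }
}

// Constructed walkthrough with a fixed clock (all values below are made up).
$now = 1700000000;                // constructed "current time"
$notOnOrAfter = $now + 600;       // constructed NotOnOrAfter, ten minutes ahead
$store = new ReplayIdStore(skewSeconds: 300);

// Constructed response IDs; real ones are random strings generated by the IdP.
$first = '_9f1e7c2d3b4a5f6e7d8c9b0a1f2e3d4c';
$other = '_0a1b2c3d4e5f60718293a4b5c6d7e8f9';

var_dump($store->isReplay($first, $notOnOrAfter, $now, 'demo'));        // first sighting: recorded, not a replay
var_dump($store->isReplay($first, $notOnOrAfter, $now + 30, 'demo'));   // same ID again inside the window: replay
var_dump($store->isReplay($other, $notOnOrAfter, $now + 30, 'demo'));   // different ID: not a replay

// After NotOnOrAfter + skew the entries are purged on the next call.  The
// response itself is no longer valid by then, so this does not reopen the window.
var_dump($store->isReplay($first, $notOnOrAfter, $notOnOrAfter + 301, 'demo'));
echo $store->count(), PHP_EOL;   // only the entry just recorded survives the purge
```

Two points matter when turning this into a production store. The map must live somewhere shared by every web node that can receive the ACS POST (a database table or a shared cache), because an in-process array lets the same response be replayed once against each node. And the check must stay after signature validation, as the description assumes: if it ran first, any unauthenticated POST could plant IDs in the store.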