Merge pull request #429 from matomo-org/fix-webserver-auth-token-reload

Creating session fingerprint on successful web server authentication

Author: AltamashShaikh

Auth/WebServerAuth.php

@@ -18,6 +18,8 @@
 use Piwik\Plugins\LoginLdap\Model\LdapUsers;
 use Piwik\Plugins\UsersManager\API as UsersManagerAPI;
 use Piwik\Plugins\UsersManager\Model as UserModel;
+use Piwik\Session;
+use Piwik\Session\SessionFingerprint;
 
 /**
  * Auth implementation that assumes the web server that hosts Piwik has authenticated
@@ -85,7 +87,10 @@ public function authenticate()
                     ));
                 }
 
-                return $this->makeSuccessLogin($this->getUserForLogin());
+                $result = $this->makeSuccessLogin($this->getUserForLogin());
+                $this->initializeSessionFingerprint($result);
+
+                return $result;
             }
         } catch (ConnectionException $ex) {
             throw $ex;
@@ -157,6 +162,28 @@ private function synchronizeLoggedInUser()
         $this->synchronizeLdapUser($ldapUser);
     }
 
+    private function initializeSessionFingerprint(AuthResult $authResult): void
+    {
+        if (!Session::isSessionStarted() || !Session::isWritable()) {
+            return;
+        }
+
+        $sessionFingerprint = new SessionFingerprint();
+        $isSameUser = $sessionFingerprint->getUser() === $authResult->getIdentity();
+        $hasVerifiedTwoFactor = $isSameUser && $sessionFingerprint->hasVerifiedTwoFactor();
+
+        Session::regenerateId();
+
+        $sessionFingerprint->initialize(
+            $authResult->getIdentity(),
+            $authResult->getTokenAuth()
+        );
+
+        if ($hasVerifiedTwoFactor) {
+            $sessionFingerprint->setTwoFactorAuthenticationVerified();
+        }
+    }
+
     /**
      * Returns a WebServerAuth instance configured with INI config.
      *

CHANGELOG.md

@@ -1,5 +1,8 @@
 # LoginLdap Changelog
 
+#### LoginLdap 5.1.8 - 2026-03-30
+* Updated API documentation
+
 #### LoginLdap 5.1.7 - 2026-03-02
 * Updated API documentation
 

plugin.json

@@ -1,6 +1,6 @@
 {
     "name": "LoginLdap",
-    "version": "5.1.7",
+    "version": "5.1.8",
     "description": "LDAP authentication and synchronization for Matomo.",
     "theme": false,
     "keywords": ["ldap", "login", "authentication", "active", "directory", "kerberos", "sso"],

tests/Integration/WebServerAuthTest.php

@@ -14,6 +14,9 @@
 use Piwik\Config;
 use Piwik\Plugins\LoginLdap\Auth\WebServerAuth;
 use Piwik\Plugins\UsersManager\API as UsersManagerAPI;
+use Piwik\Session;
+use Piwik\Session\SessionAuth;
+use Piwik\Session\SessionFingerprint;
 
 /**
  * @group LoginLdap
@@ -166,4 +169,33 @@ public function test_WebServerAuth_Fails_IfDomainNotStrippedCorrectly()
         $authResult = $ldapAuth->authenticate();
         $this->assertEquals(AuthResult::FAILURE, $authResult->getCode());
     }
+
+    /**
+     * @runInSeparateProcess
+     */
+    public function test_WebServerAuth_CreatesReusableAuthenticatedSession()
+    {
+        Config::getInstance()->LoginLdap['use_webserver_auth'] = 1;
+
+        Session::start();
+        $originalSessionId = session_id();
+
+        $_SERVER['REMOTE_USER'] = self::TEST_LOGIN;
+
+        $ldapAuth = WebServerAuth::makeConfigured();
+        $authResult = $ldapAuth->authenticate();
+
+        $this->assertEquals(AuthResult::SUCCESS, $authResult->getCode());
+        $this->assertNotSame($originalSessionId, session_id());
+
+        $sessionFingerprint = new SessionFingerprint();
+        $this->assertEquals(self::TEST_LOGIN, $sessionFingerprint->getUser());
+        $this->assertSame($authResult->getTokenAuth(), $sessionFingerprint->getSessionTokenAuth());
+
+        $sessionAuth = new SessionAuth(null, false);
+        $sessionAuthResult = $sessionAuth->authenticate();
+
+        $this->assertEquals(AuthResult::SUCCESS, $sessionAuthResult->getCode());
+        $this->assertSame(self::TEST_LOGIN, $sessionAuthResult->getIdentity());
+    }
 }