[horde] Session expiration when IP is changing

Anton Köstlbacher horde3 at dingsbums.org
Thu Jan 16 12:38:08 UTC 2014


On 15.01.2014 16:24, Michael J Rubinsky wrote:
>
> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>
>> On 13.01.2014 20:33, Michael M Slusarz wrote:
>>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>>
>>>> On 29.10.2013 21:50, Michael M Slusarz wrote:
>>>>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>>>>
>>>>>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> the behaviour when my dynamic IP address changes at midnight has
>>>>>>> changed. I'm using Horde Groupware 5.1.2.
>>>>>>>
>>>>>>> I always had $conf[auth][checkip] enabled and it did log me out
>>>>>>> correctly. Now AJAX requests are still executed (like refreshing the
>>>>>>> mailbox pane), even after my IP changed. Horde only logs me out,
>>>>>>> when
>>>>>>> I click on a link which reloads the page completely.
>>>>>>>
>>>>>>> Can anyone confirm this?
>>>>>>
>>>>>> Yes.  This commit broke all permission/authentication valid checks
>>>>>> for
>>>>>> AJAX (by broke I mean these no longer are done on an AJAX request):
>>>>>>
>>>>>> commit 9664382ee6550dd91db57c713de1b85bde630576
>>>>>> Author: Ralf Lang <lang at b1-systems.de>
>>>>>> Date:   Fri Aug 16 06:46:26 2013 +0200
>>>>>>
>>>>>>   fix broken unauthenticated calls for $_external handler methods
>>>>>>   For all other handler methods, ajax.php does checking for the
>>>>>> session key later on
>>>>>>
>>>>>> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
>>>>>> index 601fb9a..c8070ce 100644
>>>>>> --- a/horde/services/ajax.php
>>>>>> +++ b/horde/services/ajax.php
>>>>>> @@ -30,7 +30,7 @@ if (empty($action)) {
>>>>>> }
>>>>>>
>>>>>> try {
>>>>>> -    Horde_Registry::appInit($app);
>>>>>> +    Horde_Registry::appInit($app, array('authentication' =>
>>>>>> 'none'));
>>>>>> } catch (Horde_Exception_AuthenticationFailure $e) {
>>>>>>    $response = new
>>>>>> Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>>>>>>    $response->sendAndExit();
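Review bot: passing `'authentication' => 'none'` on every request makes `Horde_Registry::appInit()` stop raising `Horde_Exception_AuthenticationFailure` for an expired or IP-mismatched session, so the `catch` that sends `Horde_Core_Ajax_Response_HordeCore_SessionTimeout` is effectively unreachable and the full authentication validation (including `$conf[auth][checkip]`, as the report above shows) is skipped for all AJAX actions, not only the `$_external` ones; the session-key check mentioned in the commit message is not a substitute for it. Keep the authenticated `Horde_Registry::appInit($app);` as the default and fall back to `'authentication' => 'none'` only when that fails and the requested action is an `$_external` handler method, which is the approach proposed later in this same message.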
>>>>>>
>>>>>>
>>>>>> There's a chicken/egg problem here, since we can't check whether the
>>>>>> given AJAX action is an allowable non-authenticated action or not
>>>>>> until Horde is initialized.
>>>>>>
>>>>>> I notice that RPC calls (rpc.php) use a technique whereby they
>>>>>> switch
>>>>>> authentication state halfway through the script.  But that is VERY
>>>>>> undesirable, since it requires the entire registry cache to be
>>>>>> reinitialized (including autoloading), which is a heavy load for AJAX
>>>>>> requests - since most WILL require authentication.
>>>>>>
>>>>>> So we need a different solution.  I'm thinking we try to initialize
>>>>>> the app with authentication.  If that fails, we fall back to a
>>>>>> non-authenticated access.  Later, the latter will only allow calls to
>>>>>> externally-defined AJAX requests or else it will error out.
>>>>>
>>>>> This is fixed with Horde 5.1.6/Horde_Core 2.11.0
>>>>>
>>>>> michael
>>>>>
>>>>> ___________________________________
>>>>> Michael Slusarz [slusarz at horde.org]
>>>>>
>>>>
>>>> Hi Michael,
>>>>
>>>> the problem still exists with Horde 5.1.5/Horde_Core 2.11.1. I would
>>>> consider this a quite severe security issue. What is your schedule for
>>>> the fix? Thanks in advance!
>>>
>>> Works fine here.
>>>
>>> michael
>>>
>>> ___________________________________
>>> Michael Slusarz [slusarz at horde.org]
>>>
>>
>> Hi Michael,
>>
>> for me AJAX requests still work although my IP has changed after
>> authentication. This shouldn't be the case with $conf[auth][checkip]
>> enabled. What could be wrong? Horde Webmail is up to date.
>
> Can you provide an example as to which Ajax requests are still working?

Load arbitrary mail in bottom pane:
https://www.webmail.zz/webmail/services/ajax.php/imp/showMessage

Scroll down in top pane or search:
https://www.webmail.zz/webmail/services/ajax.php/imp/viewPort

Refresh Folderlist:
https://www.webmail.zz/webmail/services/ajax.php/imp/listMailboxes

Refresh top pane (automatic refresh of the top pane also works):
https://www.webmail.zz/webmail/services/ajax.php/imp/poll
https://www.webmail.zz/webmail/services/ajax.php/horde/topbarUpdate

Afterwards I reloaded the page to prove that the session really had
expired. As expected I was redirected to the login screen.
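Added example, not code from this thread or from Horde: a small Python model of the two AJAX dispatch designs discussed above (the quoted commit's `'authentication' => 'none'` path, which only checks the session key, versus the "try authenticated, fall back to unauthenticated for external actions" proposal), showing why a session-key check alone does not enforce `$conf[auth][checkip]`. The action names are the ones listed in this message; the `EXTERNAL_ACTIONS` entry, the session key and all IP addresses are constructed placeholders.

```python
from dataclasses import dataclass


class AuthenticationFailure(Exception):
    """Stands in for Horde_Exception_AuthenticationFailure."""


@dataclass
class Session:
    key: str   # session key the client presents on each request
    user: str
    ip: str    # client IP recorded at login (what checkip compares against)


# Hypothetical registry of $_external handler methods that may run without
# an authenticated session. The name is a constructed placeholder.
EXTERNAL_ACTIONS = {"horde/externalPlaceholder"}


def validate_session(session, request_ip, session_key, checkip=True):
    """Full authentication check: valid session key AND, with checkip on,
    the request must come from the IP the session was bound to at login."""
    if session is None or session_key != session.key:
        raise AuthenticationFailure("no valid session")
    if checkip and request_ip != session.ip:
        raise AuthenticationFailure("client IP changed since login")
    return session.user


def dispatch_broken(action, session, request_ip, session_key):
    """Behaviour after the quoted commit: init with authentication 'none',
    then only a session-key check, so an IP change is never noticed."""
    if session is None or session_key != session.key:
        return ("sessionTimeout", None)
    return ("ok", action)           # served even though request_ip moved


def dispatch_fixed(action, session, request_ip, session_key, checkip=True):
    """Proposal from the thread: attempt authenticated init first; on failure
    fall back to unauthenticated access that serves external actions only."""
    try:
        validate_session(session, request_ip, session_key, checkip)
        return ("ok", action)
    except AuthenticationFailure:
        if action in EXTERNAL_ACTIONS:
            return ("ok-unauthenticated", action)
        return ("sessionTimeout", None)   # AJAX client is told to re-login


if __name__ == "__main__":
    s = Session(key="k1", user="anton", ip="203.0.113.10")   # constructed
    for act in ("imp/showMessage", "imp/viewPort", "imp/listMailboxes"):
        print(act, dispatch_broken(act, s, "198.51.100.7", "k1"),
              dispatch_fixed(act, s, "198.51.100.7", "k1"))
```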