[Tickets #9438] Re: authentication fails via syncml
bugs at horde.org
Mon Mar 7 15:35:21 UTC 2011
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/9438
------------------------------------------------------------------------------
Ticket | 9438
Updated By | logan.owen at gmail.com
Summary | authentication fails via syncml
Queue | Synchronization
Version | Git master
Type | Bug
State | Feedback
Priority | 2. Medium
Milestone | 4.0
Patch | 1
Owners | Jan Schneider
------------------------------------------------------------------------------
logan.owen at gmail.com (2011-03-07 15:35) wrote:

Jan,

We still need the change to _checkAuthentication(). The reason for it
is in the patch I sent, but basically the Horde authentication backend
creates a new session id upon successful authentication. This is
standard good practice to avoid "session fixation", but unfortunately
SyncML relies on session fixation, because the client specifies the
session id, and the server has no way to request a new id.

So, you have to store the session id before authentication and reset
it after, unless you want to update the authentication backend to add
a parameter to suppress session regeneration.

-- Logan
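
The failure and the workaround described in the message above, as an added Python model that is not part of the original ticket or of Horde's code. The class, the function names, the session id and the credentials are hypothetical and constructed for illustration.

```python
import secrets

USERS = {"alice": "constructed-password"}  # constructed credentials


class SessionStore:
    """Server-side session table: session id -> session data (model only)."""

    def __init__(self):
        self.sessions = {}

    def start(self, sid):
        # SyncML: the client names the session id and the server adopts it.
        return self.sessions.setdefault(sid, {"user": None})

    def move(self, old_sid, new_sid):
        self.sessions[new_sid] = self.sessions.pop(old_sid)
        return new_sid


def backend_authenticate(store, sid, user, password):
    """Hypothetical auth backend: on success it rotates the session id."""
    if not secrets.compare_digest(USERS.get(user, ""), password):
        return None
    new_sid = store.move(sid, secrets.token_hex(16))  # anti-fixation step
    store.sessions[new_sid]["user"] = user
    return new_sid


def check_authentication(store, client_sid, user, password, keep_client_sid):
    """Authenticate one SyncML message; optionally restore the client's id."""
    store.start(client_sid)
    current_sid = backend_authenticate(store, client_sid, user, password)
    if current_sid is None:
        return False
    if keep_client_sid:
        # Workaround from the message: store the id before, reset it after.
        store.move(current_sid, client_sid)
    return True


def user_seen_on_next_message(keep_client_sid, password="constructed-password"):
    """Message 1 logs in; message 2 arrives with the same client-chosen id."""
    store = SessionStore()
    client_sid = "syncml-session-1"  # constructed id chosen by the client
    check_authentication(store, client_sid, "alice", password, keep_client_sid)
    return store.start(client_sid)["user"]


if __name__ == "__main__":
    print("without restore:", user_seen_on_next_message(False))
    print("with restore:   ", user_seen_on_next_message(True))
```

In this model the backend still rotates the id for every caller; only the SyncML path moves the authenticated session back to the id the client supplied.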