FW: [dev] Single Sign-On
Thomas Fichtenbauer
thomas.fichtenbauer@mamilade.at
Mon Nov 18 04:39:25 2002
> It is for backends suth as Auth_ipbasic and Auth_http that use
> existing authentication to transparently log a user on to Horde.
Great work - this is very close to what I implemented yesterday.
If I had seen your new Auth.php I would have saved 5 days
of work (my fault). However, good to be confirmed that you think
very similar. I had doubts if you would ever accept changes in
Auth.php since it is a very basic script.
But there is still a feature missing I need for our
implementation: the timeout. The current Auth::getAuth() is:
function getAuth()
{
if (array_key_exists('__auth', $_SESSION)) {
if (!empty($_SESSION['__auth']['authenticated']) &&
!empty($_SESSION['__auth']['userID'])) {
return $_SESSION['__auth']['userID'];
}
}
// Try transparent authentication now.
global $conf;
$auth = &Auth::singleton($conf['auth']['driver']);
if ($auth->hasCapability('transparent') &&
$auth->transparent()) {
return $_SESSION['__auth']['userID'];
}
return false;
}
This is good for a one-time logon. So for example: if the user
is logged into System A and now changes to Horde, then Horde will
check for $auth->transparent() (assuming the appropriate Auth-
extension is set) to log into Horde the first time. From now on
each call to Auth::getAuth() is answered using the session
variables without touching the extension.
The problem is: we have a timeout for the session maintained in
the leading non-Horde (Java) application (set to 30 minutes, but
this is not important). So if our visitor is using Horde for more
than 30 minutes and then calls a page of the Java application
she/he will be redirected to the login screen.
The way I have solved it is to use another call to the
authentication instance to check for a Horde-validation-timeout
each time Auth::getAuth() is called. This opens a way to touch
the Java-session periodically (think of 5 minutes or so)
and that way keep the timeout there up to date.
To follow up on the code-example above this would look
something like:
function getAuth()
{
$auth = /* create auth instance here */
if (array_key_exists('__auth', $_SESSION) $$
!$auth->checkTimeout()) {
if (!empty($_SESSION['__auth']['authenticated']) &&
!empty($_SESSION['__auth']['userID'])) {
return $_SESSION['__auth']['userID'];
}
}
// Try transparent authentication now.
if ($auth->transparent()) {
return $_SESSION['__auth']['userID'];
}
return false;
}
Something like this is good for an application where
transparent authentication is used *all the time*. But I would
not accept it into the main source tree: too error-prone for
most users.
I would suggest something like:
function getAuth()
{
global $conf;
$auth = &Auth::singleton($conf['auth']['driver']);
if ($auth->hasCapability('transparent') {
$auth->getAuth();
}
if (array_key_exists('__auth', $_SESSION)) {
if (!empty($_SESSION['__auth']['authenticated']) &&
!empty($_SESSION['__auth']['userID'])) {
return $_SESSION['__auth']['userID'];
}
}
return false;
}
This way the auth-extension is free to handle all the checks
needed, including the timeout issues. And the code in Auth.php
is simple enough for all the others not to make mistakes.
What do you think? Would you accept such a change?
thomas
thomas.fichtenbauer@mamilade.at
-----Original Message-----
From: dev-bounces@lists.horde.org [mailto:dev-bounces@lists.horde.org]On
Behalf Of Chuck Hagenbuch
Sent: Samstag, 16. November 2002 18:00
To: dev@lists.horde.org
Subject: Re: [dev] Single Sign-On
Quoting Thomas Fichtenbauer <thomas.fichtenbauer@mamilade.at>:
> My question: there is a parameter called 'transparent' in the Auth.php
> $capabilities array. What was the intended use of it?
It is for backends suth as Auth_ipbasic and Auth_http that use existing
authentication to transparently log a user on to Horde. See those two for
examples.
-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"People ask me all the time what it will be like living without otters."
- Google, thanks to Harpers
--
Horde developers mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: dev-unsubscribe@lists.horde.org
More information about the dev
mailing list