FW: [dev] Single Sign-On

Thomas Fichtenbauer thomas.fichtenbauer@mamilade.at
Mon Nov 18 04:40:19 2002


> I assume that inner call should be $auth->transparent()?
> What you have there is infinite recursion.
Yes, true. $auth->transparent() is better.

> This adds a fair amount of overhead to Auth::getAuth(),
> unfortunately.
I know, and I did not like the thought either.

> Why don't you just have your PHP sessions expire after
> 30 minutes (or whatever your other auth system times
> out after)?

For example: The user logs into the Java application which has a
session timeout set to 30 minutes. The PHP-Session has its timeout
set to 30 minutes as well. After the login our user changes to Horde
and works there continuously for 35 minutes not touching the
Java app. By this time the session at Java is already destroyed.
The moment he touches any Java app. page he gets the
"Sorry, session expired" message.

So the PHP-session must expire much sooner. This is why I use 5
minutes. The timeout range the user may experience in any case
is 25 to 30 minutes then.

But your hint of simply letting the sessions expire will
probably work, as long as no user settings or other data
is stored in the session variables. To let the session
expire will change the cookie and reset all variables.
But this should be OK if all preferences are saved to the
backend database.

It would save overhead for the Auth::getAuth() call, however
I am not really happy with that. Is there a situation
where the user may lose other data?

Chuck, I just saw that I am writing to you directly, not to the
list. Fine with me, but would you prefer to discuss that on
the list?

thomas

-----Original Message-----
From: Chuck Hagenbuch [mailto:chuck@horde.org]
Sent: Monday, 18 November 2002 03:42
To: thomas.fichtenbauer@mamilade.at
Subject: RE: [dev] Single Sign-On


Quoting Thomas Fichtenbauer <thomas.fichtenbauer@mamilade.at>:

> I would suggest something like:
>
>     function getAuth()
>     {
>         global $conf;
>         $auth = &Auth::singleton($conf['auth']['driver']);
>         if ($auth->hasCapability('transparent')) {
>             $auth->getAuth();
>         }
>
>         if (array_key_exists('__auth', $_SESSION)) {
>             if (!empty($_SESSION['__auth']['authenticated']) &&
>                 !empty($_SESSION['__auth']['userID'])) {
>                 return $_SESSION['__auth']['userID'];
>             }
>         }
>
>         return false;
>     }
>
> This way the auth-extension is free to handle all the checks
> needed, including the timeout issues. And the code in Auth.php
> is simple enough for all the others not to make mistakes.
>
> What do you think? Would you accept such a change?

I assume that inner call should be $auth->transparent()? What you have there
is infinite recursion.

This adds a fair amount of overhead to Auth::getAuth(), unfortunately. Why
don't you just have your PHP sessions expire after 30 minutes (or whatever
your other auth system times out after)?

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"People ask me all the time what it will be like living without otters."
 - Google, thanks to Harpers
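Added illustration, not Horde's code and not the code from either message above: one way to implement the getAuth()/transparent() split discussed in the thread without the recursion Chuck points out and without a backend round trip on every Auth::getAuth() call. The driver re-validates against the external SSO only every 5 minutes (the interval Thomas uses); the `checkRemote` callback and the `checked` timestamp are assumptions.

```php
<?php
// Re-check the external (e.g. Java) session at most every 5 minutes (assumed
// value from the discussion). While the user is active in Horde this keeps the
// remote session alive, so the effective timeout stays at 25-30 minutes.
define('REAUTH_INTERVAL', 300);

class Auth_sso
{
    // Hypothetical hook: asks the external SSO whether the browser's
    // credential is still valid and returns the user id, or false.
    var $checkRemote;

    function __construct($checkRemote) { $this->checkRemote = $checkRemote; }

    function hasCapability($cap) { return $cap == 'transparent'; }

    // Called from getAuth(); must never call getAuth() itself (no recursion).
    function transparent()
    {
        $a = isset($_SESSION['__auth']) ? $_SESSION['__auth'] : array();
        // Recently validated local session: trust it, skip the remote call.
        if (!empty($a['authenticated']) && !empty($a['userID']) &&
            isset($a['checked']) && time() - $a['checked'] < REAUTH_INTERVAL) {
            return true;
        }
        $user = call_user_func($this->checkRemote);
        if ($user === false) {
            // Remote session expired: drop the local one too, so the user is
            // logged out here at the same time as in the other application.
            unset($_SESSION['__auth']);
            return false;
        }
        $_SESSION['__auth'] = array('authenticated' => true,
                                    'userID' => $user,
                                    'checked' => time());
        return true;
    }
}

// Cheap caller: the driver decides whether a remote check is due.
function getAuth($auth)
{
    if ($auth->hasCapability('transparent')) {
        $auth->transparent();
    }
    if (!empty($_SESSION['__auth']['authenticated']) &&
        !empty($_SESSION['__auth']['userID'])) {
        return $_SESSION['__auth']['userID'];
    }
    return false;
}
```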


