[dev] Session timeouts and transparent authentication drivers
Michael M Slusarz
slusarz at horde.org
Fri May 14 18:09:40 UTC 2010
Quoting Jan Schneider <jan at horde.org>:
> While looking for a solution for how to log out when using transparent
> auth drivers, I discovered that we obviously don't use the
> REASON_SESSION logout reason anymore, besides in the ajax endpoint.
> Is that intentional, or an oversight?
Sounds like an oversight.
> Besides that, I'm still looking for how to best check whether
> transparent authentication (or any authentication for that matter)
> could be revoked. Currently, the user stays logged in to Horde once
> he has successfully logged in and the session doesn't time out. There
> might be reasons to force a logout though. In this special case, we
> need to log the user out of his Horde session as soon as the
> transparent "reason" for logging him in is no longer valid, e.g. if
> a Shibboleth session has expired.
> Any ideas how to best do this? Adding a checkExistingAuth() to
> Horde_Auth_Base seems a good place for that.
I would think we would want to mark the given Auth driver with a flag
that indicates that authentication could be revoked - this would allow
the backends that won't ever be revoked (i.e. a straight password
login) to avoid the overhead of checking the auth on every access.
michael
--
___________________________________
Michael Slusarz [slusarz at horde.org]
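
The design discussed in this thread, as an added example that is not part of the original message and is not Horde code: a driver-level "revocable" flag gates a per-request call to a checkExistingAuth() hook, so a plain password driver skips the re-check. All class names, the `SSO_SESSION_ID` key and the `REASON_REVOKED` label are hypothetical; requires PHP 8.

```php
<?php
// Hypothetical sketch; none of these classes are Horde's own API.
abstract class AuthDriverSketch
{
    /** True when the login can become invalid while the session is alive. */
    protected bool $revocable = false;

    public function isRevocable(): bool
    {
        return $this->revocable;
    }

    /** Re-check an established login; revocable drivers override this. */
    public function checkExistingAuth(): bool
    {
        return true;
    }
}

final class PasswordDriverSketch extends AuthDriverSketch
{
}

final class TransparentDriverSketch extends AuthDriverSketch
{
    protected bool $revocable = true;

    /** @param array $env request environment, e.g. $_SERVER */
    public function __construct(private array $env) {}

    public function checkExistingAuth(): bool
    {
        // Assumption: the SSO layer exports its session id under this
        // (made-up) key and drops it once the upstream session expires.
        return !empty($this->env['SSO_SESSION_ID']);
    }
}

/** Returns null when the session may continue, otherwise a logout reason. */
function validateSession(AuthDriverSketch $driver, array &$session, int $now, int $maxIdle): ?string
{
    if ($now - $session['last_seen'] > $maxIdle) {
        return 'REASON_SESSION';   // idle timeout, checked for every driver
    }
    // Only drivers flagged as revocable pay for the per-request re-check.
    if ($driver->isRevocable() && !$driver->checkExistingAuth()) {
        return 'REASON_REVOKED';   // hypothetical reason label
    }
    $session['last_seen'] = $now;
    return null;
}

$session = ['last_seen' => 1000];  // constructed sample data
var_dump(validateSession(new PasswordDriverSketch(), $session, 1060, 900));
var_dump(validateSession(new TransparentDriverSketch([]), $session, 1120, 900));
```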