[dev] Session timeouts and transparent authentication drivers
Jan Schneider
jan at horde.org
Fri May 14 21:37:07 UTC 2010
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Jan Schneider <jan at horde.org>:
>
>> While looking for a solution how to log out when using transparent
>> auth drivers, I discovered that we obviously don't use the
>> REASON_SESSION logout reason anymore, besides in the ajax endpoint.
>> Is that intentional, or an oversight?
>
> Sounds like an oversight.
>
>> Besides that, I'm still looking for how to best check whether
>> transparent authentication (or any authentication for that matter)
>> could be revoked. Currently, the user keeps logged in to Horde,
>> once he successfully logged in and the session doesn't time out.
>> There might be reasons to force a log out though. In this special
>> case, we need to log the user out of his horde session, as soon
>> as the transparent "reason" for logging him in is no longer valid.
>> E.g. if a shibboleth session has expired.
>> Any ideas how to best do this? Adding a checkExistingAuth() to
>> Horde_Auth_Base seems a good place for that.
>
> I would think we would want to mark the given Auth driver with a
> flag that indicates that authentication could be revoked - this
> would allow the backends that won't ever be revoked (i.e. a straight
> password login) to avoid the overhead of checking the auth on every
> access.

Isn't Horde_Auth::checkExistingAuth() called on every request anyway?
It does the IP/browser checks. If we define an empty
checkExistingAuth() in Horde_Auth_Base, it shouldn't be more overhead
to call this, than checking whether such a feature exists in the
current driver.

Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
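
The design discussed in this thread, sketched as an added example that is not part of the original message and is not Horde's code: a base driver with a no-op revalidation hook, a transparent driver that overrides it, and a per-request check that runs the hook after the IP/browser checks. All class names, the `EXAMPLE_SSO_SESSION` variable, the reason strings and the sample data are assumptions made for illustration.

```php
<?php
// Hypothetical classes for illustration; this is not the Horde_Auth API.
abstract class ExampleAuthBase
{
    // Revalidation hook. Drivers whose logins cannot be revoked
    // (e.g. a plain password login) inherit this no-op.
    public function checkExistingAuth(array $server): bool
    {
        return true;
    }
}

class ExamplePasswordAuth extends ExampleAuthBase
{
}

class ExampleTransparentAuth extends ExampleAuthBase
{
    private string $marker; // server variable set by the external SSO layer (assumed name)

    public function __construct(string $marker)
    {
        $this->marker = $marker;
    }

    // Fail closed: once the SSO layer stops exposing its session marker,
    // the transparent "reason" for the login is gone.
    public function checkExistingAuth(array $server): bool
    {
        return !empty($server[$this->marker]);
    }
}

// Returns null while the login is still valid, otherwise a logout reason.
function checkRequest(ExampleAuthBase $driver, array $session, array $server): ?string
{
    if ($session['ip'] !== ($server['REMOTE_ADDR'] ?? null)) { return 'ip'; }
    if ($session['browser'] !== ($server['HTTP_USER_AGENT'] ?? null)) { return 'browser'; }
    // One method call per request; a no-op unless the driver overrides it.
    return $driver->checkExistingAuth($server) ? null : 'session';
}

// Constructed sample data.
$session = ['ip' => '192.0.2.10', 'browser' => 'ExampleBrowser/1.0'];
$server = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'ExampleBrowser/1.0',
           'EXAMPLE_SSO_SESSION' => 'constructed-id'];
$sso = new ExampleTransparentAuth('EXAMPLE_SSO_SESSION');
var_dump(checkRequest($sso, $session, $server));                       // SSO session present
unset($server['EXAMPLE_SSO_SESSION']);                                 // SSO session expired
var_dump(checkRequest($sso, $session, $server));
var_dump(checkRequest(new ExamplePasswordAuth(), $session, $server));  // no-op hook
```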