[dev] Authentication session data cleaned by Kronolith
Jan Schneider
jan at horde.org
Mon Jun 17 14:37:29 UTC 2013
Quoting SSRI <ssri_abo at u-paris2.fr>:
> Jan Schneider <jan at horde.org> wrote:
>
>> Quoting SSRI <ssri_abo at u-paris2.fr>:
>>
>>> Hi,
>>>
>>> In the _setAuth() function (Horde/Core/Auth/Application.php), Horde
>>> destroys any existing PHP session on login. Using transparent
>>> authentication, Horde authenticates correctly. But when Kronolith
>>> tries to authenticate, it destroys any existing PHP session.
>>> However, we store our authentication status in PHP session data,
>>> which is destroyed by Kronolith ...
>>
>> What does this have to do with Kronolith?
>>
>
> Logs indicate that Kronolith is the application that executes this
> part of _setAuth() after a successful Horde/IMP authentication:
>
> /* Destroy any existing session on login and make sure to use a
>  * new session ID, to avoid session fixation issues. */
> if (($userId = $registry->getAuth()) === false) {
>     $GLOBALS['session']->clean();
>     $userId = $this->getCredential('userId');
> }
>
>>> Is there a way to stop Horde from destroying any existing PHP session data?
>>
>> How do you store this information in the session?
>
> $_SESSION inside a customized auth driver.
This won't work, period. The session MUST be recreated after logging in
for security reasons. You need to use Horde_Auth's options to set
session credentials. You can add values to the authentication driver's
$_credentials hash property, for example from inside the transparent()
method, if your driver provides transparent authentication.
--
Jan Schneider
The Horde Project
http://www.horde.org/
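As an added illustration of the approach described above (example code, not from this thread or from Horde itself): a transparent authentication driver that keeps its login state in the driver's $_credentials hash instead of $_SESSION, so the values are carried into the fresh session that _setAuth() creates. It assumes the Horde_Auth_Base API ($_credentials, transparent(), _authenticate()); the class name, the `sso_status`/`sso_login_time` keys and the REMOTE_USER lookup are placeholders.

```php
<?php
/**
 * Constructed example (not Horde's own code): a transparent Horde_Auth
 * driver that keeps its login state in $_credentials, not in $_SESSION.
 * Assumes the Horde_Auth_Base API; the SSO lookup is a placeholder.
 */
class Horde_Auth_Example extends Horde_Auth_Base
{
    /**
     * Runs before the login screen. Returning true lets the Horde core
     * driver copy $_credentials and call _setAuth(), which recreates the
     * session (against fixation) and stores these values in the new one.
     */
    public function transparent()
    {
        $userId = $this->_lookupSsoUser();
        if ($userId === null) {
            return false;
        }

        // Nothing written to $_SESSION here survives _setAuth(); values
        // placed in the credentials hash do.
        $this->_credentials['userId'] = $userId;
        $this->_credentials['credentials']['sso_status'] = 'authenticated';
        $this->_credentials['credentials']['sso_login_time'] = time();

        return true;
    }

    /**
     * Password logins are not supported by this driver.
     */
    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception('Transparent authentication only.');
    }

    /**
     * Placeholder for the site's own SSO check: here a REMOTE_USER set by
     * a trusted front end. Returns the user id, or null if not logged in.
     */
    protected function _lookupSsoUser()
    {
        return empty($_SERVER['REMOTE_USER'])
            ? null
            : $_SERVER['REMOTE_USER'];
    }
}
```

After login, the stored values are read back through the registry (assumed here to be $GLOBALS['registry']->getAuthCredential('sso_status')) rather than from $_SESSION.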