[dev] Authentication session data cleaned by Kronolith

SSRI ssri_abo at u-paris2.fr
Wed Jun 19 12:01:06 UTC 2013


>>>
>>>> Hi,
>>>>
>>>> In _setAuth() function ( Horde/Core/Auth/Application.php ), Horde  
>>>> destroys any existing php session on login. Using transparent  
>>>> authentication, Horde authenticates correctly. But, when  
>>>> Kronolith tries to authenticate, it destroys any existing php
>>>> session. However, we store our authentication status in php  
>>>> session data which is destroyed by Kronolith ...
>>>
>>> What does this have to do with Kronolith?
>>>
>>
>> Logs indicate that Kronolith is the application that executes this
>> part of _setAuth() after a successful Horde/IMP authentication:
>>
>>       /* Destroy any existing session on login and make sure to use a
>>        * new session ID, to avoid session fixation issues. */
>>       if (($userId = $registry->getAuth()) === false) {
>>           $GLOBALS['session']->clean();
>>           $userId = $this->getCredential('userId');
>>       }
>>
>>>> Is there a way to prevent Horde from destroying any existing php session data?
>>>
>>> How do you store this information in the session?
>>
>> $_SESSION inside a customized auth driver.
>
> This won't work period. The session MUST be recreated after logging  
> in for security reasons. You need to use Horde_Auth's options to set  
> session credentials. You can add values to the authentication  
> driver's $_credentials hash property for example, from inside the  
> transparent() method, if your driver provides transparent
> authentication.

We already use Horde_Auth's options to set session credentials. The
problem arises with the validateAuth() function, which checks $_SESSION
variables set by the auth driver itself (by verifying whether the external
auth is still valid or not). Is it possible to prevent Horde from destroying
authentication information set by an auth driver? If not, does the
auth driver have to create a new session each time validateAuth() is
executed?
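The login pattern the earlier reply describes (the session is reset at login and only the driver's credentials are re-stored afterwards, so anything written straight to $_SESSION before login is lost), as an added example written against plain PHP session functions rather than Horde's own classes. The ExampleAuthDriver class, the $_SESSION['auth'] key, the EXT_AUTH_EXPIRES server variable and the callable passed to validateAuth() are assumptions made for this example and are not Horde API.

```php
<?php
// Added example, not Horde's code. Shows why data written to $_SESSION
// before login does not survive the login-time session reset, and how a
// driver carries its state across that reset instead.
// Assumed names: ExampleAuthDriver, $_SESSION['auth'], EXT_AUTH_EXPIRES,
// the callable given to validateAuth(). The real Horde driver API differs.

final class ExampleAuthDriver
{
    /** Values the driver wants to keep across login (stand-in for the
     *  $_credentials hash mentioned in the thread). */
    private array $credentials = [];

    public function setCredential(string $name, $value): void
    {
        $this->credentials[$name] = $value;
    }

    /**
     * Transparent authentication: an external mechanism (SSO front end,
     * certificate, ...) already identified the user. Returns the user id
     * or null. Everything the driver needs later goes into
     * $this->credentials here, NOT into $_SESSION.
     */
    public function transparent(array $server): ?string
    {
        // Constructed input: assume a trusted front end sets REMOTE_USER
        // and an expiry timestamp for the external session.
        if (empty($server['REMOTE_USER'])) {
            return null;
        }
        $this->setCredential('userId', $server['REMOTE_USER']);
        $this->setCredential('extExpires', (int) ($server['EXT_AUTH_EXPIRES'] ?? 0));
        return $server['REMOTE_USER'];
    }

    /**
     * Login: wipe the pre-login session and issue a fresh id, so a session
     * id fixed before authentication or data left by a previous user cannot
     * be reused. Only then are the vouched-for credentials stored again.
     */
    public function login(string $userId): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION = [];                  // counterpart of the clean() call in the thread
        session_regenerate_id(true);     // new id; the old session file is deleted
        $_SESSION['auth'] = [
            'userId'      => $userId,
            'credentials' => $this->credentials,
            'loginTime'   => time(),
        ];
    }

    /**
     * Per-request check: read the post-login session back and ask the
     * external authority whether its session is still valid. No new PHP
     * session is created here; only a failed check ends the session.
     */
    public function validateAuth(callable $externalStillValid): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $auth = $_SESSION['auth'] ?? null;
        if ($auth === null || !$externalStillValid($auth['credentials'])) {
            $_SESSION = [];
            session_destroy();
            return false;
        }
        return true;
    }
}

// Usage: constructed server variables stand in for the front end.
$driver = new ExampleAuthDriver();
$userId = $driver->transparent([
    'REMOTE_USER'      => 'alice',
    'EXT_AUTH_EXPIRES' => time() + 600,
]);
if ($userId !== null) {
    $driver->login($userId);
    $stillValid = fn(array $cred): bool => $cred['extExpires'] > time();
    var_dump($driver->validateAuth($stillValid));
}
```

The point of the split is that validateAuth() never needs to create a session: it reads what login() stored after the reset, and the external-validity check runs against the credentials kept in that stored array rather than against $_SESSION keys written before login, which the reset removes.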