[dev] Authentication session data cleaned by Kronolith
SSRI
ssri_abo at u-paris2.fr
Wed Jun 19 12:01:06 UTC 2013
>>>
>>>> Hi,
>>>>
>>>> In the _setAuth() function ( Horde/Core/Auth/Application.php ), Horde
>>>> destroys any existing PHP session on login. Using transparent
>>>> authentication, Horde authenticates correctly. But, when
>>>> Kronolith tries to authenticate, it destroys any existing PHP
>>>> session. However, we store our authentication status in PHP
>>>> session data, which is destroyed by Kronolith ...
>>>
>>> What does this have to do with Kronolith?
>>>
>>
>> Logs indicate that Kronolith is the application that executes this
>> part of _setAuth() after successful Horde/IMP authentication:
>>
>> /* Destroy any existing session on login and make sure to use a
>>  * new session ID, to avoid session fixation issues. */
>> if (($userId = $registry->getAuth()) === false) {
>>     $GLOBALS['session']->clean();
>>     $userId = $this->getCredential('userId');
>> }
>>
>>>> Is there a way to prevent Horde from destroying any existing PHP session data?
>>>
>>> How do you store this information in the session?
>>
>> $_SESSION inside a customized auth driver.
>
> This won't work, period. The session MUST be recreated after logging
> in for security reasons. You need to use Horde_Auth's options to set
> session credentials. You can add values to the authentication
> driver's $_credentials hash property, for example from inside the
> transparent() method, if your driver provides transparent
> authentication.
We already use Horde_Auth's options to set session credentials. The
problem arises with the validateAuth() function, which checks $_SESSION
variables set by the auth driver itself ( by verifying whether the external
auth is still valid or not ). Is it possible to prevent Horde from destroying
authentication information set by an auth driver? If not, does
the auth driver have to create a new session each time validateAuth() is
executed?
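The following driver sketch is an added illustration, not code from Horde or from this thread's authors. It shows the approach the reply above recommends, applied to the question just asked: the external-auth state is placed in the driver's credentials hash from transparent(), so it survives the session clean that _setAuth() performs after login (that clean is what defeats session fixation, so the driver must not rely on pre-login $_SESSION keys), and validateAuth() reads it back instead of checking private $_SESSION variables. Assumptions, all labelled in the code: the external SSO layer presents a ticket in a hypothetical `X-SSO-Ticket` request header, the hypothetical helpers `sso_ticket_is_valid()` and `sso_ticket_user()` re-check it and resolve the user, and the stored credential hash is read back on later requests through `$GLOBALS['registry']->getAuthCredential()`.

```php
<?php
/**
 * Example transparent-auth driver (added illustration, not Horde code).
 *
 * Everything the driver needs on later requests is stored with
 * setCredential(), never written directly into $_SESSION, so Horde can
 * safely discard the pre-login session and start a fresh one.
 */
class Horde_Auth_ExampleSso extends Horde_Auth_Base
{
    /**
     * Transparent authentication, run before any login screen is shown.
     * Returns true when the external SSO layer already authenticated the
     * user; Horde then calls _setAuth(), which cleans the session and
     * persists the credentials hash into the new one.
     */
    public function transparent()
    {
        // Hypothetical header carrying the external ticket.
        $ticket = isset($_SERVER['HTTP_X_SSO_TICKET'])
            ? $_SERVER['HTTP_X_SSO_TICKET']
            : null;

        // sso_ticket_is_valid() is an assumed helper that asks the SSO
        // service whether the ticket is still good.
        if ($ticket === null || !sso_ticket_is_valid($ticket)) {
            return false;
        }

        // sso_ticket_user() is an assumed helper mapping ticket -> user id.
        $this->setCredential('userId', sso_ticket_user($ticket));

        // Store the state in the credentials hash rather than in $_SESSION:
        // this is what Horde carries across the session regeneration.
        $this->setCredential('credentials', array(
            'sso_ticket' => $ticket,
        ));

        return true;
    }

    /**
     * Called on subsequent requests to check that the external auth is
     * still valid. Reads the ticket back from the stored credentials
     * (assumed to be exposed via Horde_Registry::getAuthCredential())
     * instead of from a driver-private $_SESSION key.
     */
    public function validateAuth()
    {
        $ticket = $GLOBALS['registry']->getAuthCredential('sso_ticket');
        if (empty($ticket)) {
            // No ticket stored: the login did not go through transparent().
            return false;
        }

        // Re-verify against the SSO service; a revoked ticket ends the
        // Horde session on the next request.
        return sso_ticket_is_valid($ticket);
    }

    /**
     * This driver offers no password login; only the transparent path
     * authenticates, so an explicit login attempt is rejected.
     */
    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception(
            'Password login is not supported; use transparent authentication.'
        );
    }
}
```

The design point is that the driver treats the credentials hash as its only durable state: anything it needs after login goes through setCredential() so that the session regeneration in _setAuth() can stay as it is, while validateAuth() still re-checks the external authority on every request.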