[dev] Authentication session data cleaned by Kronolith
SSRI
ssri_abo at u-paris2.fr
Thu Jun 20 12:39:14 UTC 2013
>>>>> Hi,
>>>>>
>>>>> In _setAuth() function ( Horde/Core/Auth/Application.php ),
>>>>> Horde destroys any existing php session on login. Using
>>>>> transparent authentication, Horde authenticates correctly. But,
>>>>> when Kronolith try to authenticate, it destroys any existing php
>>>>> session. However, we store our authentication status in php
>>>>> session data which is destroyed by Kronolith ...
>>>>
>>>> What does this have to do with Kronolith?
>>>>
>>>
>>> Logs indicate that Kronolith is the application that executes
>>> this part of the _setAuth() calls after successful Horde/IMP
>>> authentication:
>>>
>>> /* Destroy any existing session on login and make sure to use a
>>>  * new session ID, to avoid session fixation issues. */
>>> if (($userId = $registry->getAuth()) === false) {
>>>     $GLOBALS['session']->clean();
>>>     $userId = $this->getCredential('userId');
>>> }
>>>
>>>>> Is there a way to prevent Horde from destroying any existing php session data?
>>>>
>>>> How do you store this information in the session?
>>>
>>> $_SESSION inside a customized auth driver.
>>
>> This won't work, period. The session MUST be recreated after logging
>> in for security reasons. You need to use Horde_Auth's options to
>> set session credentials. You can add values to the authentication
>> driver's $_credentials hash property, for example from inside the
>> transparent() method, if your driver provides transparent
>> authentication.
>
> We already use Horde_Auth's options to set session credentials. The
> problem arises with the validateAuth() function, which checks $_SESSION
> variables set by the auth driver itself (by verifying whether the
> external auth is still valid or not). Is it possible to prevent Horde
> from destroying authentication information set by an auth driver?
> If not, does the auth driver have to create a new session each time
> validateAuth() is executed?
>
>
When the validateAuth() function checks $_SESSION variables set by the auth
driver, the following error occurs: "IMP is marked as authenticated,
but no credentials can be found in the session." With
validateAuth() disabled, authentication works fine.
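An illustration of the approach recommended earlier in the thread, added here as an example and not taken from the thread or from Horde's own code: the external authentication state is kept in the driver's credentials hash instead of $_SESSION, so it is not lost when Horde regenerates the session at login. It assumes the Horde_Auth_Base methods transparent(), validateAuth(), setCredential() and getCredential(), and that Horde repopulates the credentials hash from its own session storage before calling validateAuth(); the driver class name, the SSO header, the credential key and the helper methods are hypothetical.

```php
<?php
/**
 * Hypothetical transparent auth driver (example only, not Horde code).
 * External login state lives in the driver's credentials hash rather
 * than in $_SESSION, because _setAuth() cleans the PHP session on login
 * to prevent session fixation and would discard anything stored there.
 */
class Horde_Auth_ExampleSso extends Horde_Auth_Base
{
    /* Assumption: the SSO front end passes a token in a request header. */
    private function _externalToken()
    {
        return isset($_SERVER['HTTP_X_SSO_TOKEN'])
            ? $_SERVER['HTTP_X_SSO_TOKEN']
            : null;
    }

    /* Placeholder for the real check against the external IdP. */
    private function _externalTokenValid($token)
    {
        return is_string($token) && $token !== '';
    }

    /* Placeholder: derive the Horde user id from the token. */
    private function _userFromToken($token)
    {
        return 'user-' . substr(hash('sha256', $token), 0, 8);
    }

    public function transparent()
    {
        $token = $this->_externalToken();
        if (!$this->_externalTokenValid($token)) {
            return false;
        }
        // Store state in the credentials hash, not in $_SESSION.
        $this->setCredential('userId', $this->_userFromToken($token));
        $this->setCredential('credentials', array('ext_token' => $token));
        return true;
    }

    public function validateAuth()
    {
        // Re-read the state Horde carried across the rebuilt session.
        $creds = $this->getCredential('credentials');
        return is_array($creds)
            && isset($creds['ext_token'])
            && $this->_externalTokenValid($creds['ext_token']);
    }

    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception('Transparent authentication only.');
    }
}
```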