[dev] Authentication session data cleaned by Kronolith
Jan Schneider
jan at horde.org
Thu Jun 20 13:09:29 UTC 2013
Quoting SSRI <ssri_abo at u-paris2.fr>:
>>>>>> Hi,
>>>>>>
>>>>>> In the _setAuth() function ( Horde/Core/Auth/Application.php ),
>>>>>> Horde destroys any existing PHP session on login. Using
>>>>>> transparent authentication, Horde authenticates correctly. But
>>>>>> when Kronolith tries to authenticate, it destroys any existing
>>>>>> PHP session. However, we store our authentication status in PHP
>>>>>> session data, which is destroyed by Kronolith ...
>>>>>
>>>>> What does this have to do with Kronolith?
>>>>>
>>>>
>>>> Logs indicate that Kronolith is the application that executes
>>>> this part of the _setAuth() calls after successful Horde/IMP
>>>> authentication:
>>>>
>>>>     /* Destroy any existing session on login and make sure to use a
>>>>      * new session ID, to avoid session fixation issues. */
>>>>     if (($userId = $registry->getAuth()) === false) {
>>>>         $GLOBALS['session']->clean();
>>>>         $userId = $this->getCredential('userId');
>>>>     }
>>>>
>>>>>> Is there a way to prevent Horde from destroying any existing PHP session data?
>>>>>
>>>>> How do you store this information in the session?
>>>>
>>>> $_SESSION inside a customized auth driver.
>>>
>>> This won't work, period. The session MUST be recreated after
>>> logging in for security reasons. You need to use Horde_Auth's
>>> options to set session credentials. You can add values to the
>>> authentication driver's $_credentials hash property, for example
>>> from inside the transparent() method, if your driver provides
>>> transparent authentication.
>>
>> We already use Horde_Auth's options to set session credentials. The
>> problem arises with the validateAuth() function, which checks $_SESSION
>> variables set by the auth driver itself ( by verifying whether the
>> external auth is still valid or not ). Is it possible to prevent
>> Horde from destroying authentication information set by an auth
>> driver? If not, does the auth driver have to create a new session each
>> time validateAuth() is executed?
>>
>>
>
> When the validateAuth() function checks $_SESSION values set by the auth
> driver, the following error occurs: "IMP is marked as authenticated,
> but no credentials can be found in the session." With validateAuth()
> disabled, authentication works fine.
Again: you must not write directly to $_SESSION. This is how it works
correctly:
In __construct(), write away the information you receive from your
custom authentication backend, and what else you want to store in the
session:
    public function __construct(array $params = array())
    {
        parent::__construct($params);
        $this->_credentials['userId'] = 'username';
        $this->_credentials['credentials'] = array(
            'password'        => 'password',
            'transparent'     => true,
            'arbitrary_stuff' => 'xyz',
        );
    }
Implement transparent() or _authenticate() at your will. Then, in
validateAuth():
    public function validateAuth()
    {
        /* Read back the value stored in _credentials above, via the
         * registry rather than $_SESSION. */
        return $GLOBALS['registry']->getAuthCredential('arbitrary_stuff') == 'xyz';
    }
--
Jan Schneider
The Horde Project
http://www.horde.org/
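To make the pattern from the reply above concrete, here is a complete custom transparent driver written for this archive page; it is an added example, not Horde project code and not code posted in the thread. It assumes the Horde framework is installed and autoloaded (Horde_Auth_Base, Horde_Auth_Exception and $GLOBALS['registry'] available), that the web server's SSO module sets $_SERVER['REMOTE_USER'] for authenticated requests, and that $this->_params is populated by the parent constructor. The class name MyApp_Auth_Sso, the 'max_age' parameter and the credential names 'sso_user' and 'sso_time' are choices made here. The external login state the original poster wanted to keep in $_SESSION goes into $_credentials instead, so it survives the session->clean() that _setAuth() performs, and validateAuth() re-checks it through the registry on every request.

```php
<?php
/**
 * Example transparent auth driver (added example, not part of Horde).
 *
 * Assumes: Horde_Auth_Base / Horde_Auth_Exception / $GLOBALS['registry']
 * from an installed Horde framework; $_SERVER['REMOTE_USER'] is set by the
 * web server's SSO module. 'max_age' is a parameter of this example only.
 */
class MyApp_Auth_Sso extends Horde_Auth_Base
{
    /* Advertise that this driver can authenticate without a login form. */
    protected $_capabilities = array(
        'authenticate' => true,
        'transparent'  => true,
    );

    public function __construct(array $params = array())
    {
        /* Seconds after which the externally granted login is no longer
         * trusted and the user has to pass through the SSO layer again. */
        $params = array_merge(array('max_age' => 3600), $params);
        parent::__construct($params);
    }

    /**
     * Called by Horde before the login screen would be shown. Nothing here
     * touches $_SESSION: everything placed in $this->_credentials is what
     * _setAuth() stores after it has cleaned and re-created the session.
     */
    public function transparent()
    {
        if (empty($_SERVER['REMOTE_USER'])) {
            return false;
        }
        $this->_credentials['userId'] = $_SERVER['REMOTE_USER'];
        $this->_credentials['credentials'] = array(
            'transparent' => true,
            'sso_user'    => $_SERVER['REMOTE_USER'],
            'sso_time'    => time(),
        );
        return true;
    }

    /* Required by Horde_Auth_Base; this driver has no interactive login. */
    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception(
            'Interactive login is not supported by this driver.'
        );
    }

    /**
     * Called on every request of an authenticated session. Reads the values
     * saved in transparent() back through the registry (never $_SESSION) and
     * confirms that the external authentication is still valid.
     */
    public function validateAuth()
    {
        $registry = $GLOBALS['registry'];
        $user = $registry->getAuthCredential('sso_user');
        $time = $registry->getAuthCredential('sso_time');

        if ($user === false || $time === false) {
            /* Credentials missing: the session was not created by us. */
            return false;
        }
        /* The SSO layer must still vouch for exactly the same user ... */
        if (empty($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] !== $user) {
            return false;
        }
        /* ... and the login must not be older than max_age seconds. */
        return (time() - (int)$time) <= (int)$this->_params['max_age'];
    }
}
```

Returning false from validateAuth() makes Horde drop the authenticated state and run transparent() again on the next request, so the driver never has to create or clean a session itself; that remains _setAuth()'s job, which is the point of the session-fixation protection discussed above.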