[dev] Auth driver : validateAuth false and imp still try to login to Imap
Michael M Slusarz
slusarz at horde.org
Mon Mar 9 17:59:48 UTC 2015
Quoting Ralf Lang <lang at b1-systems.de>:
> On 06.03.2015 17:26, SSRI wrote:
>> We use a custom authentication backend and have implemented a
>> validateAuth() function.
>> When validateAuth() returns false, we have noticed that imp still tries to
>> log in to our IMAP server 3 times before the user is logged out.
>> Why isn't the user disconnected immediately after the first time
>> validateAuth() returns false?
> The Imap code stores a cached copy of the credentials used during login.
> Last time I worked in this area in 2013, there was no way of notifying
> this storage about changed credentials.
That's a different issue - namely dealing with changing credentials.
validateAuth() deals with authentication checks that are independent
of credential checking.
validateAuth() should immediately terminate any authentication
process. So that would be a bug. However, it is suspicious that
validateAuth() would fail *AND* the stored credentials didn't work.
If that is the case, it sounds like some process has changed the
IMAP/POP3 authentication. In which case, validateAuth() should return
true since that has nothing to do with credential checking. (In other
words, this sounds like what Ralf reports - you can't change
authentication credentials during a session without destroying the
session. This is not an issue with Horde's design though - it's the
same reason you inevitably need to log out of any
application/website/etc. when changing your password/authentication.)
Michael Slusarz [slusarz at horde.org]