[dev] Auth driver : validateAuth false and imp still try to login to Imap

Michael M Slusarz slusarz at horde.org
Mon Mar 9 17:59:48 UTC 2015

Quoting Ralf Lang <lang at b1-systems.de>:

> On 06.03.2015 17:26, SSRI wrote:
>> Hi,
>> We use a custom authentication backend and have implemented a
>> validateAuth() function.
>> When validateAuth() returns false, we have noticed that imp still try to
>> login to our IMAP server 3 times before user is logged out.
>> Why user isn't disconnected immediatly after the first time
>> validateAuth() returns false ?
> The Imap code stores a cached copy of the credentials used during login.
> Last time I worked in this area in 2013, there was no way of notifying
> this storage about changed credentials.

That's a different issue - namely dealing with changing credentials.

validateAuth() deals with authentication checks that are independent  
of credential checking.

validateAuth() should immediately terminate any authentication  
process.  So that would be a bug.  However, it is suspicious that  
validateAuth() would fail *AND* the stored credentials didn't work.   
If that is the case, it sounds like some process has changed the  
IMAP/POP3 authentication.  In which case, validateAuth() should return  
true since that has nothing to do with credential checking.  (in other  
words, this sounds like what Ralf reports - you can't change  
authentication credentials during a session without destroying the  
session.  This is not an issue with Horde's design though - it's the  
same reason you inevitably need to log out of any  
application/website/etc. when changing your password/authentication)


Michael Slusarz [slusarz at horde.org]

More information about the dev mailing list