[dev] Auth driver : validateAuth false and imp still try to login to Imap
ssri_abo at u-paris2.fr
Wed Mar 11 14:33:34 UTC 2015
Michael M Slusarz <slusarz at horde.org> wrote:
> Quoting Ralf Lang <lang at b1-systems.de>:
>> On 06.03.2015 17:26, SSRI wrote:
>>> We use a custom authentication backend and have implemented a
>>> validateAuth() function.
>>> When validateAuth() returns false, we have noticed that IMP still tries to
>>> log in to our IMAP server 3 times before the user is logged out.
>>> Why isn't the user disconnected immediately after the first time
>>> validateAuth() returns false?
>> The Imap code stores a cached copy of the credentials used during login.
>> Last time I worked in this area in 2013, there was no way of notifying
>> this storage about changed credentials.
> That's a different issue - namely dealing with changing credentials.
> validateAuth() deals with authentication checks that are independent
> of credential checking.
> validateAuth() should immediately terminate any authentication
> process. So that would be a bug. However, it is suspicious that
> validateAuth() would fail *AND* the stored credentials didn't work.
> If that is the case, it sounds like some process has changed the
> IMAP/POP3 authentication.
We use a credential cache mechanism on our IMAP server. When the
credentials are deleted from the cache, IMAP authentication is refused:
the stored credentials from Horde don't work *AND* validateAuth()
fails - as credentials are considered expired.
We try to use validateAuth() the same way it is used in the Shibboleth driver.
> In which case, validateAuth() should return true since that has
> nothing to do with credential checking. (in other words, this
> sounds like what Ralf reports - you can't change authentication
> credentials during a session without destroying the session. This
> is not an issue with Horde's design though - it's the same reason
> you inevitably need to log out of any application/website/etc. when
> changing your password/authentication)
> Michael Slusarz [slusarz at horde.org]