[horde] problems w/ SSO logins joining a session already in progress

liamr@umich.edu liamr at umich.edu
Tue Sep 19 13:29:12 PDT 2006


We've recently discovered a problem in our installation.


userA  go to webmail
        click on the Login button
        enter uniqname/password in the weblogin screen
        view mail
        go to directory.umich.edu or some other cosign site and log out
        leave the PC and do not close the browser

userB  using the same PC as userA
        go to webmail
        click on the Login button
        enter uniqname/password in the weblogin screen
        view userA's mail

If the user doesn't log out using the logout link inside of Horde / 
IMP, none of the horde cookies are removed.  Since all of the Horde and 
IMP cookies are still set to valid values, userB isn't sent through the 
normal horde login stuff, and basically picks up userA's session 
already in progress.

Our SSO sets $_SERVER['REMOTE_USER'] to the name of the person logged 
in.  I've attached the Horde authentication script we're using.  It's 
based on the "auto" authenticator.  What we're running into is a 
situation where $_SESSION['__auth']['userId'] != 
$_SERVER['REMOTE_USER'].

I'm trying to figure out how and where to fix this.

I tried adding an auto prepend that does...

  <?php
  // Load Horde so the session (and $_SESSION['__auth']) is available,
  // then compare the session user with the SSO user set by mod_cosign.
  include( "/usr/local/webmail/html-ssl/horde/lib/base.php" );
  if( isset( $_SESSION[ '__auth' ][ 'userId' ] )) {
      if( $_SESSION[ '__auth' ][ 'userId' ] != $_SERVER[ 'REMOTE_USER' ] ){
          print( 'We have a problem.<hr>' );
          // Attempt to clear the Horde/IMP cookies left by the previous user.
          setcookie( 'Horde', NULL );
          setcookie( 'auth_key', NULL );
          setcookie( 'imp_key', NULL );
          setcookie( 'PHPSESSID', NULL );
      }
  }
  exit;

which doesn't work.... I tried adding a

  header( 'Location: /' );

inside the control structure, which also didn't work.

I also tried replacing the setcookie stuff with Horde::getCleanSession, 
which really didn't work.  In most cases, I get neat urls like..

https://test-mail.www.umich.edu/horde/login.php?url=%2Fhorde%2Flogin.php%3Furl%3D%252Fhorde%252Flogin.php%253Furl%253D%25252Fhorde%25252Flogin.php%25253Furl%25253D%2525252Fhorde%2525252Flogin.php%2525253Furl%2525253D%252525252Fhorde%252525252Flogin.php%252525253Furl%252525253D%25252525252Fhorde%25252525252Flogin.php%25252525253Furl%25252525253D%2525252525252Fhorde%2525252525252Flogin.php%2525252525253Furl%2525252525253D%252525252525252Fhorde%252525252525252Flogin.php%252525252525253Furl%252525252525253D%25252525252525252Fhorde%25252525252525252Flogin.php%25252525252525253Furl%25252525252525253D%2525252525252525252Fhorde%2525252525252525252Flogin.php%2525252525252525253Furl%2525252525252525253D%252525252525252525252Fhorde%252525252525252525252Flogin.php%252525252525252525253Furl%252525252525252525253D%25252525252525252525252Fhorde%25252525252525252525252Flogin.php%25252525252525252525253Furl%25252525252525252525253D%2525252525252525252525252Fhorde%2525252525252525252525252Flo!
 gin.php%2525252525252525252525253Furl%2525252525252525252525253D%252525252525252525252525252Fhorde%252525252525252525252525252Flogin.php%252525252525252525252525253Furl%252525252525252525252525253D%25252525252525252525252525252Fhorde%25252525252525252525252525252Flogin.php%25252525252525252525252525253Furl%25252525252525252525252525253D%2525252525252525252525252525252Fhorde%2525252525252525252525252525252Flogin.php%2525252525252525252525252525253Furl%2525252525252525252525252525253D%252525252525252525252525252525252Fhorde%252525252525252525252525252525252Fimp%252525252525252525252525252525252Findex.php

I've tried adding it to the templates/common-header.inc, still no go.

I can see it being an issue for any horde installation that uses SSO 
and doesn't require people to logout through horde to actually log out 
of the SSO.

This is a huge problem for us and I could really use some suggestions.

thanks!

liam
-------------- next part --------------
<?php
/**
 * The Auth_cosign class transparently logs users in to Horde using 
 * $_SERVER[ 'REMOTE_USER' ], which is automatically set by mod_cosign.
 *
 * Optional parameters:
 * ====================
 *   'requestuser'  --  If true, allow username to be passed by GET, POST
 *                      or cookie.
 *
 *
 * $Horde: framework/Auth/Auth/cosign.php,v 1.1 2004/11/22 11:29:11 liamr Exp $
 *
 * Copyright 2004 Liam Hoekenga <liamr at umich.edu>
 *
 * See the enclosed file COPYING for license information (LGPL). If you
 * did not receive this file, see http://www.fsf.org/copyleft/lgpl.html.
 *
 * @author  Liam Hoekenga <liamr at umich.edu>
 * @version $Revision: 1.4 $
 * @since   Horde 3.0
 * @package Horde_Auth
 */
class Auth_cosign extends Auth {

    /**
     * An array of capabilities, so that the driver can report which
     * operations it supports and which it doesn't.
     *
     * @var array $capabilities
     */
    var $capabilities = array('add'           => false,
                              'update'        => false,
                              'resetpassword' => false,
                              'remove'        => false,
                              'list'          => false,
                              'transparent'   => true);

    /**
     * Constructs a new Auth_cosign authentication object.
     *
     * @access public
     *
     * @param optional array $params  A hash containing parameters.
     */
    function Auth_cosign($params = array())
    {
        $this->_setParams($params);
    }

    /**
     * Set parameters for the Auth_cosign object.
     *
     * @access private
     *
     * @param array $params  Parameters. None currently required,
     *                       'username' is optional.
     */
    function _setParams($params)
    {
        if (!isset($params['username'])) {
            if ( !isset( $_SERVER['REMOTE_USER'] )) {
                $params['username'] = 'GuestUser';
            } else {
                $params['username'] = $_SERVER['REMOTE_USER'];
            }
        }
        $this->_params = $params;
    }

    /**
     * Transparent authentication: set the Horde user from the cosign
     * identity (or from the request, if 'requestuser' is enabled).
     *
     * @access public
     *
     * @return boolean  Whether or not the client is allowed.
     */
    function transparent()
    {
        $username = (!empty($this->_params['requestuser']) && isset($_REQUEST['username']))
            ? $_REQUEST['username']
            : $this->_params['username'];
        $this->setAuth($username,
                       array('password' => $username,
                             'transparent' => 1));
        return true;
    }

}
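An added example, not from the post or from Horde itself, of the per-request check the post is after: compare the session's Horde user with $_SERVER['REMOTE_USER'] and throw the session away on mismatch, so the new SSO user goes through the normal transparent login instead of inheriting the old one. It assumes it runs after Horde's lib/base.php has started the session; the cookie names come from the author's attempt and the '/horde' cookie path is an assumption (use the same path/domain Horde set the cookies with).

```php
<?php
// Added example (not from the original post or from Horde): refuse to reuse
// a session whose authenticated user differs from the SSO identity.
// Assumes the session has already been started (e.g. by Horde's lib/base.php).

/**
 * True when the session's Horde user matches the SSO user, or when there is
 * no Horde user yet (fresh session).  Takes the arrays as parameters so it
 * can be exercised without a live request.
 */
function sessionUserMatchesSso($session, $server)
{
    if (!isset($session['__auth']['userId'])) {
        return true;                       // nothing to reuse yet
    }
    if (!isset($server['REMOTE_USER'])) {
        return false;                      // SSO identity gone: do not trust the session
    }
    return $session['__auth']['userId'] === $server['REMOTE_USER'];
}

/**
 * Discard the stale session server-side and expire its cookies.  A deletion
 * cookie must carry the same path (and domain) as the original, otherwise
 * the browser keeps the old cookie and the session is picked up again.
 * '/horde' is an assumed path; match $conf['cookie']['path'].
 */
function discardStaleHordeSession($cookiePath = '/horde')
{
    $_SESSION = array();
    foreach (array('Horde', 'auth_key', 'imp_key', 'PHPSESSID') as $name) {
        setcookie($name, '', time() - 86400, $cookiePath);
    }
    if (session_id() !== '') {
        session_destroy();
    }
}

if (!sessionUserMatchesSso($_SESSION, $_SERVER)) {
    discardStaleHordeSession();
    // Redirect to the bare entry point rather than login.php?url=..., so a
    // repeated pass cannot nest the url parameter inside itself.
    header('Location: /horde/', true, 303);
    exit;
}
```

Because the session is destroyed on the server as well as in the browser, a browser that ignores the deletion cookies still cannot resume the old user's session.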

