[horde] problems w/ SSO logins joining a session already in progress
liamr@umich.edu
liamr at umich.edu
Tue Sep 19 13:29:12 PDT 2006
We've recently discovered a problem in our installation.
userA:
  go to webmail
  click on the Login button
  enter uniqname/password in the weblogin screen
  view mail
  go to directory.umich.edu or some other cosign site and log out
  leave the PC and do not close the browser
userB (using the same PC as userA):
  go to webmail
  click on the Login button
  enter uniqname/password in the weblogin screen
  view userA's mail
If the user doesn't log out using the logout link inside of Horde /
IMP, none of the horde cookies are removed. Since all of the Horde and
IMP cookies are still set to valid values, userB isn't sent through the
normal horde login stuff, and basically picks up userA's session
already in progress.
Our SSO sets $_SERVER['REMOTE_USER'] to the name of the person logged
in. I've attached the Horde authentication script we're using. It's
based on the "auto" authenticator. What we're running into is a
situation where $_SESSION['__auth']['userId'] !=
$_SERVER['REMOTE_USER'].
I'm trying to figure out how and where to fix this.
I tried adding an auto prepend that does...
<?php
include( "/usr/local/webmail/html-ssl/horde/lib/base.php" );
if( isset( $_SESSION[ '__auth' ][ 'userId' ] )) {
    if( $_SESSION[ '__auth' ][ 'userId' ] != $_SERVER[ 'REMOTE_USER' ] ){
        print( 'We have a problem.<hr>' );
        setcookie( 'Horde', NULL );
        setcookie( 'auth_key', NULL );
        setcookie( 'imp_key', NULL );
        setcookie( 'PHPSESSID', NULL );
    }
}
exit;   // note: this exit sits outside the if, so every request ends here
which doesn't work.... I tried adding a
header( 'Location: /' );
inside the control structure, which also didn't work.
I also tried replacing the setcookie stuff with Horde::getCleanSession,
which really didn't work. In most cases, I get neat urls like..
https://test-mail.www.umich.edu/horde/login.php?url=%2Fhorde%2Flogin.php%3Furl%3D%252Fhorde%252Flogin.php%253Furl%253D%25252Fhorde%25252Flogin.php%25253Furl%25253D%2525252Fhorde%2525252Flogin.php%2525253Furl%2525253D%252525252Fhorde%252525252Flogin.php%252525253Furl%252525253D%25252525252Fhorde%25252525252Flogin.php%25252525253Furl%25252525253D%2525252525252Fhorde%2525252525252Flogin.php%2525252525253Furl%2525252525253D%252525252525252Fhorde%252525252525252Flogin.php%252525252525253Furl%252525252525253D%25252525252525252Fhorde%25252525252525252Flogin.php%25252525252525253Furl%25252525252525253D%2525252525252525252Fhorde%2525252525252525252Flogin.php%2525252525252525253Furl%2525252525252525253D%252525252525252525252Fhorde%252525252525252525252Flogin.php%252525252525252525253Furl%252525252525252525253D%25252525252525252525252Fhorde%25252525252525252525252Flogin.php%25252525252525252525253Furl%25252525252525252525253D%2525252525252525252525252Fhorde%2525252525252525252525252Flogin.php%2525252525252525252525253Furl%2525252525252525252525253D%252525252525252525252525252Fhorde%252525252525252525252525252Flogin.php%252525252525252525252525253Furl%252525252525252525252525253D%25252525252525252525252525252Fhorde%25252525252525252525252525252Flogin.php%25252525252525252525252525253Furl%25252525252525252525252525253D%2525252525252525252525252525252Fhorde%2525252525252525252525252525252Flogin.php%2525252525252525252525252525253Furl%2525252525252525252525252525253D%252525252525252525252525252525252Fhorde%252525252525252525252525252525252Fimp%252525252525252525252525252525252Findex.php
I've tried adding it to the templates/common-header.inc, still no go.
I can see it being an issue for any horde installation that uses SSO
and doesn't require people to logout through horde to actually log out
of the SSO.
This is a huge problem for us and I could really use some suggestions.
thanks!
liam
-------------- next part --------------
<?php
/**
 * The Auth_cosign class transparently logs users in to Horde using
 * $_SERVER[ 'REMOTE_USER' ], which is automatically set by mod_cosign.
 *
 * Optional parameters:
 * ====================
 * 'requestuser' -- If true, allow username to be passed by GET, POST
 *                  or cookie.
 *
 * $Horde: framework/Auth/Auth/cosign.php,v 1.1 2004/11/22 11:29:11 liamr Exp $
 *
 * Copyright 2004 Liam Hoekenga <liamr at umich.edu>
 *
 * See the enclosed file COPYING for license information (LGPL). If you
 * did not receive this file, see http://www.fsf.org/copyleft/lgpl.html.
 *
 * @author Liam Hoekenga <liamr at umich.edu>
 * @version $Revision: 1.4 $
 * @since Horde 3.0
 * @package Horde_Auth
 */
class Auth_cosign extends Auth {

    /**
     * An array of capabilities, so that the driver can report which
     * operations it supports and which it doesn't.
     *
     * @var array $capabilities
     */
    var $capabilities = array('add' => false,
                              'update' => false,
                              'resetpassword' => false,
                              'remove' => false,
                              'list' => false,
                              'transparent' => true);

    /**
     * Constructs a new cosign authentication object.
     *
     * @access public
     *
     * @param optional array $params  A hash containing parameters.
     */
    function Auth_cosign($params = array())
    {
        $this->_setParams($params);
    }

    /**
     * Set parameters for the Auth_cosign object.
     *
     * @access private
     *
     * @param array $params  Parameters. None currently required,
     *                       'username' is optional.
     */
    function _setParams($params)
    {
        if (!isset($params['username'])) {
            if (!isset($_SERVER['REMOTE_USER'])) {
                $params['username'] = 'GuestUser';
            } else {
                $params['username'] = $_SERVER['REMOTE_USER'];
            }
        }
        $this->_params = $params;
    }

    /**
     * Transparent authentication: accept the user asserted by the SSO
     * layer ($_SERVER['REMOTE_USER']) without prompting for credentials.
     *
     * Horde only consults this method when the session does not yet hold
     * an authenticated user; an existing session is reused as it is.
     *
     * @access public
     *
     * @return boolean  Whether or not the client is allowed.
     */
    function transparent()
    {
        $username = (!empty($this->_params['requestuser']) && isset($_REQUEST['username'])) ?
            $_REQUEST['username'] :
            $this->_params['username'];

        $this->setAuth($username,
                       array('password' => $username,
                             'transparent' => 1));
        return true;
    }

}
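The per-request check Liam describes (session userId vs. $_SERVER['REMOTE_USER']) together with a session teardown that actually expires the cookie, as an added example that is not from the post or from Horde. It assumes Horde's session cookie name is 'Horde' (the $conf['session']['name'] setting) and that the session is started before the comparison runs.

```php
<?php
// Added example, not from the original post or from Horde: an auto_prepend_file
// that refuses to serve a Horde session whose user no longer matches the
// identity the SSO layer asserts for the current request.
// Assumptions (not stated on the page): PHP sessions use the cookie name
// configured in Horde's $conf['session']['name'] ('Horde' here), and the
// session is started before the check, so Horde's $_SESSION data is visible.

// True when the session was authenticated for someone other than the SSO user,
// or when the SSO no longer asserts any user for a session that still holds one.
function sso_session_mismatch(array $session, array $server)
{
    if (!isset($session['__auth']['userId'])) {
        return false;                       // nothing authenticated yet: nothing to compare
    }
    if (!isset($server['REMOTE_USER']) || $server['REMOTE_USER'] === '') {
        return true;                        // SSO logout happened, Horde session lingers
    }
    return $session['__auth']['userId'] !== $server['REMOTE_USER'];
}

// Discard the server-side session state and expire its cookie.
// setcookie($name, NULL) only sends an empty value; the browser drops the
// cookie only when the expiry lies in the past and path/domain match the
// parameters it was originally set with.
function terminate_session()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure']);
    }
    session_destroy();
}

session_name('Horde');                      // assumption: matches $conf['session']['name']
if (session_id() === '') {
    session_start();
}
if (sso_session_mismatch($_SESSION, $_SERVER)) {
    terminate_session();
    // One redirect to the login page. On the next request the session is
    // empty, so the check above passes and Horde's transparent() driver
    // authenticates whoever the SSO now reports, avoiding the url=... loop.
    header('Location: /horde/login.php');
    exit;
}
```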