[horde] problems w/ SSO logins joining a session already in progress

liamr@umich.edu liamr at umich.edu
Tue Sep 19 14:53:45 PDT 2006


Ok, I think I figured it out.  I've added this to the top of each 
application's templates/common-header.inc:

if( isset( $_SESSION[ '__auth' ][ 'userId' ] )
        && ( $_SESSION[ '__auth' ][ 'userId' ] != $_SERVER[ 'REMOTE_USER' ] )) {
    // The session was bound to someone other than the user the SSO
    // layer asserts in REMOTE_USER: drop it and start over at the root.
    Horde::getCleanSession();
    header( 'Location: https://' . $_SERVER[ 'SERVER_NAME' ] . '/' );
    exit;
}

I'm not sure if this is the best place for it, and I'd love a solution 
that could be given back to horde rather than having to be maintained 
as a local patch... but hey, it works for now.

Liam

Quoting liamr at umich.edu:

> We've recently discovered a problem in our installation.
>
>
> userA  go to webmail
>        click on the Login button
>        enter uniqname/password in the weblogin screen
>        view mail
>        go to directory.umich.edu or some other cosign site and log out
>        leave the PC and do not close the browser
>
> userB  using the same PC as userA
>        go to webmail
>        click on the Login button
>        enter uniqname/password in the weblogin screen
>        view userA's mail
>
> If the user doesn't log out using the logout link inside of Horde / 
> IMP, none of the horde cookies are removed.  Since all of the Horde 
> and IMP cookies are still set to valid values, userB isn't sent 
> through the normal horde login stuff, and basically picks up userA's 
> session already in progress.
>
> Our SSO sets $_SERVER['REMOTE_USER'] to the name of the person logged 
> in.  I've attached the Horde authentication script we're using.  It's 
> based on the "auto" authenticator.  What we're running into is a 
> situation where $_SESSION['__auth']['userId'] != 
> $_SERVER['REMOTE_USER'].
>
> I'm trying to figure out how and where to fix this.
>
> I tried adding an auto prepend that does...
>
>  include( "/usr/local/webmail/html-ssl/horde/lib/base.php" );
>  if( isset( $_SESSION[ '__auth' ][ 'userId' ] )) {
>      if( $_SESSION[ '__auth' ][ 'userId' ] != $_SERVER[ 'REMOTE_USER' ] ){
>          print( 'We have a problem.<hr>' );
>          setcookie( 'Horde', NULL );
>          setcookie( 'auth_key', NULL );
>          setcookie( 'imp_key', NULL );
>          setcookie( 'PHPSESSID', NULL );
>      }
>  }
>  exit;
>
> which doesn't work.... I tried adding a
>
>  header( 'Location: /' );
>
> inside the control structure, which also didn't work.
>
> I also tried replacing the setcookie stuff with 
> Horde::getCleanSession, which really didn't work.  In most cases, I 
> get neat urls like..
>
> https://test-mail.www.umich.edu/horde/login.php?url=%2Fhorde%2Flogin.php%3Furl%3D%252Fhorde%252Flogin.php%253Furl%253D%25252Fhorde%25252Flogin.php%25253Furl%25253D%2525252Fhorde%2525252Flogin.php%2525253Furl%2525253D%252525252Fhorde%252525252Flogin.php%252525253Furl%252525253D%25252525252Fhorde%25252525252Flogin.php%25252525253Furl%25252525253D%2525252525252Fhorde%2525252525252Flogin.php%2525252525253Furl%2525252525253D%252525252525252Fhorde%252525252525252Flogin.php%252525252525253Furl%252525252525253D%25252525252525252Fhorde%25252525252525252Flogin.php%25252525252525253Furl%25252525252525253D%2525252525252525252Fhorde%2525252525252525252Flogin.php%2525252525252525253Furl%2525252525252525253D%252525252525252525252Fhorde%252525252525252525252Flogin.php%252525252525252525253Furl%252525252525252525253D%25252525252525252525252Fhorde%25252525252525252525252Flogin.php%25252525252525252525253Furl%25252525252525252525253D%2525252525252525252525252Fhorde%2525252525252525252525252Flogin.php%2525252525252525252525253Furl%2525252525252525252525253D%252525252525252525252525252Fhorde%252525252525252525252525252Flogin.php%252525252525252525252525253Furl%252525252525252525252525253D%25252525252525252525252525252Fhorde%25252525252525252525252525252Flogin.php%25252525252525252525252525253Furl%25252525252525252525252525253D%2525252525252525252525252525252Fhorde%2525252525252525252525252525252Flogin.php%2525252525252525252525252525253Furl%2525252525252525252525252525253D%252525252525252525252525252525252Fhorde%252525252525252525252525252525252Fimp%252525252525252525252525252525252Findex.php
>
> I've tried adding it to the templates/common-header.inc, still no go.
>
> I can see it being an issue for any horde installation that uses SSO 
> and doesn't require people to logout through horde to actually log 
> out of the SSO.
>
> This is a huge problem for us and I could really use some suggestions.
>
> thanks!
>
> liam
>
>
>



liam
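The check the thread arrives at, written out as a stand-alone added example (this is not Horde code and not the author's patch): the identity bound to the PHP session is compared with the identity the SSO layer asserts in REMOTE_USER, and on a mismatch the server-side session is destroyed, the relevant cookies are expired, and the browser is redirected. The cookie names, the `classifySession`/`resetSession`/`enforceSsoIdentity` function names and the redirect target are assumptions for illustration; the sample session arrays are constructed.

```php
<?php
// Added example, not part of the original post or of Horde.
declare(strict_types=1);

// Hypothetical cookie list; mirrors the names mentioned in the thread.
const SESSION_COOKIES = ['Horde', 'auth_key', 'imp_key', 'PHPSESSID'];

/**
 * Compare the user bound to the session with the SSO-asserted user.
 * Returns 'ok', 'anonymous' (no app login yet), 'mismatch'
 * (session belongs to someone else) or 'no_sso' (REMOTE_USER absent).
 */
function classifySession(array $session, ?string $remoteUser): string
{
    $sessionUser = $session['__auth']['userId'] ?? null;
    if ($remoteUser === null || $remoteUser === '') {
        return 'no_sso';
    }
    if ($sessionUser === null) {
        return 'anonymous';
    }
    // Strict comparison: identities are opaque strings; normalise case
    // upstream if the SSO and the application disagree about it.
    return $sessionUser === $remoteUser ? 'ok' : 'mismatch';
}

/**
 * Destroy the inherited session and send the browser back to the front
 * door. Must run before any body output: setcookie() and header() are
 * HTTP headers and cannot be sent once output has started.
 */
function resetSession(array $cookieNames, string $redirectTo): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
    // Empty value plus a past expiry so every client actually drops it.
    foreach ($cookieNames as $name) {
        setcookie($name, '', time() - 3600, '/');
    }
    header('Location: ' . $redirectTo);
    exit;
}

/** Hook for an auto_prepend_file or early bootstrap: acts only on mismatch. */
function enforceSsoIdentity(): string
{
    $verdict = classifySession($_SESSION ?? [], $_SERVER['REMOTE_USER'] ?? null);
    if ($verdict === 'mismatch') {
        resetSession(SESSION_COOKIES, '/');
    }
    return $verdict;
}

// Stand-alone demonstration with constructed data: `php this_file.php`
if (PHP_SAPI === 'cli') {
    $cases = [
        'same user'      => [['__auth' => ['userId' => 'usera']], 'usera'],
        'different user' => [['__auth' => ['userId' => 'usera']], 'userb'],
        'fresh session'  => [[], 'userb'],
        'no sso header'  => [['__auth' => ['userId' => 'usera']], null],
    ];
    foreach ($cases as $label => [$session, $remote]) {
        printf("%-15s -> %s\n", $label, classifySession($session, $remote));
    }
}
```

The decision is kept in a pure function so it can be exercised from the command line without a web server; only `resetSession` touches the session store, cookies and headers. The `no_sso` verdict is returned rather than acted on, so a deployment where the SSO front end does not protect every path can log it or decide separately, instead of redirecting in a loop.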

