[horde] problems w/ SSO logins joining a session already in progress
Chuck Hagenbuch
chuck at horde.org
Tue Sep 19 15:35:33 PDT 2006

Quoting liamr at umich.edu:
> If the user doesn't log out using the logout link inside of Horde /
> IMP, none of the horde cookies are removed. Since all of the Horde
> and IMP cookies are still set to valid values, userB isn't sent
> through the normal horde login stuff, and basically picks up userA's
> session already in progress.
> I can see it being an issue for any horde installation that uses SSO
> and doesn't require people to logout through horde to actually log
> out of the SSO.
>
> This is a huge problem for us and I could really use some suggestions.

First suggestion, least work for me: set the SSO to send people
through Horde's logout page to make sure Horde sessions are cleared,
or to just delete the session file when they log out of the SSO.

Second suggestion, requires Horde changes but possibly better long
term anyway: add a hook that's called at the top of
Auth::isAuthenticated() - essentially a user-definable version of the
existing browser string and IP checks.

Maybe you can go with the former for a quick fix (if possible) and
create an enhancement request for the second, if that sounds good to
you?

-chuck
--
"we are plastered to the windshield of the bus that is time." - Chris
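
The kind of check the second suggestion describes, sketched as stand-alone PHP (an added example, not Horde code and not a Horde hook API). It assumes the SSO layer sets `REMOTE_USER` on every request and that the login code stored the user name under a hypothetical `auth_user` session key; the function names are also hypothetical.

```php
<?php
// Added example, not Horde code. Assumptions: the SSO front end sets
// REMOTE_USER on every request, and login stored the authenticated user
// name in $_SESSION['auth_user'] (hypothetical key name).

/**
 * True only when the session belongs to the user the SSO layer is
 * vouching for on this request.
 */
function sso_identity_matches_session(array $session, array $server): bool
{
    $ssoUser     = (string) ($server['REMOTE_USER'] ?? '');
    $sessionUser = (string) ($session['auth_user'] ?? '');
    // A missing identity on either side is treated as "not authenticated".
    if ($ssoUser === '' || $sessionUser === '') {
        return false;
    }
    return $ssoUser === $sessionUser;
}

/**
 * Run before any "is this request authenticated?" decision. On mismatch the
 * stale session is destroyed so the request takes the normal login path.
 */
function enforce_sso_identity(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (sso_identity_matches_session($_SESSION, $_SERVER)) {
        return true;
    }
    // Drop server-side state and expire the session cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: userA's session is still present, userB arrives via SSO.
    var_dump(sso_identity_matches_session(['auth_user' => 'userA'], ['REMOTE_USER' => 'userB']));
    var_dump(sso_identity_matches_session(['auth_user' => 'userB'], ['REMOTE_USER' => 'userB']));
}
```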