[horde] problems w/ SSO logins joining a session already in progress
liamr@umich.edu
Wed Sep 20 11:32:37 PDT 2006
> First suggestion, least work for me: set the SSO to send people
> through Horde's logout page to make sure Horde sessions are cleared,
> or to just delete the session file when they log out of the sso.
>
> Second suggestion, requires Horde changes but possibly better long
> term anyway: add a hook that's called at the top of
> Auth::isAuthenticated() - essentially a user-defineable version of
> the existing browser string and IP checks.
>
> Maybe you can go with the former for a quick fix (if possible) and
> create an enhancement request for the second, if that sounds good to
> you?
The first isn't really going to work for us... at least I don't think
campus would go for passing all SSO logouts through a service that some
people aren't using.
Here's the final version of our fix, which appears at the top of
templates/common-header.inc for each of our installed horde
applications:
    // Compare the user this Horde session was opened for with the user the
    // SSO (via the web server's REMOTE_USER) is asserting right now. If they
    // differ, throw the Horde session away and start over from the site root.
    if ((isset($_SESSION['__auth']['userId']) && isset($_SERVER['REMOTE_USER']))
        && ($_SESSION['__auth']['userId'] != $_SERVER['REMOTE_USER'])) {
        Horde::getCleanSession();
        header('Location: https://' . $_SERVER['SERVER_NAME'] . '/');
        exit;
    }
Would your proposed enhancement be able to handle changes to the SSO
user in the middle of the session? I see calls to
Auth::isAuthenticated in imp/templates/login/login.inc and then a bunch
of IMP libraries. If it's only at login, wouldn't we run into the same
issue?
Liam
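The check above, written as an added example that is not Liam's snippet nor Horde code: the decision is pulled into a side-effect-free function so it can be tested apart from the redirect, and it also covers the case the original does not, where a Horde session exists but the SSO no longer asserts any user at all (the logout-in-progress situation the thread is about). The function names sso_session_state and enforce_sso_session are assumptions; Horde::getCleanSession() and the $_SERVER['REMOTE_USER'] convention are taken from the post. The code uses PHP 7.1+ syntax.

```php
<?php
// Added example (not Horde's or the poster's code). Assumes the SSO module
// running in the web server populates $_SERVER['REMOTE_USER'] and that Horde
// is loaded so Horde::getCleanSession() exists.

/**
 * Decide whether the current Horde session may continue.
 *
 * Returns one of:
 *   'ok'        - no Horde session yet, or session user and SSO user agree
 *   'mismatch'  - a different SSO user arrived on an existing Horde session
 *   'no-sso'    - a Horde session exists but the SSO asserts no user
 *
 * $session and $server are passed in instead of reading the superglobals
 * directly, so the decision can be exercised without a live request.
 */
function sso_session_state(array $session, array $server): string
{
    $sessionUser = $session['__auth']['userId'] ?? null;
    $ssoUser     = $server['REMOTE_USER'] ?? null;

    if ($sessionUser === null || $sessionUser === '') {
        // Nothing to compare against; the normal login flow will run.
        return 'ok';
    }
    if ($ssoUser === null || $ssoUser === '') {
        // Horde still holds a session but the SSO no longer names a user.
        return 'no-sso';
    }
    // Strict comparison: a leftover session for "alice" must not survive
    // an SSO login as "Alice " or any other near-match.
    return ($sessionUser === $ssoUser) ? 'ok' : 'mismatch';
}

/**
 * Apply the decision at the top of a page: on anything but 'ok', discard the
 * Horde session and send the browser back to the site root, exactly as the
 * original snippet does on a mismatch.
 */
function enforce_sso_session(): void
{
    $state = sso_session_state($_SESSION ?? array(), $_SERVER);
    if ($state === 'ok') {
        return;
    }
    Horde::getCleanSession();
    header('Location: https://' . $_SERVER['SERVER_NAME'] . '/');
    exit;
}
```

Two points for anyone wiring this in: enforce the 'no-sso' branch only on paths the SSO module actually protects, otherwise an unprotected URL on the same host will silently log every visitor out; and the comparison is only as trustworthy as REMOTE_USER, which must come from the server-side auth module rather than from any header a browser could supply.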