[horde] Session expiration when IP is changing

Michael M Slusarz slusarz at horde.org
Tue Oct 29 19:55:33 UTC 2013


Quoting Anton Köstlbacher <horde3 at dingsbums.org>:

> Hi,
>
> the behaviour when my dynamic IP address changes at midnight has  
> changed. I'm using Horde Groupware 5.1.2.
>
> I always had $conf[auth][checkip] enabled and it did log me out  
> correctly. Now AJAX requests are still executed (like refreshing the  
> mailbox pane), even after my IP changed. Horde only logs me out,  
> when I click on a link which reloads the page completely.
>
> Can anyone confirm this?

Yes.  This commit broke all permission/authentication validity checks for  
AJAX (by broke I mean these no longer are done on an AJAX request):

commit 9664382ee6550dd91db57c713de1b85bde630576
Author: Ralf Lang <lang at b1-systems.de>
Date:   Fri Aug 16 06:46:26 2013 +0200

     fix broken unauthenticated calls for $_external handler methods
     For all other handler methods, ajax.php does checking for the
     session key later on

diff --git a/horde/services/ajax.php b/horde/services/ajax.php
index 601fb9a..c8070ce 100644
--- a/horde/services/ajax.php
+++ b/horde/services/ajax.php
@@ -30,7 +30,7 @@ if (empty($action)) {
  }

  try {
-    Horde_Registry::appInit($app);
+    Horde_Registry::appInit($app, array('authentication' => 'none'));
  } catch (Horde_Exception_AuthenticationFailure $e) {
      $response = new Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
      $response->sendAndExit();
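Review bot: passing 'authentication' => 'none' unconditionally means Horde_Registry::appInit() no longer validates the session for any action, so the `catch (Horde_Exception_AuthenticationFailure $e)` branch that sends Horde_Core_Ajax_Response_HordeCore_SessionTimeout can never fire from this call; the commit message says the session key is checked "later on" for non-external handler methods, but as the thread above shows, the checks that used to run in appInit (the checkip logout among them) are now skipped for every AJAX request. Suggest keeping the authenticated appInit($app) as the default and passing 'none' only when the requested action is a known $_external handler method, or attempting the authenticated init first and falling back to unauthenticated access only for those external actions, so the SessionTimeout path stays reachable for everything else.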


There's a chicken/egg problem here, since we can't check whether the  
given AJAX action is an allowable non-authenticated action or not  
until Horde is initialized.

I notice that RPC calls (rpc.php) use a technique whereby they switch  
authentication state halfway through the script.  But that is VERY  
undesirable, since it requires the entire registry cache to be  
reinitialized (including autoloading), which is a heavy load for AJAX  
requests - since most WILL require authentication.

So we need a different solution.  I'm thinking we try to initialize  
the app with authentication.  If that fails, we fall back to a  
non-authenticated access.  Later, the latter will only allow calls to  
externally-defined AJAX requests or else it will error out.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
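The flow Michael proposes at the end of his reply (try the authenticated init first, fall back to an unauthenticated mode only if that fails, and in that mode serve nothing but externally-defined actions), written out as an added illustration. This is not Horde code and not the project's fix; app_init() is a stand-in for Horde_Registry::appInit(), and the function names (ajax_dispatch, is_external_action) and the EXTERNAL_ACTIONS list are hypothetical. The IP-binding check stands in for $conf[auth][checkip].

```php
<?php
// Added illustration of the proposed "authenticated first, fall back to
// unauthenticated for external actions only" flow. Not Horde's code; all
// names below are hypothetical stand-ins for the real registry/session API.

class AuthenticationFailure extends Exception {}

// Actions a handler exposes without a login (the "$_external" methods in
// the thread). Everything else needs a valid, still-bound session.
const EXTERNAL_ACTIONS = ['ping', 'publicCalendar'];

function is_external_action(string $action): bool
{
    return in_array($action, EXTERNAL_ACTIONS, true);
}

/**
 * Stand-in for the authenticated Horde_Registry::appInit(): validates the
 * session, including the client-IP binding that checkip provides. Throws on
 * any failure so the caller can decide whether to fall back.
 */
function app_init(array $session, string $remote_ip, bool $check_ip): void
{
    if (empty($session['user'])) {
        throw new AuthenticationFailure('no session');
    }
    if ($check_ip && $session['ip'] !== $remote_ip) {
        throw new AuthenticationFailure('client IP changed');
    }
}

/**
 * Returns the response the AJAX endpoint would send for $action.
 * The authenticated init is attempted once; if it fails we continue in
 * unauthenticated mode without re-initialising anything, and in that mode
 * only external actions are served. All other actions get the same
 * session-timeout answer a full page reload would produce.
 */
function ajax_dispatch(string $action, array $session, string $remote_ip, bool $check_ip): string
{
    $authenticated = true;
    try {
        app_init($session, $remote_ip, $check_ip);
    } catch (AuthenticationFailure $e) {
        $authenticated = false;
    }

    if (!$authenticated && !is_external_action($action)) {
        // Tell the client the session is gone instead of silently
        // returning data after the IP binding no longer matches.
        return 'session-timeout';
    }

    return ($authenticated ? 'auth:' : 'noauth:') . $action;
}

// Constructed sample: a session bound to 203.0.113.10, then the client's
// address changes (the midnight dynamic-IP case from the original post).
$session = ['user' => 'anton', 'ip' => '203.0.113.10'];
echo ajax_dispatch('refreshMailbox', $session, '203.0.113.10', true), "\n";
echo ajax_dispatch('refreshMailbox', $session, '203.0.113.77', true), "\n";
echo ajax_dispatch('ping', $session, '203.0.113.77', true), "\n";
```

The point of ordering it this way is that the common case (an authenticated request) pays for exactly one init, and the fallback never re-enters the registry; the unauthenticated path is only a narrower allow-list check on top of the state that already exists, which is the cost concern Michael raises about the rpc.php approach.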
