[horde] Session expiration when IP is changing
    Michael M Slusarz
    slusarz at horde.org
    Tue Oct 29 20:50:51 UTC 2013

Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>
>> Hi,
>>
>> the behaviour when my dynamic IP address changes at midnight has  
>> changed. I'm using Horde Groupware 5.1.2.
>>
>> I always had $conf[auth][checkip] enabled and it did log me out  
>> correctly. Now AJAX requests are still executed (like refreshing  
>> the mailbox pane), even after my IP changed. Horde only logs me  
>> out, when I click on a link which reloads the page completely.
>>
>> Can anyone confirm this?
>
> Yes.  This commit broke all permission/authentication validity checks  
> for AJAX (by broke I mean these are no longer done on an AJAX  
> request):
>
> commit 9664382ee6550dd91db57c713de1b85bde630576
> Author: Ralf Lang <lang at b1-systems.de>
> Date:   Fri Aug 16 06:46:26 2013 +0200
>
>     fix broken unauthenticated calls for $_external handler methods
>     For all other handler methods, ajax.php does checking for the  
> session key later on
>
> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
> index 601fb9a..c8070ce 100644
> --- a/horde/services/ajax.php
> +++ b/horde/services/ajax.php
> @@ -30,7 +30,7 @@ if (empty($action)) {
>  }
>
>  try {
> -    Horde_Registry::appInit($app);
> +    Horde_Registry::appInit($app, array('authentication' => 'none'));
>  } catch (Horde_Exception_AuthenticationFailure $e) {
>      $response = new Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>      $response->sendAndExit();
>
>
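Review bot: passing `array('authentication' => 'none')` here makes the `catch (Horde_Exception_AuthenticationFailure $e)` block directly below unreachable from this call, so the SessionTimeout response is never sent and every AJAX action, not only the `$_external` handler methods the commit message targets, now runs without the session-validity checks that an authenticated `appInit()` performs (the `$conf[auth][checkip]` comparison reported at the top of this thread being one of them). The later "session key" check the commit message relies on does not restore those checks, as the report shows. Suggested change: keep `Horde_Registry::appInit($app);` as the first attempt and, on `Horde_Exception_AuthenticationFailure`, retry with `'authentication' => 'none'` only when the requested action is declared external; for any other action send the SessionTimeout response as before.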
> There's a chicken/egg problem here, since we can't check whether the  
> given AJAX action is an allowable non-authenticated action or not  
> until Horde is initialized.
>
> I notice that RPC calls (rpc.php) use a technique whereby they  
> switch authentication state halfway through the script.  But that is  
> VERY undesirable, since it requires the entire registry cache to be  
> reinitialized (including autoloading), which is a heavy load for an  
> AJAX request - since most WILL require authentication.
>
> So we need a different solution.  I'm thinking we try to initialize  
> the app with authentication.  If that fails, we fall back to a  
> non-authenticated access.  Later, the latter will only allow calls  
> to externally-defined AJAX requests or else it will error out.
This is fixed in Horde 5.1.6/Horde_Core 2.11.0.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
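As an added illustration, not Horde's code and not part of this thread, the following stand-alone PHP sketch shows the dispatch order proposed above: initialize with authentication first, fall back to an unauthenticated initialization only if that fails, and let the fallback reach nothing but externally-declared actions. The `MailAjaxHandler` class, the `appInit()` stand-in (which imitates the `checkip` comparison of the session's address against the current client address), the session and request arrays, the action names and the IP addresses are all constructed for this example.

```php
<?php
/*
 * Added example, not Horde code: the "authenticated init first,
 * unauthenticated fallback, fallback may only reach external actions"
 * ordering described in the thread, simulated with stand-in classes.
 * Everything below (handler, appInit() stand-in, session, requests) is
 * constructed for the illustration.
 */

class AuthenticationFailure extends Exception {}

/* Stand-in for an application's AJAX handler. $_external names the
 * actions callable without a valid session (assumed, after the commit
 * message's "$_external handler methods"). */
class MailAjaxHandler
{
    protected $_actions  = array('refreshMailbox', 'pingExternal');
    protected $_external = array('pingExternal');

    public function hasAction($action)
    {
        return in_array($action, $this->_actions, true);
    }

    public function isExternal($action)
    {
        return in_array($action, $this->_external, true);
    }

    public function refreshMailbox()
    {
        return array('unseen' => 3);
    }

    public function pingExternal()
    {
        return array('pong' => true);
    }
}

/* Stand-in for Horde_Registry::appInit(). With authentication it validates
 * the session, including the checkip comparison of the address the session
 * was created from against the current client address. With
 * 'authentication' => 'none' it performs no validation at all, which is
 * why the patch quoted above disabled the checks for every action. */
function appInit(array $session, array $request, array $opts = array())
{
    $auth = isset($opts['authentication']) ? $opts['authentication'] : 'required';
    if ($auth === 'none') {
        return new MailAjaxHandler();
    }
    if (empty($session['uid'])) {
        throw new AuthenticationFailure('no authenticated session');
    }
    if (!empty($session['checkip']) && $session['ip'] !== $request['ip']) {
        throw new AuthenticationFailure('client address changed');
    }
    return new MailAjaxHandler();
}

/* ajax.php-style dispatcher. Returns an array the way a JSON response
 * would; 'sessionTimeout' stands for the SessionTimeout response object. */
function dispatch(array $session, array $request)
{
    $action = $request['action'];
    $reason = null;
    try {
        $handler = appInit($session, $request);
        $authenticated = true;
    } catch (AuthenticationFailure $e) {
        /* Only now can we ask whether the action is allowed without a
         * session, so initialise without authentication just for that. */
        $reason = $e->getMessage();
        $handler = appInit($session, $request, array('authentication' => 'none'));
        $authenticated = false;
    }

    if (!$handler->hasAction($action)) {
        return array('error' => 'unknown action');
    }
    if (!$authenticated && !$handler->isExternal($action)) {
        return array('response' => 'sessionTimeout', 'reason' => $reason);
    }
    return array('response' => $handler->$action());
}

/* Constructed sample: a session bound to 203.0.113.5 with checkip on, then
 * requests before and after the client's address changes. */
$session = array('uid' => 'anton', 'ip' => '203.0.113.5', 'checkip' => true);
$cases = array(
    array('ip' => '203.0.113.5',  'action' => 'refreshMailbox'), // still logged in
    array('ip' => '198.51.100.7', 'action' => 'refreshMailbox'), // address changed: timeout
    array('ip' => '198.51.100.7', 'action' => 'pingExternal'),   // external: still allowed
    array('ip' => '198.51.100.7', 'action' => 'isExternal'),     // not a dispatchable action
);
foreach ($cases as $req) {
    echo $req['ip'], ' ', $req['action'], ' => ', json_encode(dispatch($session, $req)), "\n";
}
```

Run with `php` on the command line. The second request is the case reported at the top of the thread: the mailbox refresh from the new address gets the session-timeout response instead of being served, while the external ping is still answered. Note that the fallback re-runs the initialization, which is the cost the thread warns about; it is tolerable only because the authenticated path succeeds for the majority of requests.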