[horde] Session expiration when IP is changing

Anton Köstlbacher horde3 at dingsbums.org
Thu Jan 9 15:09:42 UTC 2014 

Am 29.10.2013 21:50, schrieb Michael M Slusarz:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>
>>> Hi,
>>>
>>> the behaviour when my dynamic IP address changes at midnight has
>>> changed. I'm using Horde Groupware 5.1.2.
>>>
>>> I always had $conf[auth][checkip] enabled and it did log me out
>>> correctly. Now AJAX requests are still executed (like refreshing the
>>> mailbox pane), even after my IP changed. Horde only logs me out, when
>>> I click on a link which reloads the page completly.
>>>
>>> Can anyone confirm this?
>>
>> Yes.  This commit broke all permission/authentication valid checks for
>> AJAX (by broke I mean these no longer are done on an AJAX request):
>>
>> commit 9664382ee6550dd91db57c713de1b85bde630576
>> Author: Ralf Lang <lang at b1-systems.de>
>> Date:   Fri Aug 16 06:46:26 2013 +0200
>>
>>     fix broken unauthenticated calls for $_external handler methods
>>     For all other handler methods, ajax.php does checking for the
>> session key later on
>>
>> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
>> index 601fb9a..c8070ce 100644
>> --- a/horde/services/ajax.php
>> +++ b/horde/services/ajax.php
>> @@ -30,7 +30,7 @@ if (empty($action)) {
>>  }
>>
>>  try {
>> -    Horde_Registry::appInit($app);
>> +    Horde_Registry::appInit($app, array('authentication' => 'none'));
>>  } catch (Horde_Exception_AuthenticationFailure $e) {
>>      $response = new
>> Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>>      $response->sendAndExit();
>>
>>
>> There's a chicken/egg problem here, since we can't check whether the
>> given AJAX action is an allowable non-authenticated action or not
>> until Horde is initialized.
>>
>> I notice that RPC calls (rpc.php) uses a technique whereby they switch
>> authentication state halfway through the script.  But that is VERY
>> undesirable, since it requires the entire registry cache to be
>> reinitialized (including autoloading), which is a heavy load for AJAX
>> request - since most WILL require authentication.
>>
>> So we need a different solution.  I'm thinking we try to initialize
>> the app with authentication.  If that fails, we fall back to a
>> non-authenticated access.  Later, the latter will only allow calls to
>> externally-defined AJAX requests or else it will error out.
>
> This is fixed with Horde 5.1.6/Horde_Core 2.11.0
>
> michael
>
> ___________________________________
> Michael Slusarz [slusarz at horde.org]
>

Hi Michael,

the problem still exists with Horde 5.1.5/Horde_Core 2.11.1. I would 
consider this a quite severe security issue. What is your schedule for 
the fix? Thanks in advance!

Best Regards,
Anton

More information about the horde mailing list