[horde] Session expiration when IP is changing

Michael M Slusarz slusarz at horde.org
Mon Jan 13 19:33:51 UTC 2014


Quoting Anton Köstlbacher <horde3 at dingsbums.org>:

> On 29.10.2013 21:50, Michael M Slusarz wrote:
>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>
>>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>>
>>>> Hi,
>>>>
>>>> the behaviour when my dynamic IP address changes at midnight has
>>>> changed. I'm using Horde Groupware 5.1.2.
>>>>
>>>> I always had $conf[auth][checkip] enabled and it did log me out
>>>> correctly. Now AJAX requests are still executed (like refreshing the
>>>> mailbox pane), even after my IP changed. Horde only logs me out, when
>>>> I click on a link which reloads the page completely.
>>>>
>>>> Can anyone confirm this?
>>>
>>> Yes.  This commit broke all permission/authentication valid checks for
>>> AJAX (by broke I mean these no longer are done on an AJAX request):
>>>
>>> commit 9664382ee6550dd91db57c713de1b85bde630576
>>> Author: Ralf Lang <lang at b1-systems.de>
>>> Date:   Fri Aug 16 06:46:26 2013 +0200
>>>
>>>    fix broken unauthenticated calls for $_external handler methods
>>>    For all other handler methods, ajax.php does checking for the
>>> session key later on
>>>
>>> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
>>> index 601fb9a..c8070ce 100644
>>> --- a/horde/services/ajax.php
>>> +++ b/horde/services/ajax.php
>>> @@ -30,7 +30,7 @@ if (empty($action)) {
>>> }
>>>
>>> try {
>>> -    Horde_Registry::appInit($app);
>>> +    Horde_Registry::appInit($app, array('authentication' => 'none'));
>>> } catch (Horde_Exception_AuthenticationFailure $e) {
>>>     $response = new
>>> Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>>>     $response->sendAndExit();
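Review bot: passing `array('authentication' => 'none')` unconditionally at line 33 of ajax.php disables authentication for every AJAX action, not only the `$_external` handler methods the commit message targets. With this option `appInit()` no longer raises `Horde_Exception_AuthenticationFailure` for an expired or invalidated session, so the `catch` block that sends `Horde_Core_Ajax_Response_HordeCore_SessionTimeout` is effectively unreachable, and session-validity checks such as `$conf[auth][checkip]` are no longer applied to AJAX requests (the behaviour reported at the top of this thread). The commit message says the session key is checked "later on" for the other handlers, but a session-key check is not a substitute for the authentication and permission checks `appInit()` performs. Suggest keeping `Horde_Registry::appInit($app);` as the default and only falling back to `'authentication' => 'none'` when the requested action is a known external handler, so the SessionTimeout path still fires for everything else.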
>>>
>>>
>>> There's a chicken/egg problem here, since we can't check whether the
>>> given AJAX action is an allowable non-authenticated action or not
>>> until Horde is initialized.
>>>
>>> I notice that RPC calls (rpc.php) use a technique whereby they switch
>>> authentication state halfway through the script.  But that is VERY
>>> undesirable, since it requires the entire registry cache to be
>>> reinitialized (including autoloading), which is a heavy load for AJAX
>>> requests - since most WILL require authentication.
>>>
>>> So we need a different solution.  I'm thinking we try to initialize
>>> the app with authentication.  If that fails, we fall back to a
>>> non-authenticated access.  Later, the latter will only allow calls to
>>> externally-defined AJAX requests or else it will error out.
>>
>> This is fixed with Horde 5.1.6/Horde_Core 2.11.0
>>
>> michael
>>
>> ___________________________________
>> Michael Slusarz [slusarz at horde.org]
>>
>
> Hi Michael,
>
> the problem still exists with Horde 5.1.5/Horde_Core 2.11.1. I would
> consider this a quite severe security issue. What is your schedule
> for the fix? Thanks in advance!

Works fine here.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
