[horde] Session expiration when IP is changing

Anton Köstlbacher horde3 at dingsbums.org
Wed Jan 15 13:24:39 UTC 2014 

Am 13.01.2014 20:33, schrieb Michael M Slusarz:
> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>
>> Am 29.10.2013 21:50, schrieb Michael M Slusarz:
>>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>>
>>>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>>>
>>>>> Hi,
>>>>>
>>>>> the behaviour when my dynamic IP address changes at midnight has
>>>>> changed. I'm using Horde Groupware 5.1.2.
>>>>>
>>>>> I always had $conf[auth][checkip] enabled and it did log me out
>>>>> correctly. Now AJAX requests are still executed (like refreshing the
>>>>> mailbox pane), even after my IP changed. Horde only logs me out, when
>>>>> I click on a link which reloads the page completly.
>>>>>
>>>>> Can anyone confirm this?
>>>>
>>>> Yes.  This commit broke all permission/authentication valid checks for
>>>> AJAX (by broke I mean these no longer are done on an AJAX request):
>>>>
>>>> commit 9664382ee6550dd91db57c713de1b85bde630576
>>>> Author: Ralf Lang <lang at b1-systems.de>
>>>> Date:   Fri Aug 16 06:46:26 2013 +0200
>>>>
>>>>    fix broken unauthenticated calls for $_external handler methods
>>>>    For all other handler methods, ajax.php does checking for the
>>>> session key later on
>>>>
>>>> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
>>>> index 601fb9a..c8070ce 100644
>>>> --- a/horde/services/ajax.php
>>>> +++ b/horde/services/ajax.php
>>>> @@ -30,7 +30,7 @@ if (empty($action)) {
>>>> }
>>>>
>>>> try {
>>>> -    Horde_Registry::appInit($app);
>>>> +    Horde_Registry::appInit($app, array('authentication' => 'none'));
>>>> } catch (Horde_Exception_AuthenticationFailure $e) {
>>>>     $response = new
>>>> Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>>>>     $response->sendAndExit();
>>>>
>>>>
>>>> There's a chicken/egg problem here, since we can't check whether the
>>>> given AJAX action is an allowable non-authenticated action or not
>>>> until Horde is initialized.
>>>>
>>>> I notice that RPC calls (rpc.php) uses a technique whereby they switch
>>>> authentication state halfway through the script.  But that is VERY
>>>> undesirable, since it requires the entire registry cache to be
>>>> reinitialized (including autoloading), which is a heavy load for AJAX
>>>> request - since most WILL require authentication.
>>>>
>>>> So we need a different solution.  I'm thinking we try to initialize
>>>> the app with authentication.  If that fails, we fall back to a
>>>> non-authenticated access.  Later, the latter will only allow calls to
>>>> externally-defined AJAX requests or else it will error out.
>>>
>>> This is fixed with Horde 5.1.6/Horde_Core 2.11.0
>>>
>>> michael
>>>
>>> ___________________________________
>>> Michael Slusarz [slusarz at horde.org]
>>>
>>
>> Hi Michael,
>>
>> the problem still exists with Horde 5.1.5/Horde_Core 2.11.1. I would
>> consider this a quite severe security issue. What is your schedule for
>> the fix? Thanks in advance!
>
> Works fine here.
>
> michael
>
> ___________________________________
> Michael Slusarz [slusarz at horde.org]
>

Hi Michael,

for me AJAX requests still work although my IP has changed after 
authentication. This shouldn't be the case with $conf[auth][checkip] 
enabled. What could be wrong? Horde Webmail is up to date.

Best Regards,
Anton

More information about the horde mailing list