[horde] Session expiration when IP is changing

Michael J Rubinsky mrubinsk at horde.org
Wed Jan 15 15:24:04 UTC 2014


Quoting Anton Köstlbacher <horde3 at dingsbums.org>:

> On 13.01.2014 20:33, Michael M Slusarz wrote:
>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>
>>> On 29.10.2013 21:50, Michael M Slusarz wrote:
>>>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>>>
>>>>> Quoting Anton Köstlbacher <horde3 at dingsbums.org>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> the behaviour when my dynamic IP address changes at midnight has
>>>>>> changed. I'm using Horde Groupware 5.1.2.
>>>>>>
>>>>>> I always had $conf[auth][checkip] enabled and it did log me out
>>>>>> correctly. Now AJAX requests are still executed (like refreshing the
>>>>>> mailbox pane), even after my IP changed. Horde only logs me out, when
>>>>>> I click on a link which reloads the page completely.
>>>>>>
>>>>>> Can anyone confirm this?
>>>>>
>>>>> Yes.  This commit broke all permission/authentication valid checks for
>>>>> AJAX (by broke I mean these no longer are done on an AJAX request):
>>>>>
>>>>> commit 9664382ee6550dd91db57c713de1b85bde630576
>>>>> Author: Ralf Lang <lang at b1-systems.de>
>>>>> Date:   Fri Aug 16 06:46:26 2013 +0200
>>>>>
>>>>>   fix broken unauthenticated calls for $_external handler methods
>>>>>   For all other handler methods, ajax.php does checking for the
>>>>> session key later on
>>>>>
>>>>> diff --git a/horde/services/ajax.php b/horde/services/ajax.php
>>>>> index 601fb9a..c8070ce 100644
>>>>> --- a/horde/services/ajax.php
>>>>> +++ b/horde/services/ajax.php
>>>>> @@ -30,7 +30,7 @@ if (empty($action)) {
>>>>> }
>>>>>
>>>>> try {
>>>>> -    Horde_Registry::appInit($app);
>>>>> +    Horde_Registry::appInit($app, array('authentication' => 'none'));
>>>>> } catch (Horde_Exception_AuthenticationFailure $e) {
>>>>>    $response = new
>>>>> Horde_Core_Ajax_Response_HordeCore_SessionTimeout($app);
>>>>>    $response->sendAndExit();
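Review bot: passing `'authentication' => 'none'` to `Horde_Registry::appInit()` unconditionally means the `catch (Horde_Exception_AuthenticationFailure $e)` branch right below it, which sends the `SessionTimeout` response, can no longer fire for any action, not only for the `$_external` handler methods the commit message targets; the session-key check the message says ajax.php performs later is not a substitute for the full authentication validation (including the client-IP comparison) that `appInit()` did before this change. Limit the `'none'` option to the external handler case, or keep the authenticated `appInit($app)` as the default and fall back to the unauthenticated form only when it throws, so that every other action still receives the session timeout response.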
>>>>>
>>>>>
>>>>> There's a chicken/egg problem here, since we can't check whether the
>>>>> given AJAX action is an allowable non-authenticated action or not
>>>>> until Horde is initialized.
>>>>>
>>>>> I notice that RPC calls (rpc.php) use a technique whereby they switch
>>>>> authentication state halfway through the script.  But that is VERY
>>>>> undesirable, since it requires the entire registry cache to be
>>>>> reinitialized (including autoloading), which is a heavy load for AJAX
>>>>> requests - since most WILL require authentication.
>>>>>
>>>>> So we need a different solution.  I'm thinking we try to initialize
>>>>> the app with authentication.  If that fails, we fall back to a
>>>>> non-authenticated access.  Later, the latter will only allow calls to
>>>>> externally-defined AJAX requests or else it will error out.
>>>>
>>>> This is fixed with Horde 5.1.6/Horde_Core 2.11.0
>>>>
>>>> michael
>>>>
>>>> ___________________________________
>>>> Michael Slusarz [slusarz at horde.org]
>>>>
>>>
>>> Hi Michael,
>>>
>>> the problem still exists with Horde 5.1.5/Horde_Core 2.11.1. I would
>>> consider this a quite severe security issue. What is your schedule for
>>> the fix? Thanks in advance!
>>
>> Works fine here.
>>
>> michael
>>
>> ___________________________________
>> Michael Slusarz [slusarz at horde.org]
>>
>
> Hi Michael,
>
> for me AJAX requests still work although my IP has changed after
> authentication. This shouldn't be the case with $conf[auth][checkip]
> enabled. What could be wrong? Horde Webmail is up to date.

Can you provide an example as to which Ajax requests are still working?

-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
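To illustrate the initialization order proposed earlier in the thread (authenticated init first, an unauthenticated fallback that serves only external actions, with the checkip comparison applied to AJAX requests as well), here is an added PHP sketch that is not Horde's code; the class, function and action names and the sample IP addresses are assumptions.

```php
<?php
// Added example, not Horde's own code. It models the dispatch order proposed
// in the thread: try the authenticated initialization first and, when that
// fails, fall back to an unauthenticated mode that only serves actions
// flagged as external. All class, function and action names are hypothetical.

class AuthenticationFailure extends Exception {}

// Stand-in for $conf[auth][checkip]: a session is only valid when the client
// IP stored at login still matches the IP of the current request.
function validateSession(array $session, string $remoteIp, bool $checkIp): void
{
    if (empty($session['userId'])) {
        throw new AuthenticationFailure('no authenticated session');
    }
    if ($checkIp && $session['ip'] !== $remoteIp) {
        throw new AuthenticationFailure('session IP changed');
    }
}

// Hypothetical table of actions that may run without a session (the role
// Horde's $_external flag on a handler method plays in the real code).
const EXTERNAL_ACTIONS = ['ping' => true];

// Returns 'authenticated', 'external' or 'session_timeout' for one request.
function dispatchAjax(string $action, array $session, string $remoteIp, bool $checkIp): string
{
    try {
        validateSession($session, $remoteIp, $checkIp);
        return 'authenticated';   // any handler may run
    } catch (AuthenticationFailure $e) {
        // Unauthenticated fallback: only external actions are served; every
        // other action (such as a mailbox refresh) gets the timeout response.
        return isset(EXTERNAL_ACTIONS[$action]) ? 'external' : 'session_timeout';
    }
}

// Constructed sample: a session bound to 198.51.100.10 whose later requests
// arrive from 203.0.113.7, as after the reporter's nightly IP change.
$session = ['userId' => 'anton', 'ip' => '198.51.100.10'];
$requests = [['mailboxRefresh', '198.51.100.10'], ['mailboxRefresh', '203.0.113.7'], ['ping', '203.0.113.7']];
foreach ($requests as [$action, $ip]) {
    printf("%-15s from %-14s => %s\n", $action, $ip, dispatchAjax($action, $session, $ip, true));
}
```

With checkip enabled, the second request (same action, new IP) is the one the reporter expects to be rejected rather than served.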