[imp] Creating an SSL-based authentication mechanism in a virtualhost environment

Issac Goldstand margol at beamartyr.net
Wed Oct 29 05:12:23 PST 2003


OK.  I've gotten the redirects and login working, but it's still acting a
bit strange.  I'm sure someone who understands the IMP authentication engine
a bit better than myself will probably know what I'm still doing wrong...
Anyways, I'm now passing the original server and the auto-detected
virtualdomain to the secured server which runs redirect.php and bounces back
to the original server.

I use Horde::url($url,0,1) frequently to assure that I have a session-ified
URL at all times during the redirect process (So that I don't end up
authenticating and losing my session).

However, something strange happens: the login screen says Welcome
user at virtualdomain.com but then prompts login to mail and imapd gives login
failed messages.  It seems that inside redirect.php, it correctly processes
the login credentials, but then the rest of the application mangles the
credentials.

Also, if I hit the logout button, I get the "You have been logged out"
screen, but the session persists: if I hit reload, I'll get the "Welcome"
screen with the "Log in to mail" again.

I'm really not sure how the sessions work internally and reading the source
is starting to become more confusing than helpful.  Could someone who knows
the API *please* help?

Thanks!
  Issac

----- Original Message ----- 
From: "Jan Schneider" <jan at horde.org>
To: <imp at lists.horde.org>
Sent: Thursday, October 23, 2003 5:41 PM
Subject: Re: [imp] Creating an SSL-based authentication mechanism in
a virtualhost environment


> Quoting Issac Goldstand <margol at beamartyr.net>:
>
> > Hi,
> >   I'm trying to make a very dynamic Horde/IMP setup where I use a single IP
> > to mass-virtualhost multiple domains (like webmail.domain1.com,
> > webmail.domain2.com, etc) all from one Horde installation.  I've
> > successfully gotten the dynamics of that to work (by using the neat
> > imp_get__vinfo function in servers.php - which isn't completely secure, as
> > anyone can just send to the IP address with a forged Host: header, although
> > I hope to plug that hole by doing a DNS lookup to verify that the Host:
> > header resolves to the correct IP address from the server, but that's
> > getting a bit off topic).  Anyway, now I'm trying to patch the login pages
> > so that it works like this:
> >
> > http://webmail.domain.com/imp/login.php
> >  |
> > \ /
> > https://secure.mydomain.com/horde/imp/redirect.php?session+other+junk+here
> >  |
> > \ /
> > http://webmail.domain.com/imp/mailbox.php (or whatever URL it ought to go to)
> >
> > The easy part was patching the templates/login/login.inc file as such:
> >
> > <form action="<?php echo preg_replace('^/imp/^','',Horde::applicationUrl('https://secure.xxx.com/horde/imp/redirect.php',0,1),1) ?>" method="post" name="implogin">
> >
> > So that's step one.  Step two is processing the redirect, which is a bit
> > trickier because there are a LOT more places to intercept.  The general idea
> > I had was to process the HTTP_REFERER environment variable at the VERY
> > beginning as so:
> >
> > $refserver=preg_replace('^imp/.*^','',getenv('HTTP_REFERER'));
> >
> > and then, every time we spit out a URL, modify it something like:
> > preg_replace('^https?://.+?/^',$refserver,Horde::applicationUrl($url, true),1);
> > (the s? being just in case there's ever a customer who wants to pay for his
> > own SSL-enabled webmail.)
> > [NOTE: for this to work, enable_ssl in horde.php MUST be set to 0, and that
> > might just mess up the HTTPS logic I just went out of my way to create, but
> > let's take this one step at a time]
>
> Not sure if this will work, because the referer might not be passed by the
> browser. I'd instead send the original domain as a parameter (better:
> hidden input field) to redirect.php. There you can store that domain in the
> session and you'll have it available until the user logs out.
>
> > But I'm getting some very tricky errors, like:
> > [client xxx.xxx.xxx.xxx] PHP Notice:  (null)(): No such host as
> > mail.secure.mydomain.com (errflg=2) in Unknown on line 0, referer:
> > http://webmail.domain1.com/imp/login.php?url=http%3A%2F%2Fwebmail.domain1.com%2Flogin.php
> >
> > Now how the heck am I supposed to even *start* tracing that?!?
>
> That's IMP trying to contact your IMAP server. I guess you also do some
> fancy redirecting to the correct IMAP server, there is probably an error
> buried.
>
> Jan.
>
> --
> http://www.horde.org - The Horde Project
> http://www.ammma.de - discover your knowledge
> http://www.tip4all.de - Your private betting pool
>
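
The quoted reply suggests sending the original domain to redirect.php as a hidden input field and keeping it in the session; like the forged Host: header mentioned in the original post, that field is client-supplied and needs checking before it is used to build a redirect. The following is an added example, not part of the thread and not Horde/IMP code: the field name `origin_host`, the allowlist of virtual hosts and both helper functions are assumptions.

```php
<?php
// Added example, not Horde/IMP code. The 'origin_host' field name, the
// allowlist and both helper functions are assumptions for illustration.

// Constructed allowlist: the virtual hosts this installation serves.
$allowedHosts = ['webmail.domain1.com', 'webmail.domain2.com'];

// Return the normalized host on an exact allowlist match, otherwise null.
function validate_origin_host($submitted, array $allowedHosts)
{
    if (!is_string($submitted)) {
        return null;
    }
    $host = strtolower(trim($submitted));
    // Bare hostname only: no scheme, port, path or userinfo.
    if (!preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/', $host)) {
        return null;
    }
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Build the post-login URL from the validated host and a local path.
function build_return_url($host, $path)
{
    // Accept only an absolute local path; "//host/..." would leave the site.
    if (!is_string($path) || !preg_match('#^/(?!/)[A-Za-z0-9._~/-]*\z#', $path)) {
        $path = '/imp/mailbox.php';
    }
    return 'http://' . $host . $path;
}

// Constructed sample submissions, as redirect.php might receive them.
$samples = [
    ['origin_host' => 'webmail.domain1.com', 'path' => '/imp/mailbox.php'],
    ['origin_host' => 'other.example',       'path' => '/imp/mailbox.php'],
    ['origin_host' => 'webmail.domain2.com', 'path' => '//other.example/x'],
];
foreach ($samples as $post) {
    $host = validate_origin_host($post['origin_host'], $allowedHosts);
    if ($host === null) {
        echo "rejected host: {$post['origin_host']}\n";
        continue;
    }
    // In redirect.php the validated value would be stored in the session
    // here, e.g. $_SESSION['origin_host'] = $host; (assumed key name).
    echo build_return_url($host, $post['path']), "\n";
}
```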


