[imp] Connecting from portal

Maxime Pelletier maxime.pelletier at educsa.org
Wed Sep 18 14:04:48 UTC 2013


Michael J Rubinsky <mrubinsk <at> horde.org> writes:

> >
> > Hi Jan,
> >
> > Thanks a lot for taking the time to answer my question.
> >
> > However, I would appreciate if you could give me a little bit more details
> > about that, or point me to some documentation.
> >
> > I couldn't locate the validateAuth() method. I'm not even sure if this is
> > supposed to be at Horde or IMP level. We configured our server so that IMP
> > provides authentication.
> 
> It's a method exposed by the authentication object. See Horde_Auth::
> 
> > Also, what is the right way to validate that a user is already logged in?
> 
> Horde_Auth::validateAuth()
> 
> > And what is the right way to log out a user?
> 
> Horde_Registry::clearAuth()
> 
> Jan had written a very comprehensive post regarding how authentication  
> works in Horde (Hint: it's fairly complicated). IIRC, it was written  
> for Horde 4, but the concepts are still mostly valid in Horde 5. See  
> http://janschneider.de/news/5/342

Hi Michael,

Thanks for your reply. I didn't remember those articles written by Jan. It
helped me understand better the login process. 

However, I wanted to take a different approach which is a lot simpler. I
added this preauthentication hook for Horde:
=============
    public function preauthenticate($userId, $credentials)
    {
        // Refuse the login when a different user already holds the session.
        if ($GLOBALS['registry']->isAuthenticated() &&
            $GLOBALS['registry']->getAuth() != $userId) {
            return false;
        }
        return true;
    }
=============

So if someone is already logged in, and the userId of the current
connection is not the same as the one already logged in, then it fails.

It somehow works because I get this error message in the logs when I try to
login to Horde with a user different from the one already connected:
=============
HORDE: [horde] FAILED LOGIN for secondUser [11.21.111.11] to Horde [pid 21316 on line 231 of "/var/www/html/horde/login.php"]
=============

Unfortunately, it doesn't log out the user currently logged in so Horde is
opened with the account of the first user.

In short, shouldn't we expect that if preauthenticate() fails, then any
session opened would be cleared out?

I hope I'm clear :)

Thanks in advance for your help.

Maxime
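
An added example (not part of the original post, and not Horde code) contrasting the hook as posted with a variant that calls clearAuth() when the requested user differs from the session owner. StubRegistry and its loginAs() helper are hypothetical stand-ins for Horde_Registry; whether Horde permits clearAuth() from inside this hook is an assumption the thread does not confirm.

```php
<?php
// Hypothetical stand-in that mimics only the registry calls named in this thread.
class StubRegistry
{
    private $user = null;
    public function loginAs($userId) { $this->user = $userId; }   // stub-only helper
    public function isAuthenticated() { return $this->user !== null; }
    public function getAuth() { return $this->user === null ? false : $this->user; }
    public function clearAuth() { $this->user = null; }
}

class Example_Hooks
{
    // Hook as posted: the mismatched login is refused, the old session survives.
    public function preauthenticate($userId, $credentials)
    {
        $registry = $GLOBALS['registry'];
        if ($registry->isAuthenticated() && $registry->getAuth() != $userId) {
            return false;
        }
        return true;
    }

    // Variant: end the existing session before refusing, so the browser is not
    // left inside the first user's account after the failed login.
    public function preauthenticateClearing($userId, $credentials)
    {
        $registry = $GLOBALS['registry'];
        if ($registry->isAuthenticated() && $registry->getAuth() !== $userId) {
            $registry->clearAuth();
            return false;
        }
        return true;
    }
}

$hooks = new Example_Hooks();
foreach (array('preauthenticate', 'preauthenticateClearing') as $method) {
    $GLOBALS['registry'] = new StubRegistry();
    $GLOBALS['registry']->loginAs('firstUser');      // constructed sample state
    $accepted = $hooks->$method('secondUser', array());
    printf("%-24s accepted=%s session=%s\n", $method,
        var_export($accepted, true),
        var_export($GLOBALS['registry']->getAuth(), true));
}
```

Both hooks refuse secondUser; only the second leaves no authenticated user behind.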


