[imp] Connecting from portal

Michael J Rubinsky mrubinsk at horde.org
Wed Sep 18 14:30:43 UTC 2013


Quoting Maxime Pelletier <maxime.pelletier at educsa.org>:

> Michael J Rubinsky <mrubinsk <at> horde.org> writes:
>
>> >
>> > Hi Jan,
>> >
>> > Thanks a lot for taking the time to answer my question.
>> >
>> > However, I would appreciate it if you could give me a few more details
>> > about that, or point me to some documentation.
>> >
>> > I couldn't locate the validateAuth() method. I'm not even sure if this is
>> > supposed to be at Horde or IMP level. We configured our server so that IMP
>> > provides authentication.
>>
>> It's a method exposed by the authentication object. See Horde_Auth::
>>
>> > Also, what is the right way to validate that a user is already logged in?
>>
>> Horde_Auth::validateAuth()
>>
>> > And what is the right way to log out a user?
>>
>> Horde_Registry::clearAuth()
>>
>> Jan had written a very comprehensive post regarding how authentication
>> works in Horde (Hint: it's fairly complicated). IIRC, it was written
>> for Horde 4, but the concepts are still mostly valid in Horde 5. See
>> http://janschneider.de/news/5/342
>
> Hi Michael,
>
> Thanks for your reply. I didn't remember those articles written by Jan. It
> helped me understand better the login process.
>
> However, I wanted to take a different approach which is a lot simpler. I
> added this preauthentication hook for Horde:
> =============
>     public function preauthenticate($userId, $credentials)
>     {
>         if ($GLOBALS['registry']->isAuthenticated() &&
>             $GLOBALS['registry']->getAuth() != $userId) {
>             return false;
>         }
>         return true;
>     }
> =============
>
> So if someone is already logged in, and the userId of the current
> connection is not the same as the one already logged in, then it fails.
>
> It somehow works because I get this error message in the logs when I try to
> login to Horde with a user different from the one already connected:
> =============
> HORDE: [horde] FAILED LOGIN for secondUser [11.21.111.11] to Horde [pid 21316 on line 231 of "/var/www/html/horde/login.php"]
> =============
>
> Unfortunately, it doesn't log out the user currently logged in so Horde is
> opened with the account of the first user.
>
> In short, shouldn't we expect that if preauthenticate() fails, then any
> session opened would be cleared out?

No, because it's a *pre* authenticate hook, which is designed to only  
alter the login credentials before authentication occurs. It's not  
designed to log out an already authenticated session. This is exactly  
what the above mentioned validateAuth method is for - to validate that  
the current session is still valid using whatever method makes sense  
for the authentication backend.

If you want to continue with this strategy instead of the more correct  
way of writing an authentication driver for your setup, you could try  
to manually clear the session using Horde_Registry::clearAuth() from  
within the hook. No idea offhand if this will work from the hook, or
have unintended side effects though.


-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
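
The suggestion in the reply above, sketched as an added example (not code from this thread or from the Horde project): the quoted hook with Horde_Registry::clearAuth() called when a different user presents credentials over an existing session. It assumes Horde 5 with the hook defined in the Horde_Hooks class of horde/config/hooks.php; whether clearAuth() behaves correctly when called from inside the hook is untested, as the reply notes.

```php
<?php
// Added example. Assumption: this class is horde/config/hooks.php on Horde 5.
class Horde_Hooks
{
    /**
     * Runs before authentication; returning false rejects the login attempt.
     */
    public function preauthenticate($userId, $credentials)
    {
        $registry = $GLOBALS['registry'];

        // No existing session: nothing to compare against, let login proceed.
        if (!$registry->isAuthenticated()) {
            return true;
        }

        $current = $registry->getAuth();

        // Same user re-authenticating: keep the session as it is.
        if ($current === $userId) {
            return true;
        }

        // A different user is logging in while another session exists.
        // Rejecting alone leaves the first user's session active (the
        // behaviour reported in the thread), so clear it explicitly.
        // $userId is client-supplied: keep it out of log formats that
        // interpret control characters.
        Horde::log(
            sprintf('Cleared session of %s: login attempt as %s',
                    $current, $userId),
            'NOTICE'
        );
        $registry->clearAuth();

        return false;
    }
}
```

After deploying, check that a mismatched login both produces the FAILED LOGIN log entry and leaves no usable session cookie for the first user.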