[imp] Connecting from portal
Michael M Slusarz
slusarz at horde.org
Wed Sep 18 14:39:01 UTC 2013
Quoting Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting Maxime Pelletier <maxime.pelletier at educsa.org>:
>
>> Michael J Rubinsky <mrubinsk <at> horde.org> writes:
>>
>>>>
>>>> Hi Jan,
>>>>
>>>> Thanks a lot for taking the time to answer my question.
>>>>
>>>> However, I would appreciate if you could give me a little bit more details
>>>> about that, or point me to some documentation.
>>>>
>>>> I couldn't locate the validateAuth() method. I'm not even sure if this is
>>>> supposed to be at Horde or IMP level. We configured our server so that IMP
>>>> provides authentication.
>>>
>>> It's a method exposed by the authentication object. See Horde_Auth::
>>>
>>>> Also, what is the right way to validate that a user is already logged in?
>>>
>>> Horde_Auth::validateAuth()
>>>
>>>> And what is the right way to log out a user?
>>>
>>> Horde_Registry::clearAuth()
>>>
>>> Jan had written a very comprehensive post regarding how authentication
>>> works in Horde (Hint: it's fairly complicated). IIRC, it was written
>>> for Horde 4, but the concepts are still mostly valid in Horde 5. See
>>> http://janschneider.de/news/5/342
>>
>> Hi Michael,
>>
>> Thanks for your reply. I didn't remember those articles written by Jan. It
>> helped me understand better the login process.
>>
>> However, I wanted to take a different approach which is a lot simpler. I
>> added this preauthentication hook for Horde:
>> =============
>> public function preauthenticate($userId, $credentials)
>> {
>>     if ( $GLOBALS['registry']->isAuthenticated() &&
>>          $GLOBALS['registry']->getAuth() != $userId ) {
>>         return false;
>>     }
>>     return true;
>> }
>> =============
>>
>> So if someone is already logged in, and that the userId of the current
>> connection is not the same as the one already logged in, then it fails.
>>
>> It somehow works because I get this error message in the logs when I try to
>> login to Horde with a user different from the one already connected:
>> =============
>> HORDE: [horde] FAILED LOGIN for secondUser [11.21.111.11] to Horde [pid
>> 21316 on line 231 of "/var/www/html/horde/login.php"]
>> =============
>>
>> Unfortunately, it doesn't log out the user currently logged in so Horde is
>> opened with the account of the first user.
>>
>> In short, shouldn't we expect that if preauthenticate() fails, then any
>> session opened would be cleared out?
>
> No, because it's a *pre* authenticate hook, which is designed to
> only alter the login credentials before authentication occurs. It's
> not designed to log out an already authenticated session. This is
> exactly what the above mentioned validateAuth method is for - to
> validate that the current session is still valid using whatever
> method makes sense for the authentication backend.
>
> If you want to continue with this strategy instead of the more
> correct way of writing an authentication driver for your setup, you
> could try to manually clear the session using
> Horde_Registry::clearAuth() from within the hook.

You *really* need to be implementing a custom authentication driver
for this setup.

michael
___________________________________
Michael Slusarz [slusarz at horde.org]
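
Added example, not part of the original thread and not Horde code: a stand-alone simulation of the behaviour discussed above, where a preauthenticate hook that only returns false leaves the first user's session in place, next to the variant that calls clearAuth() first. `StubRegistry` and its `login()` method are constructed stand-ins for the registry; only `isAuthenticated()`, `getAuth()` and `clearAuth()` are names taken from the thread.

```php
<?php
// Constructed stub standing in for the registry calls named in the thread,
// so the example runs without Horde installed. It is not Horde's class.
final class StubRegistry
{
    private $user = null;

    public function login($userId) { $this->user = $userId; } // hypothetical helper
    public function isAuthenticated() { return $this->user !== null; }
    public function getAuth() { return $this->user; }
    public function clearAuth() { $this->user = null; }
}

// The hook as posted: a user mismatch fails the login attempt,
// but the existing session is left untouched.
function preauthAsPosted($registry, $userId)
{
    if ($registry->isAuthenticated() && $registry->getAuth() != $userId) {
        return false;
    }
    return true;
}

// The variant suggested in the reply: clear the existing session
// from within the hook before failing the login attempt.
function preauthClearing($registry, $userId)
{
    if ($registry->isAuthenticated() && $registry->getAuth() != $userId) {
        $registry->clearAuth();
        return false;
    }
    return true;
}

// Constructed scenario: firstUser holds the session, then the portal
// presents secondUser in the same browser.
foreach (array('preauthAsPosted', 'preauthClearing') as $hook) {
    $registry = new StubRegistry();
    $registry->login('firstUser');
    $accepted = $hook($registry, 'secondUser');
    printf(
        "%-16s login=%s session=%s\n",
        $hook,
        $accepted ? 'accepted' : 'failed',
        $registry->isAuthenticated() ? $registry->getAuth() : '(none)'
    );
}
```

With the posted hook the login fails but the session still belongs to firstUser, which is the state in which the portal opens the wrong account; the stub does not model anything else a real authentication driver's validateAuth() would check.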