HTTP BASIC AUTH + CSRF protection => failed XHR requests #4574
Comments
Thanks a lot for digging into this. Thx
I'm not really familiar with git. How should I do that? First clone
Stephane
On Mon, Aug 26, 2013 at 8:08 AM, Thomas Müller <notifications@github.com> wrote:
Did it. Thanks,
On Mon, Aug 26, 2013 at 3:13 PM, stephane martin <stef.martin@gmail.com> wrote:
Thanks. Could you send us a contributor agreement or make your change available under the MIT license? https://owncloud.org/about/contributor-agreement/
Just to be sure, a noob question: do I have to do something else so that my patch is included in ownCloud? Thanks!
@houbaastef I just reverted this pull request - you require two 👍 from two different reviewers. http://owncloud.org/code-reviews-on-github/ I'm sorry for this move but we all have to follow these rules. Please don't take any offense from this action and I kindly ask you to resubmit your pull request - THX
Any update on this? Does it still happen in 6.0.2? @houbaastef can you resubmit your PR as requested?
@josh4trunks does this relate in any way to #7852?
Looks like this one, #7852 and #8021 are trying to accomplish the same goal using different means.
I would test #8021 but I have a feeling it won't work in cases 2 and 3 above.
Exact. Regards,
I believe this can be closed, #7852 addressed this issue, along with a few other cases. |
Ok, closing. @houbaastef if you think that something has been missed, feel free to reopen. |
Hi, I just spent my night tracking down this one...
Owncloud : 5.0.10
HTTP Basic authentication (with Apache 2.4, and LDAP as backend)
Browser : not important
OS : not important
Symptoms: when I try to upload a file via the web interface in the "File app", or when I try to submit a new bookmark in the "bookmark app", the action fails with this message: "session has expired, reload the page".
I figured out that a new session is regenerated each time I request a page in ownCloud, with a different session id. Thus the requesttoken is not maintained across requests.
After a few hours of digging, I figured out that OC::tryBasicAuthLogin calls OC_User::isLoggedIn. And OC_User calls session_regenerate_id...
This behaviour is OK for the usual form login: we want the session to be reinitialized after a form login. But NOT with HTTP Basic auth!
The fix is quite trivial once you know the problem: just add two lines to tryBasicAuthLogin in lib/base.php
```php
protected static function tryBasicAuthLogin() {
    if (!isset($_SERVER["PHP_AUTH_USER"])
        || !isset($_SERVER["PHP_AUTH_PW"])
    ) {
        return false;
    }
    OC_App::loadApps(array('authentication'));
    // Added check: only run the login path (which regenerates the session id)
    // when this session is not logged in yet, so the requesttoken issued with
    // the page survives the following Basic-auth requests.
    if (!OC_User::isLoggedIn()) { // <----- HERE !!!!
        if (OC_User::login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])) {
            //OC_Log::write('core',"Logged in with HTTP Authentication", OC_Log::DEBUG);
            OC_User::unsetMagicInCookie();
            $_SERVER['HTTP_REQUESTTOKEN'] = OC_Util::callRegister();
        }
    }
    return true;
}
```
Regards,
Stephane
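The mechanism Stephane describes, as an added example that is not part of this issue or of ownCloud's code: a small model of a Basic-auth request handler whose login path rotates the session id and issues a session-bound requesttoken. With `$rotateOnEveryRequest` true, the login path runs on every request that carries Basic-auth credentials, so the token delivered with the page no longer matches on the upload XHR and the handler answers 403 with "session has expired, reload the page"; with it false, the login path runs once per session and the upload succeeds. `SessionStore`, `handleRequest` and `uploadFlow` are hypothetical names, the in-memory store stands in for PHP's session handler, and the user table is constructed.

```php
<?php
declare(strict_types=1);

// Constructed user table standing in for the LDAP backend (example only).
$USERS = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// In-memory stand-in for PHP's session handler (hypothetical class).
final class SessionStore
{
    /** @var array<string, array<string, mixed>> */
    private array $sessions = [];

    // session_start(): resume the session named by the cookie, or open a new one.
    public function start(?string $cookieId): string
    {
        if ($cookieId !== null && isset($this->sessions[$cookieId])) {
            return $cookieId;
        }
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    // session_regenerate_id(true): new id, data carried over, old id invalidated.
    public function regenerate(string $id): string
    {
        $new = bin2hex(random_bytes(16));
        $this->sessions[$new] = $this->sessions[$id];
        unset($this->sessions[$id]);
        return $new;
    }

    public function get(string $id, string $key)
    {
        return $this->sessions[$id][$key] ?? null;
    }

    public function set(string $id, string $key, $value): void
    {
        $this->sessions[$id][$key] = $value;
    }
}

// Handle one request. $req keys: cookie, auth_user, auth_pw, method, requesttoken.
// $rotateOnEveryRequest = true reproduces the bug: the login path (session id
// rotation plus a fresh CSRF token) runs on every Basic-auth request instead of
// only on the first one of the session.
function handleRequest(SessionStore $store, array $users, array $req, bool $rotateOnEveryRequest): array
{
    $sid = $store->start($req['cookie'] ?? null);

    // Basic auth: the browser resends the credentials on every request.
    if (isset($req['auth_user'], $req['auth_pw'])) {
        $alreadyLoggedIn = $store->get($sid, 'user') === $req['auth_user'];
        if ($rotateOnEveryRequest || !$alreadyLoggedIn) {
            $hash = $users[$req['auth_user']] ?? null;
            if ($hash === null || !password_verify($req['auth_pw'], $hash)) {
                return ['status' => 401, 'cookie' => $sid, 'requesttoken' => null];
            }
            // Login transition: rotate the id against session fixation and
            // issue a CSRF token bound to the new session.
            $sid = $store->regenerate($sid);
            $store->set($sid, 'user', $req['auth_user']);
            $store->set($sid, 'requesttoken', bin2hex(random_bytes(16)));
        }
    }

    if ($store->get($sid, 'user') === null) {
        return ['status' => 401, 'cookie' => $sid, 'requesttoken' => null];
    }

    // State-changing requests must carry the token the page was served with.
    if ($req['method'] !== 'GET') {
        $expected = $store->get($sid, 'requesttoken');
        $given = $req['requesttoken'] ?? '';
        if (!is_string($expected) || !hash_equals($expected, $given)) {
            return ['status' => 403, 'cookie' => $sid, 'error' => 'session has expired, reload the page'];
        }
    }
    return ['status' => 200, 'cookie' => $sid, 'requesttoken' => $store->get($sid, 'requesttoken')];
}

// One browser session: load the page, then fire the upload XHR with the cookie
// and requesttoken that page delivered. Returns the XHR's HTTP status.
function uploadFlow(array $users, bool $rotateOnEveryRequest): int
{
    $store = new SessionStore();
    $auth = ['auth_user' => 'alice', 'auth_pw' => 'correct horse'];

    $page = handleRequest($store, $users, $auth + ['cookie' => null, 'method' => 'GET'], $rotateOnEveryRequest);

    $xhr = handleRequest($store, $users, $auth + [
        'cookie' => $page['cookie'],
        'method' => 'POST',
        'requesttoken' => $page['requesttoken'],
    ], $rotateOnEveryRequest);

    return $xhr['status'];
}

printf("rotate on every request: upload -> HTTP %d\n", uploadFlow($USERS, true));
printf("rotate only on login:    upload -> HTTP %d\n", uploadFlow($USERS, false));
```

Run it with `php example.php`. The point for review is that the CSRF check itself (`hash_equals` against the session-bound token) stays exactly as strict in both variants; the fix only moves the session rotation to the real login transition, rather than relaxing or skipping the token check for Basic-auth clients, which would be the tempting but wrong way to make the "session has expired" message go away.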