HTTP BASIC AUTH + CSRF protection => failed XHR requests #4574
Comments
|
Thanks a lot for digging into this. Thx |
|
Im not really familiar with git. How should i do that ? First clone Stephane On Mon, Aug 26, 2013 at 8:08 AM, Thomas Müller notifications@github.comwrote:
|
|
Did it. Thanks, On Mon, Aug 26, 2013 at 3:13 PM, stephane martin stef.martin@gmail.comwrote:
|
|
Thanks. Could you send us a contributor agreement or make you change available under the MIT license? https://owncloud.org/about/contributor-agreement/ |
|
Just to be sure, a noob question : do i have to do something else so that my patch is included in owncloud ? Thanks! |
|
@houbaastef I just reverted this pull request - you require two 👍 from two different reviewers. http://owncloud.org/code-reviews-on-github/ I'm sorry for this move but we all have to follow these rules. Please don't take any offense from this action and I kindly ask you to resubmit your pull request - THX |
|
Any update on this ? Does it still happen in 6.0.2 ? @houbaastef can you resubmit your PR as requested ? |
|
@josh4trunks does this relate in any way to #7852 ? |
|
Look s like this one, #7852 and #8021 are trying to accomplish the same goal using different means. |
I would test #8021 but I have a feeling it wont work in case 2 and 3 above. |
|
Exact. Regards,
|
|
I believe this can be closed, #7852 addressed this issue, along with a few other cases. |
|
Ok, closing. @houbaastef if you think that something has been missed, feel free to reopen. |
Hi, i just spent my night tracking down this one...
Owncloud : 5.0.10
HTTP Basic authentication (with Apache 2.4, and LDAP as backend)
Browser : not important
OS : not important
Symptoms : when i try to upload file with web interface in "File app", or when i try to submit a new bookmark in "bookmark app", action fails with this message : "session has expired, reload the page".
I figured out that a new session is regenerated each time i request a page in owncloud, with a different session id. Thus requesttoken is not maintained through different requests.
After a few hours of digging, i figured that OC::tryBasicAuthLogin calls OC_User::isLoggedIn. And OC_User calls session_regenerate_id...
This behaviour is OK for usual form login : we want session to be reinitialized after form login. But NOT with HTTP basic auth !
Fix is quite trivial when you know the problem: just add two lines to tryBasicAuthLogin in lib/base.php
protected static function tryBasicAuthLogin() {
if (!isset($_SERVER["PHP_AUTH_USER"])
|| !isset($_SERVER["PHP_AUTH_PW"])
) {
return false;
}
OC_App::loadApps(array('authentication'));
if (!OC_User::isLoggedIn()) { <----- HERE !!!!
if (OC_User::login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])) {
//OC_Log::write('core',"Logged in with HTTP Authentication", OC_Log::DEBUG);
OC_User::unsetMagicInCookie();
$_SERVER['HTTP_REQUESTTOKEN'] = OC_Util::callRegister();
}
}
return true;
}
Regards,
Stephane
The text was updated successfully, but these errors were encountered: