krb_authenticate: logout/session expiry shows login screen #6309

Open
vuori opened this issue May 27, 2018 · 1 comment
vuori commented May 27, 2018

When using the krb_authenticate plugin and the user either clicks "logout" or their Roundcube session expires, they are shown the login screen. Apparently the old session hasn't been cleaned up yet when the plugin's startup hook is called?

I don't think there is a case when showing the login screen to a GSSAPI/Kerberos user is useful, since the user is effectively permanently "logged in" with HTTP authentication. I'm currently using the following hack as a workaround (basically, redirect back to the current page to make krb_authenticate notice that the session is gone), but is there a cleaner way to do this?

--- roundcubemail-1.3.6/plugins/krb_authentication/krb_authentication.php       2018-04-11 14:13:46.000000000 +0300
+++ krb_authentication.php      2018-05-27 16:26:03.938956008 +0300
@@ -24,6 +24,7 @@
         $this->add_hook('authenticate', array($this, 'authenticate'));
         $this->add_hook('login_after', array($this, 'login'));
         $this->add_hook('storage_connect', array($this, 'storage_connect'));
+        $this->add_hook('logout_after', array($this, 'logout_after'));
     }

     /**
@@ -104,6 +105,21 @@
             exit;
         }

+        return $args;
+    }
+
+    /**
+     * logout_after hook handler
+     * If the user seems to have valid Kerberos credentials, redirect
+     * to current page to invoke the startup hook.
+     */
+    function logout_after($args)
+    {
+        if (!empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
+            header('Location: ./');
+            exit;
+        }
+
         return $args;
     }
 }
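Review bot: the `!empty($_SERVER['KRB5CCNAME'])` test in `logout_after()` means the redirect silently does nothing on deployments where the web server authenticates with GSSAPI but does not delegate credentials, because mod_auth_gssapi/mod_auth_kerb only export `KRB5CCNAME` when delegation is enabled; if the intent is to mirror the condition the plugin's startup hook uses, move that condition into one helper that both hooks call so the two cannot drift, and document that the plugin then requires delegation. Second, `header('Location: ./'); exit;` fires on every logout with no configuration switch, so the Logout button becomes a permanent no-op with nothing telling the user why; gate the redirect on a plugin config option, and add `Cache-Control: no-store` before the `Location` header so the redirect response is not cached by the browser.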
@alecpl alecpl added this to the later milestone May 29, 2018
alecpl (Member) commented Jul 17, 2021

This is the same for every HTTP authentication plugin. So, there are topics to consider and eventually implement in all of them.

  1. Should login via the logon form be possible at all (maybe as an option)?
  2. Should we remove the possibility to log out (hide the Logout button)?
  3. Should we redirect to a (configured) external page on logout/session expiry?
  4. Should we, on logout/session expiry, just display a simple page explaining what happened and something like "Please refresh the page now"?
  5. Should we force an HTTP password prompt (with a 401 code) if the user is not yet HTTP-authenticated?

We can't really prevent a session from expiring, and automatically refreshing the page and/or re-creating the session is not a viable solution, imo. And I understand that different people may have different answers to the questions above. This is not making this easy.

Similar to this are single-sign-on plugins, so it might be good to investigate what e.g. OpenID/OAuth2 standards recommend for these topics.

Related: #5067, #6701.
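
The redirect workaround in the opening post and options 3 and 4 from the list above, combined into one added example. This is not Roundcube's code nor the krb_authentication plugin's: it is a hypothetical plugin named `http_auth_logout`, and its config keys (`http_auth_logout_action`, `http_auth_logout_url`, `http_auth_require_delegation`) are invented for the example. It uses only the real Roundcube plugin API (`rcube_plugin`, `add_hook('logout_after', ...)`, `load_config()`, `rcmail::get_instance()->config->get()`). The decision is kept in a pure static method so the policy can be exercised with a constructed `$_SERVER` array, and the `KRB5CCNAME` requirement is made optional because that variable is only exported when credential delegation is enabled.

```php
<?php
// Added example, not Roundcube's or the krb_authentication plugin's code.
// Hypothetical plugin "http_auth_logout": decides what an HTTP-authenticated
// user (Kerberos/GSSAPI or any other web-server authentication) gets back when
// Roundcube runs the 'logout_after' hook, instead of the login form.
//
// Assumed keys in plugins/http_auth_logout/config.inc.php (all invented):
//   $config['http_auth_logout_action']      = 'message';  // login|redirect|message
//   $config['http_auth_logout_url']         = 'https://sso.example.org/logout';  // for 'redirect'
//   $config['http_auth_require_delegation'] = false;      // also demand KRB5CCNAME

class http_auth_logout extends rcube_plugin
{
    private $rc;

    function init()
    {
        $this->rc = rcmail::get_instance();
        $this->load_config();
        $this->add_hook('logout_after', array($this, 'logout_after'));
    }

    // True when the web server already authenticated this request. KRB5CCNAME is
    // only exported by mod_auth_gssapi/mod_auth_kerb when credential delegation
    // is enabled, so it is required only if the deployment says so.
    public static function http_authenticated(array $server, $require_delegation)
    {
        if (empty($server['REMOTE_USER'])) {
            return false;
        }
        return !$require_delegation || !empty($server['KRB5CCNAME']);
    }

    // Pure decision: returns array(status, headers[], body) to send, or null to
    // let Roundcube continue to its own login form. No globals, so it can be
    // tested with a constructed $server array.
    public static function decide($action, $url, array $server, $require_delegation)
    {
        if (!self::http_authenticated($server, $require_delegation)) {
            return null;  // plain form login: nothing to override
        }

        switch ($action) {
        case 'redirect':
            // Option 3: hand off to an external (e.g. SSO) logout page. Accept
            // only absolute http(s) targets so a typo in the config cannot turn
            // this into a relative or javascript: redirect.
            if (!preg_match('#^https?://#i', (string) $url)) {
                return null;
            }
            return array(303, array('Location: ' . $url), '');

        case 'message':
            // Option 4: explain that single sign-on still identifies the user.
            $user = htmlspecialchars($server['REMOTE_USER'], ENT_QUOTES, 'UTF-8');
            $body = '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Signed out</title></head>'
                  . '<body><p>Your webmail session has ended, but single sign-on still identifies you as '
                  . $user . '. Reload this page to start a new session, or close the browser to sign out completely.</p>'
                  . '<p><a href="./">Reload</a></p></body></html>';
            return array(200, array('Content-Type: text/html; charset=UTF-8'), $body);

        default:
            return null;  // 'login' (or unknown value): fall through to the login form
        }
    }

    function logout_after($args)
    {
        $resp = self::decide(
            $this->rc->config->get('http_auth_logout_action', 'login'),
            $this->rc->config->get('http_auth_logout_url'),
            $_SERVER,
            (bool) $this->rc->config->get('http_auth_require_delegation', false)
        );
        if ($resp === null) {
            return $args;
        }
        list($status, $headers, $body) = $resp;
        // Status first: PHP forces 302 on a Location header unless a 3xx is already set.
        http_response_code($status);
        header('Cache-Control: no-store');
        foreach ($headers as $h) {
            header($h);
        }
        echo $body;
        exit;
    }
}
```

Option 5 (a 401 challenge for users who are not yet HTTP-authenticated) is deliberately not in this hook: by the time `logout_after` runs, the logout request itself was already authenticated by the web server, and a challenge only makes sense earlier, in a startup hook, and only if the server lets anonymous requests reach PHP at all.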
