When using the krb_authenticate plugin and the user either clicks "logout" or their Roundcube session expires, they are shown the login screen. Apparently the old session hasn't been cleaned up yet when the plugin's startup hook is called?
I don't think there is a case when showing the login screen to a GSSAPI/Kerberos user is useful, since the user is effectively permanently "logged in" with HTTP authentication. I'm currently using the following hack as a workaround (basically, redirect back to the current page to make krb_authenticate notice that the session is gone), but is there a cleaner way to do this?
--- roundcubemail-1.3.6/plugins/krb_authentication/krb_authentication.php 2018-04-11 14:13:46.000000000 +0300
+++ krb_authentication.php 2018-05-27 16:26:03.938956008 +0300
@@ -24,6 +24,7 @@
$this->add_hook('authenticate', array($this, 'authenticate'));
$this->add_hook('login_after', array($this, 'login'));
$this->add_hook('storage_connect', array($this, 'storage_connect'));
+ $this->add_hook('logout_after', array($this, 'logout_after'));
}
/**
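Review bot: registering only `logout_after` covers the explicit Logout click but not the session-expiry case the report also describes, since an expired session never passes through the logout path; if both cases are meant to be handled, the check belongs where the login form is about to be rendered (the `startup` hook path the report mentions) rather than solely in this new hook.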
@@ -104,6 +105,21 @@
exit;
}
+ return $args;
+ }
+
+ /**
+ * logout_after hook handler
+ * If the user seems to have valid Kerberos credentials, redirect
+ * to current page to invoke the startup hook.
+ */
+ function logout_after($args)
+ {
+ if (!empty($_SERVER['REMOTE_USER']) && !empty($_SERVER['KRB5CCNAME'])) {
+ header('Location: ./');
+ exit;
+ }
+
return $args;
}
}
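Review bot: `header('Location: ./')` followed by `exit` has no loop guard: if the web server populates `REMOTE_USER` and `KRB5CCNAME` but the plugin's own authentication later fails for that user, every logout redirects straight back into the same failure, and the `exit` also prevents any other `logout_after` handler from running because `return $args;` is never reached. The docblock says "redirect to current page" while the code redirects to `./` (the application root), so one of the two should be corrected; consider carrying a marker (for example a query parameter checked before redirecting) so that a second pass falls through to `return $args;` instead of redirecting again.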
This is the same for every HTTP authentication plugin. So, there are topics to consider and eventually implement in all of them.
Should login via the logon form be possible at all (maybe as an option)?
Should we remove the possibility to log out (hide the Logout button)?
Should we redirect to a (configured) external page on logout/session expiry?
Should we, on logout/session expiry, just display a simple page explaining what happened and something like "Please refresh the page now"?
Should we force an HTTP password prompt (with a 401 code) if the user is not yet HTTP-authenticated?
We can't really prevent a session from expiring, and automatically refreshing the page and/or re-creating the session is not a viable solution, imo. And I understand that different people may have a different answer to the questions above. This is not making this easy.
Similar to this are single-sign-on plugins, so it might be good to investigate what e.g. OpenID/OAuth2 standards recommend for these topics.
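As an added example (not code from the Roundcube project or from this issue's patch), the plain-PHP sketch below shows how two of the options listed above, the explanatory page and the 401 prompt for clients that are not yet HTTP-authenticated, could be answered from a `logout_after` handler without an unconditional redirect. The function names `krb_logout_response` and `krb_logout_after` and the `$server` parameter are assumptions; `REMOTE_USER` and `KRB5CCNAME` are the server variables the issue itself uses.

```php
<?php
// Added example, not from the Roundcube project or the issue's patch.
// Assumptions: REMOTE_USER / KRB5CCNAME are set by the web server as in the issue;
// krb_logout_response, krb_logout_after and $server are hypothetical names.

/**
 * Decide what to answer once the Roundcube session is gone.
 * Returns ['status' => int, 'headers' => string[], 'body' => string],
 * or null when the handler should just return $args and let Roundcube continue.
 * Pure function over a $_SERVER-like array so it can be exercised offline.
 */
function krb_logout_response(array $server): ?array
{
    $remote_user = $server['REMOTE_USER'] ?? '';
    $krb_cache   = $server['KRB5CCNAME'] ?? '';

    // No HTTP-layer identity at all: challenge the client instead of showing
    // a login form it cannot use (the "401 prompt" option from the discussion).
    if ($remote_user === '') {
        return [
            'status'  => 401,
            'headers' => ['WWW-Authenticate: Negotiate'],
            'body'    => 'Kerberos authentication required.',
        ];
    }

    // Identity present but no credential cache: nothing this plugin can do,
    // so fall through to Roundcube's normal logout handling.
    if ($krb_cache === '') {
        return null;
    }

    // Authenticated at the HTTP layer: explain what happened and let the user
    // reload (the "simple page" option). The user name is escaped before it is
    // echoed into HTML.
    $user = htmlspecialchars($remote_user, ENT_QUOTES, 'UTF-8');
    return [
        'status'  => 200,
        'headers' => ['Content-Type: text/html; charset=utf-8', 'Cache-Control: no-store'],
        'body'    => "<p>Your webmail session for {$user} has ended. "
                   . "Please refresh the page to start a new one.</p>",
    ];
}

/** Hook-style wrapper with the same shape as the handler in the patch. */
function krb_logout_after(array $args): array
{
    $resp = krb_logout_response($_SERVER);
    if ($resp === null) {
        return $args;   // let any other logout_after handlers run
    }
    http_response_code($resp['status']);
    foreach ($resp['headers'] as $h) {
        header($h);
    }
    echo $resp['body'];
    exit;
}
```

Keeping the decision in a pure function makes the three outcomes (challenge, explanatory page, fall-through) easy to check without a web server, and the fall-through branch is what avoids the redirect loop that an unconditional `Location: ./` can produce.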