1388203 - Reuse HTTP authentication for login- PATCH_V2

Black.myst black.myst at free.fr
Thu Dec 21 22:18:59 CET 2006


Brennan Stehling wrote:
> This looks very useful.  Does it also work with Digest Authentication?
No.

I didn't know Digest Authentication... But Google is my friend:
  - http://www.peej.co.uk/projects/phphttpdigest.html
  - http://en.wikipedia.org/wiki/Digest_access_authentication

I don't understand all the code (link #1), but there is no moment where 
the password is known by the PHP code. With only a hashed password, we 
can't log in to the IMAP or SMTP server.

RoundCube doesn't need to authenticate the user; RoundCube needs the 
user/password to connect to the IMAP and SMTP servers.
Currently, I don't see how to get the user/password with Digest 
Authentication, and I'm not sure that it's possible...

If you have an idea for how to get the password, I will try to implement it.


Note:
Currently, I use a new boolean config 'http_authent', but it would 
perhaps be preferable to choose something more open, like:
    $rcmail_config['autologin'] = none / http_authent / ...
or $rcmail_config['logintype'] = login_page / http_authent / ...
It is more extensible.
What do you think about it?

Black Myst.

> 
> Brennan
> 
> On Thu, 21 Dec 2006 17:45:32 +0100, "Black.myst" <black.myst at free.fr> wrote:
>> Hello,
>>
>> There was a bug in my patch :-(
>> When a session expires, the login page is displayed...
>>
>>
>> I fixed it by adding code to log in the user after session expiration. 
>> Like this:
>> --------------------------------------------------------------
>> else if ($_action!='login' && $_SESSION['user_id'])
>>    {
>>    if (!rcmail_authenticate_session() ||
>>        (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) &&
>>         $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
>>      {
>>      $message = show_message('sessionerror', 'error');
>>      rcmail_kill_session();
>>
>>      // ******** my new code : ********
>>      if ($CONFIG['http_authent'] && isset($_SERVER["PHP_AUTH_USER"]) &&
>>          isset($_SERVER["PHP_AUTH_PW"]))
>>        { // With HTTP_authent, we can relog the user
>>        rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"],
>>                rcmail_autoselect_host());
>>        }
>>      }
>>      // ******** end of my code *************
>>    }
>> --------------------------------------------------------------
>>
>>
>> I have attached the new version of my patch.
>>
>> Black Myst
>>
>> Black.myst wrote:
>>> Hello,
>>>
>>> I try to find an issue for bug 1388203 
>>> (http://trac.roundcube.net/trac.cgi/ticket/1388203)
>>>
>>>
>>> Diff explanation:
>>>   - config/main.inc.php.dist : Add new configuration boolean 
>>> 'http_authent'.
>>>    False : use the standard login page. (default)
>>>    True : use $_SERVER["PHP_AUTH_USER"] to log the user in.
>>>
>>>   - skins/default/includes/taskbar.html : Add a <roundcube:if> to remove
>>> the logout button when http_authent is used
>>>
>>>   - program/include/main.inc : Fix <roundcube:include> to parse 
>>> <roundcube:if> in an included file. (Otherwise my <roundcube:if> in
>>> taskbar.html does not work!)
>>>
>>>   - index.php : Add code to allow http authent.
>>>
>>>   - program/steps/error.inc : Add "Allow cookies" to the browser
>>> requirements page. (I display this page (409) if the user disables
>>> cookies with http_authent)
>>>
>>>
>>> Black Myst
>>>
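
The difference between Basic and Digest credentials discussed in the reply above, as an added example that is not part of the original thread or of RoundCube's code: a Basic header decodes to the user's password, while a Digest header carries only an MD5 response (RFC 2617, qop=auth) that the server checks against a stored HA1. It is written in Python rather than PHP; the function names and all sample values (user, realm, password, nonce) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_basic(header):
    """Basic: the header is base64("user:password"), so the server recovers both."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, sep, password = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password

def parse_digest(header):
    """Digest: return the key=value fields; none of them is the password."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(ha1, method, f):
    """RFC 2617 response for qop=auth, where HA1 = MD5(user:realm:password)."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")

def verify_digest(header, method, stored_ha1):
    """Server-side check: needs only the stored HA1, never the clear password."""
    f = parse_digest(header)
    return hmac.compare_digest(digest_response(stored_ha1, method, f), f["response"])

# Constructed sample values (not from the thread).
USER, REALM, PASSWORD = "alice", "webmail", "s3cret-imap-pw"
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
BASIC = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
FIELDS = {"uri": "/index.php", "nonce": "c0ffee0123", "nc": "00000001",
          "cnonce": "0a4f113b", "qop": "auth"}
DIGEST = ('Digest username="{u}", realm="{r}", nonce="{nonce}", uri="{uri}", qop={qop}, '
          'nc={nc}, cnonce="{cnonce}", response="{resp}"').format(
              u=USER, r=REALM, resp=digest_response(HA1, "GET", FIELDS), **FIELDS)

if __name__ == "__main__":
    print(parse_basic(BASIC))                 # user and password, usable for an IMAP login
    print(verify_digest(DIGEST, "GET", HA1))  # user verified, but no password to forward
```

With Digest, the web layer can confirm who the user is, but it holds nothing it could present to an IMAP or SMTP server that expects the clear password.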
