1388203 - Reuse HTTP authentication for login-PATCH_V2

Brennan Stehling brennan at offwhite.net
Thu Dec 21 22:26:52 CET 2006


I suppose you could make this a layered approach where you use the HTTP authentication to control access and get the username.  But then you save the password for that user as a preference.

Another option is to use InfoCards.  Here is a very interesting use of it.

https://www.identityblog.com/wp-login.php

That is a PHP blog (WordPress) but it allows InfoCard for logging into the system.  There is an extension for Firefox and Safari.  There is a native feature for Windows called CardSpace which is included in Vista and MSIE 7.  An InfoCard can securely hold the IMAP username and password.

Brennan

On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" <black.myst at free.fr> wrote:
> Brennan Stehling wrote:
>> This looks very useful.  Does it also work with Digest Authentication?
> No.
> 
> I didn't know Digest Authentication... But Google is my friend:
>   - http://www.peej.co.uk/projects/phphttpdigest.html
>   - http://en.wikipedia.org/wiki/Digest_access_authentication
> 
> I don't understand all the code (link #1), but there is no moment where
> the password is known to the PHP code. With only a hashed password, we can't
> log in to the IMAP or SMTP server.
> 
> RoundCube doesn't need to authenticate the user; RoundCube needs the
> user/password to connect to the IMAP and SMTP server.
> Currently, I don't see how to get the user/password with Digest Authentication
> and I'm not sure that it's possible...
> 
> If you have an idea how to get the password, I will try to implement it.
> 
> 
> Note:
> Currently, I use a new boolean config 'http_authent', but it would
> perhaps be preferable to choose something more open like:
>     $rcmail_config['autologin'] = none / http_authent / ...
> or $rcmail_config['logintype'] = login_page / http_authent / ...
> It is more extensible.
> What do you think about it?
> 
> Black Myst.
> 
>>
>> Brennan
>>
>> On Thu, 21 Dec 2006 17:45:32 +0100, "Black.myst" <black.myst at free.fr>
> wrote:
>>> Hello,
>>>
>>> There was a bug in my patch :-(
>>> When a session expired, the login page was displayed...
>>>
>>>
>>> I fixed it by adding code to log in the user after session expiration.
>>> Like this:
>>> --------------------------------------------------------------
>>> else if ($_action!='login' && $_SESSION['user_id'])
>>>   {
>>>   if (!rcmail_authenticate_session() ||
>>>       (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) &&
>>>        $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
>>>     {
>>>     $message = show_message('sessionerror', 'error');
>>>     rcmail_kill_session();
>>>
>>>     // ******** my new code : ********
>>>     if ($CONFIG['http_authent'] && isset($_SERVER["PHP_AUTH_USER"]) &&
>>>         isset($_SERVER["PHP_AUTH_PW"]))
>>>       { // With HTTP_authent, we can relog the user
>>>       rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"],
>>>                    rcmail_autoselect_host());
>>>       }
>>>     }
>>>     // ******** end of my code *************
>>>   }
>>> --------------------------------------------------------------
>>>
>>>
>>> I attached the new version of my patch.
>>>
>>> Black Myst
>>>
>>> Black.myst wrote:
>>>> Hello,
>>>>
>>>> I tried to find a solution for bug 1388203
>>>> (http://trac.roundcube.net/trac.cgi/ticket/1388203)
>>>>
>>>>
>>>> Diff explanation:
>>>>   - config/main.inc.php.dist : Add new configuration boolean
>>>> 'http_authent'.
>>>>    False : use the standard login page. (default)
>>>>    True : use $_SERVER["PHP_AUTH_USER"] to log in the user.
>>>>
>>>>   - skins/default/includes/taskbar.html : Add a <roundcube:if> to
>>>> remove the logout button when http_authent is used
>>>>
>>>>   - program/include/main.inc : Fix <roundcube:include> to parse
>>>> <roundcube:if> in the included file. (Otherwise my <roundcube:if> in
>>>> taskbar.html doesn't work!)
>>>>
>>>>   - index.php : Add code to allow HTTP authent.
>>>>
>>>>   - program/steps/error.inc : Add "Allow cookies" to the browser
>>>> requirement page. (I display this page (409) if the user disables
>>>> cookies with http_authent.)
>>>>
>>>>
>>>> Black Myst
>>>>
-- 
Brennan Stehling
Offwhite.net LLC
brennan at offwhite.net
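The thread's central technical point is that Basic authentication hands the web application the plaintext password (which is why PHP can expose it as PHP_AUTH_PW and reuse it for IMAP), whereas Digest authentication only ever transmits a hash, so the server can verify a client while storing nothing but HA1 and never learns the password. The following is an added illustration, not code from the thread or from Roundcube: it builds both header forms for constructed sample credentials (user "alice", realm "Roundcube", a made-up nonce) and checks what each side can recover. The parameter names follow RFC 2617; the helper names are my own.

```python
import base64
import hashlib
import re

# Constructed sample values; none of these come from the thread.
REALM = "Roundcube"
USER = "alice"
PASSWORD = "s3cret"


def md5_hex(s: str) -> str:
    # RFC 2617 Digest uses MD5; it is shown here because that is the scheme
    # under discussion, not because MD5 is an acceptable modern choice.
    return hashlib.md5(s.encode()).hexdigest()


def make_basic_header(user: str, password: str) -> str:
    # Basic auth: the credential is merely base64 of "user:password".
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str):
    # The receiving application (PHP_AUTH_USER / PHP_AUTH_PW in PHP) gets the
    # plaintext password back; that is what makes IMAP login reuse possible.
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # Client side: HA1 binds user, realm and password; HA2 binds the request.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    # Split the comma-separated key=value list; values may be quoted or bare.
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', payload)}


def verify_digest(params: dict, method: str, stored_ha1: str) -> bool:
    # Server side: only HA1 is needed to recompute the expected response.
    # The plaintext password is neither transmitted nor derivable here, which
    # is exactly why a Digest-authenticated app cannot reuse it for IMAP/SMTP.
    ha2 = md5_hex(f"{method}:{params['uri']}")
    expected = md5_hex(f"{stored_ha1}:{params['nonce']}:{params['nc']}:"
                       f"{params['cnonce']}:{params['qop']}:{ha2}")
    return expected == params["response"]


def demo() -> dict:
    basic = parse_basic(make_basic_header(USER, PASSWORD))

    method, uri = "GET", "/roundcube/"
    nonce, nc, cnonce = "abc123", "00000001", "0a4f113b"  # constructed
    digest_header = make_digest_header(USER, REALM, PASSWORD, method, uri, nonce, nc, cnonce)
    params = parse_digest(digest_header)

    # What a server would keep on file for Digest: HA1, never the password.
    stored_ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    return {
        "basic_credentials": basic,              # ('alice', 's3cret')
        "digest_header": digest_header,
        "digest_username": params["username"],   # recoverable
        "digest_has_password": "password" in params,  # False: only a hash travels
        "digest_verified": verify_digest(params, method, stored_ha1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence for a Basic-auth deployment is the flip side of the same property: because the application can read the password, the transport must be TLS and the reused credential is only as safe as the web tier holding it.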