I suppose you could make this a layered approach where you use the HTTP authentication to control access and get the username. But then you save the password for that user as a preference.
Another option is to use InfoCards. Here is a very interesting use of it.
https://www.identityblog.com/wp-login.php
That is a PHP blog (WordPress) but it allows InfoCard for logging into the system. There is an extension for Firefox and Safari. There is a native feature for Windows called CardSpace which is included in Vista and MSIE 7. An InfoCard can securely hold the IMAP username and password.
Brennan
On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" black.myst@free.fr wrote:
Brennan Stehling wrote:
This looks very useful. Does it also work with Digest Authentication?
No.
I didn't know about Digest Authentication... But Google is my friend:
- http://www.peej.co.uk/projects/phphttpdigest.html
- http://en.wikipedia.org/wiki/Digest_access_authentication
I don't understand all the code (link #1), but there is no moment where the password is known by the PHP code. With only a hashed password, we can't log in to the IMAP or SMTP server.
RoundCube doesn't need to authenticate the user; RoundCube needs the user/password to connect to the IMAP and SMTP servers. Currently, I don't see how to get the user/password with Digest Authentication and I'm not sure that it's possible...
If you have an idea for how to get the password, I will try to implement it.
Note: Currently, I use a new boolean config 'http_authent', but it would perhaps be preferable to choose something more open, like:
    $rcmail_config['autologin'] = none / http_authent / ...
or
    $rcmail_config['logintype'] = login_page / http_authent / ...
It is more extensible. What do you think about it?
Black Myst.
Brennan
On Thu, 21 Dec 2006 17:45:32 +0100, "Black.myst" black.myst@free.fr wrote:
Hello,
There was a bug in my patch :-( When a session expires, the login page is displayed...
I fixed it by adding code to log in the user after session expiration. Like this:
    else if ($_action!='login' && $_SESSION['user_id'])
    {
      if (!rcmail_authenticate_session() ||
          (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) &&
           $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
      {
        $message = show_message('sessionerror', 'error');
        rcmail_kill_session();

        // ******** my new code : ********
        if ($CONFIG['http_authent'] && isset($_SERVER["PHP_AUTH_USER"]) &&
            isset($_SERVER["PHP_AUTH_PW"]))
        {
          // With HTTP_authent, we can relog the user
          rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"], rcmail_autoselect_host());
        }
      }
      // ******** end of my code *************
    }
I have attached the new version of my patch.
Black Myst
Black.myst wrote:
Hello,
I am trying to find a solution for bug 1388203 (http://trac.roundcube.net/trac.cgi/ticket/1388203)
Diff explanation :
- config/main.inc.php.dist: Add new configuration boolean 'http_authent'. False: use the standard login page (default). True: use $_SERVER["PHP_AUTH_USER"] to log the user in.
- skins/default/includes/taskbar.html: Add a roundcube:if to remove the logout button when http_authent is used.
- program/include/main.inc: Fix roundcube:include to parse roundcube:if in included files. (Otherwise my roundcube:if in taskbar.html does not work!)
- index.php: Add code to allow HTTP authent.
- program/steps/error.inc: Add "Allow cookies" to the browser requirements page. (I display this page (409) if the user disables cookies with http_authent.)
Black Myst
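
The difference between the two schemes discussed in this thread, as an added PHP example that is not part of the original messages or of RoundCube: a Basic header carries the password itself, while a Digest request can be verified from the stored hash MD5(user:realm:password) yet contains nothing that could be passed on to IMAP or SMTP. The helper function names, credentials, realm and nonce values are constructed for illustration.

```php
<?php
// Added illustration, not RoundCube code; credentials, realm and nonces are constructed.

// Return the clear-text credentials an Authorization header carries, or null.
function credentials_from_header($header)
{
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null; // Digest: no field of the header holds the password
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    list($user, $pass) = explode(':', $decoded, 2);
    return array('user' => $user, 'pass' => $pass);
}

// Parse the key="value" / key=value pairs of a Digest header.
function parse_digest($header)
{
    $fields = array();
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    foreach ($m as $p) {
        $fields[$p[1]] = (isset($p[3]) && $p[3] !== '') ? $p[3] : $p[2];
    }
    return $fields;
}

// Verify a Digest response (RFC 2617, qop=auth) using only the stored HA1 hash.
function digest_is_valid($f, $ha1, $method)
{
    $ha2 = md5($method . ':' . $f['uri']);
    $expected = md5(implode(':', array($ha1, $f['nonce'], $f['nc'], $f['cnonce'], $f['qop'], $ha2)));
    return hash_equals($expected, $f['response']);
}

$user = 'alice'; $pass = 'imap-secret'; $realm = 'webmail';   // constructed sample values
$ha1 = md5("$user:$realm:$pass");   // all the server stores for Digest

$basic = 'Basic ' . base64_encode("$user:$pass");
var_dump(credentials_from_header($basic));    // the pair rcmail_login() needs

// Build the header a Digest client would send for GET /mail/.
$nonce = 'c0ffee'; $cnonce = 'abc123'; $nc = '00000001';
$resp = md5("$ha1:$nonce:$nc:$cnonce:auth:" . md5('GET:/mail/'));
$digest = "Digest username=\"$user\", realm=\"$realm\", nonce=\"$nonce\", uri=\"/mail/\", "
        . "qop=auth, nc=$nc, cnonce=\"$cnonce\", response=\"$resp\"";
var_dump(digest_is_valid(parse_digest($digest), $ha1, 'GET'));  // check the response against HA1
var_dump(credentials_from_header($digest));   // look for a password in the Digest header
```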