Brennan Stehling wrote:
This looks very useful. Does it also work with Digest Authentication?
No.
I didn't know Digest Authentication... But Google is my friend:
I don't understand all the code (link #1), but there is no moment where the password is known by the PHP code. With only a hashed password, we can't log in to the IMAP or SMTP server.
RoundCube doesn't need to authenticate the user; RoundCube needs the user/password to connect to the IMAP and SMTP server. Currently, I don't see how to get the user/password with Digest Authentication and I'm not sure that it's possible...
If you have an idea for getting the password, I will try to implement it.
Note: Currently, I use a new boolean config 'http_authent', but it would perhaps be preferable to choose something more open, like: $rcmail_config['autologin'] = none / http_authent / ... or $rcmail_config['logintype'] = login_page / http_authent / ... It is more extensible. What do you think about it?
Black Myst.
Brennan
On Thu, 21 Dec 2006 17:45:32 +0100, "Black.myst" black.myst@free.fr wrote:
Hello,
There was a bug in my patch :-( When a session expires, the login page is displayed...
I fixed it by adding code to log in the user after session expiration. Like this:
    else if ($_action!='login' && $_SESSION['user_id'])
      {
      if (!rcmail_authenticate_session() ||
          (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) &&
           $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
        {
        $message = show_message('sessionerror', 'error');
        rcmail_kill_session();

        // ******** my new code : ********
        if ($CONFIG['http_authent'] && isset($_SERVER["PHP_AUTH_USER"]) &&
            isset($_SERVER["PHP_AUTH_PW"]))
          {
          // With HTTP_authent, we can relog the user
          rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"],
                       rcmail_autoselect_host());
          }
        }
        // ******** end of my code *************
      }
I have attached the new version of my patch.
Black Myst
Black.myst wrote:
Hello,
I am trying to find a solution for bug 1388203 (http://trac.roundcube.net/trac.cgi/ticket/1388203)
Diff explanation:
- config/main.inc.php.dist: Add new configuration boolean 'http_authent'. False: use the standard login page. (default) True: use $_SERVER["PHP_AUTH_USER"] to log the user in.
- skins/default/includes/taskbar.html: Add a roundcube:if to remove the logout button when http_authent is used.
- program/include/main.inc: Fix roundcube:include to parse roundcube:if in an included file. (Otherwise my roundcube:if in taskbar.html does not work!)
- index.php: Add code to allow http authent.
- program/steps/error.inc: Add "Allow cookies" to the browser requirements page. (I display this page (409) if the user disables cookies with http_authent.)
Black Myst
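
The point made in the reply at the top of this thread (Basic authentication hands PHP the password, Digest authentication does not), as an added example that is not part of the thread or of RoundCube's code. It assumes RFC 2617 Digest with qop=auth; the user, password, realm, URI and nonce values are constructed.

```php
<?php
// Added example, not RoundCube code. User, password, realm and nonces are constructed.

// Basic: the header is base64("user:password"), so PHP can recover the clear-text
// password (this is what $_SERVER["PHP_AUTH_PW"] holds) and reuse it for IMAP/SMTP.
function parse_basic(string $header): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return ['user' => $user, 'password' => $pass];
}

// Digest (RFC 2617, qop=auth): the header (exposed as $_SERVER["PHP_AUTH_DIGEST"])
// carries the user name and a nonce-bound MD5 response, never the password.
function parse_digest(string $header): array
{
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $p) {
        $fields[$p[1]] = $p[2] !== '' ? $p[2] : ($p[3] ?? '');
    }
    return $fields;
}

// The server can verify the response from a stored HA1 = md5(user:realm:password),
// but neither HA1 nor the response can be turned back into the password.
function verify_digest(array $f, string $method, string $ha1): bool
{
    $ha2 = md5($method . ':' . $f['uri']);
    $expected = md5(implode(':', [$ha1, $f['nonce'], $f['nc'], $f['cnonce'], $f['qop'], $ha2]));
    return hash_equals($expected, $f['response']);
}

[$user, $pass, $realm, $uri] = ['alice', 'constructed-password', 'webmail', '/roundcube/'];
$basic = parse_basic('Basic ' . base64_encode("$user:$pass"));
echo 'Basic gives the password: ', var_export($basic['password'] === $pass, true), "\n";

$ha1 = md5("$user:$realm:$pass");
$response = md5("$ha1:n0nce:00000001:cn0nce:auth:" . md5("GET:$uri"));
$f = parse_digest("Digest username=\"$user\", realm=\"$realm\", nonce=\"n0nce\", uri=\"$uri\", "
    . "qop=auth, nc=00000001, cnonce=\"cn0nce\", response=\"$response\"");
echo 'Digest response verifies: ', var_export(verify_digest($f, 'GET', $ha1), true), "\n";
echo 'Digest fields contain the password: ', var_export(in_array($pass, $f, true), true), "\n";
```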