Hello,
I am trying to find a fix for bug 1388203 (http://trac.roundcube.net/trac.cgi/ticket/1388203)
Diff explanation:
- config/main.inc.php.dist : Add a new configuration boolean 'http_authent'. False: use the standard login page (default). True: use $_SERVER["PHP_AUTH_USER"] to log the user in.
- skins/default/includes/taskbar.html : Add a roundcube:if to remove the logout button when http_authent is used.
- program/include/main.inc : Fix roundcube:include to parse roundcube:if in included files (otherwise my roundcube:if in taskbar.html does not work!).
- index.php : Add code to allow HTTP authentication.
- program/steps/error.inc : Add "Allow cookies" to the browser requirements page. (I display this page (409) if the user has disabled cookies with http_authent.)
Black Myst
--- config/main.inc.php.dist (revision 414) +++ config/main.inc.php.dist (working copy) @@ -77,6 +77,9 @@ // best server supported one) $rcmail_config['smtp_auth_type'] = '';
+// use http authentication : get login and pass from PHP variables +$rcmail_config['http_authent'] = FALSE;
// Log sent messages $rcmail_config['smtp_log'] = TRUE;
--- program/include/main.inc (revision 414) +++ program/include/main.inc (working copy) @@ -1265,7 +1265,7 @@ { $incl = fread($fp, filesize($path)); fclose($fp);
return parse_rcube_xml($incl);
return parse_rcube_xml(parse_rcube_conditions($incl));
}
break;
--- program/steps/error.inc (revision 414) +++ program/steps/error.inc (working copy) @@ -35,6 +35,7 @@
<br /> » JavaScript enabled<br /> » Support for XMLHTTPRequest<br /> +» Allow cookies<br />
<p><i>Your configuration:</i><br /> $user_agent</p> @@ -115,4 +116,4 @@ </html> EOF;
-?> \ No newline at end of file +?> Index: skins/default/includes/taskbar.html =================================================================== --- skins/default/includes/taskbar.html (revision 414) +++ skins/default/includes/taskbar.html (working copy) @@ -2,5 +2,7 @@ <roundcube:button command="mail" label="mail" class="button-mail" /> <roundcube:button command="addressbook" label="addressbook" class="button-addressbook" /> <roundcube:button command="settings" label="settings" class="button-settings" /> +<roundcube:if condition="config:http_authent != true" /> <roundcube:button command="logout" label="logout" class="button-logout" /> -</div> \ No newline at end of file +<roundcube:endif /> +</div> Index: index.php =================================================================== --- index.php (revision 414) +++ index.php (working copy) @@ -162,8 +162,42 @@ }
+// try to log in if http_authen +if ($CONFIG['http_authent'] && (!isset($_SESSION['user_id']) || !rcmail_authenticate_session()))
array('code' => 409,
'type' => 'php',
'message' => "User not allow cookies"),
FALSE,
TRUE);
rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"],
rcmail_autoselect_host()))
array('code' => 401,
'type' => 'imap',
'message' => "Http_authent faild for user :".$_SERVER['PHP_AUTH_USER']),
TRUE,
TRUE);
// try to log in -if ($_action=='login' && $_task=='mail') +else if (!$CONFIG['http_authent'] && $_action=='login' && $_task=='mail') { $host = rcmail_autoselect_host();
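Review bot: the comment above the new `$rcmail_config['http_authent'] = FALSE;` should state what enabling it trusts. With TRUE, index.php reads `$_SERVER["PHP_AUTH_USER"]` and `PHP_AUTH_PW`, which are only populated when the web server itself enforces HTTP Basic authentication in front of Roundcube (and on CGI/FastCGI setups often not at all), and Basic sends the password base64-encoded on every request, so the deployment needs TLS. Suggest expanding the comment to "use HTTP Basic authentication performed by the web server: take login and password from PHP_AUTH_USER / PHP_AUTH_PW (requires the server to require authentication for this directory)".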
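Review bot: the change from `return parse_rcube_xml($incl);` to `return parse_rcube_xml(parse_rcube_conditions($incl));` means every roundcube:include is now processed like the top-level template, which is what the taskbar change needs, but it deserves a one-line comment at that spot saying so, plus a check that the outer template pass does not run parse_rcube_conditions a second time over the already-expanded include text.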
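Review bot: wrapping the logout button in `<roundcube:if condition="config:http_authent != true" />` removes the only visible sign-out, and with HTTP Basic authentication the browser keeps replaying the credentials on every request, so there is no application-side logout in this mode anyway; the config comment or the settings page should tell users that closing the browser is what ends the session. Consider keeping a button that only calls rcmail_kill_session so the server-side session data is at least dropped on request.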
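Review bot: `rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"], rcmail_autoselect_host())` and the 401 message both dereference the PHP_AUTH_* entries without an isset() check, so a request that reaches this branch without an Authorization header raises PHP notices and attempts a login with empty credentials; guard the branch with `isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])` (the follow-up message in this thread adds that guard for the session-expiry path, and it belongs here too). The 401 text `"Http_authent faild for user :".$_SERVER['PHP_AUTH_USER']` embeds client-supplied input in an error page, so pass it through htmlspecialchars() before display; "faild" should read "failed" and the 409 text "User not allow cookies" should read "User does not allow cookies".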
Hello,
There was a bug in my patch :-( When a session expired, the login page was displayed...
I fixed it by adding code to log the user in again after session expiration. Like this:
else if ($_action!='login' && $_SESSION['user_id'])
{
  if (!rcmail_authenticate_session() ||
      (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) &&
       $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
  {
    $message = show_message('sessionerror', 'error');
    rcmail_kill_session();

    // ******** my new code: ********
    if ($CONFIG['http_authent'] && isset($_SERVER["PHP_AUTH_USER"]) &&
        isset($_SERVER["PHP_AUTH_PW"]))
    {
      // With HTTP_authent, we can log the user in again
      rcmail_login($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"],
                   rcmail_autoselect_host());
    }
  }
  // ******** end of my code *************
}
I have attached the new version of my patch.
Black Myst
This looks very useful. Does it also work with Digest Authentication?
Brennan
On Thu, 21 Dec 2006 17:45:32 +0100, "Black.myst" black.myst@free.fr wrote: [quoted message omitted; see above]
Brennan Stehling wrote:
This looks very useful. Does it also work with Digest Authentication?
No.
I didn't know Digest Authentication... But Google is my friend:
- http://www.peej.co.uk/projects/phphttpdigest.html
- http://en.wikipedia.org/wiki/Digest_access_authentication
I don't understand all the code (link #1), but there is no moment where the password is known to the PHP code. With only a hashed password, we can't log in to the IMAP or SMTP server.
RoundCube doesn't need to authenticate the user; RoundCube needs the user/password to connect to the IMAP and SMTP servers. Currently, I don't see how to get the user/password with Digest Authentication and I'm not sure that it's possible...
If you have an idea how to get the password, I will try to implement it.
Note: Currently I use a new boolean config 'http_authent', but it would perhaps be preferable to choose something more open, like: $rcmail_config['autologin'] = none / http_authent / ... or $rcmail_config['logintype'] = login_page / http_authent / ... It is more extensible. What do you think about it?
Black Myst.
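Added illustration (an editor's example, not code from this thread or from Roundcube): it decodes a constructed HTTP Basic Authorization header the way mod_php fills $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], which is what the patch in the first message relies on, and then runs the RFC 2617 Digest exchange (without qop) for the same constructed user, showing that the server verifies the client with only a stored HA1 = MD5(user:realm:password) and that the clear-text password never appears in the request. The realm, nonce, username and password are made-up values, and the HA1 store stands in for what a digest-aware web server keeps on disk.

```python
import base64
import hashlib
import re

# Constructed sample values for this demonstration; none of them come from the thread.
REALM = "mail.example.test"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
METHOD = "GET"
URI = "/roundcube/"


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(authorization: str):
    """Decode 'Authorization: Basic <base64(user:password)>'.

    This is what mod_php does to fill $_SERVER['PHP_AUTH_USER'] and
    $_SERVER['PHP_AUTH_PW']: the application receives the clear-text password
    and can reuse it for the IMAP/SMTP login Roundcube needs.
    """
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def client_digest_header(user: str, password: str, realm: str, nonce: str,
                         method: str, uri: str) -> str:
    """What the browser sends: the password is hashed before it leaves the client."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    response = digest_response(ha1, nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def verify_digest(authorization: str, ha1_store: dict, nonce: str, method: str):
    """Server side: needs only HA1 per user, never the password itself.

    Returns the authenticated username, or None if the header is not a Digest
    header, the user is unknown, the nonce is stale, or the response does not match.
    """
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', payload))
    ha1 = ha1_store.get(fields.get("username"))
    if ha1 is None or fields.get("nonce") != nonce:
        return None
    expected = digest_response(ha1, nonce, method, fields.get("uri", ""))
    return fields["username"] if expected == fields.get("response") else None


# Constructed request headers for the two schemes.
BASIC_HEADER = "Basic " + base64.b64encode(
    f"{USERNAME}:{PASSWORD}".encode("utf-8")).decode("ascii")
DIGEST_HEADER = client_digest_header(USERNAME, PASSWORD, REALM, NONCE, METHOD, URI)
# The server-side store for Digest holds HA1 only, never the password.
HA1_STORE = {USERNAME: md5hex(f"{USERNAME}:{REALM}:{PASSWORD}")}


def compare_schemes() -> dict:
    """Summarise what the application learns from each scheme."""
    user, password = basic_credentials(BASIC_HEADER)
    return {
        "basic_user": user,
        "basic_password_available": password == PASSWORD,
        "digest_user": verify_digest(DIGEST_HEADER, HA1_STORE, NONCE, METHOD),
        "digest_password_in_request": PASSWORD in DIGEST_HEADER,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

For Roundcube's purpose this is the crux: the Basic path hands the application a password it can replay to IMAP and SMTP, while the Digest path yields only a verifier that proves the client knows the password without revealing it, which is why neither the web server's HA1 store nor the PHP code can open the mail connection from a Digest login.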
I suppose you could make this a layered approach where you use the HTTP authentication to control access and get the username. But then you save the password for that user as a preference.
Another option is to use InfoCards. Here is a very interesting use of it.
https://www.identityblog.com/wp-login.php
That is a PHP blog (Wordpress) but it allows InfoCard for logging into the system. There is an extension for Firefox and Safari. There is a native feature for Windows called Cardspace which is included in Vista and MSIE 7. An InfoCard can securely hold the IMAP username and password.
Brennan
On Thu, 21 Dec 2006 22:18:59 +0100, "Black.myst" black.myst@free.fr wrote: [quoted message omitted; see above]
Brennan Stehling wrote:
I suppose you could make this a layered approach where you use the HTTP authentication to control access and get the username. But then you save the password for that user as a preference.
Yes, I could. But to do this, I need to save the password in the database and I don't want to do this for security reasons. On my system, passwords are hashed in /etc/shadow and I don't want to see them anywhere else.
Currently, I know that the password is in the session, and so in the database... But I will fix this problem next week. With Http_Authent, I don't need to put the password in the session.
Another option is to use InfoCards. Here is a very interesting use of it.
https://www.identityblog.com/wp-login.php
That is a PHP blog (Wordpress) but it allows InfoCard for logging into the system. There is an extension for Firefox and Safari. There is a native feature for Windows called Cardspace which is included in Vista and MSIE 7. An InfoCard can securely hold the IMAP username and password.
Maybe. But currently, nobody needs this feature :-)
Black Myst