Double session mechanism : 2 cookies are generated, 1 secured, the other not.
Handlers automatically detect which cookie to use.
This commit is contained in:
parent
d23ca2b2ba
commit
b0b971b241
|
@ -4,6 +4,8 @@ lemonldap-ng (0.9.4) unstable; urgency=low
|
||||||
* Session timeout is in seconds and not in minutes in Manager/Help.pm
|
* Session timeout is in seconds and not in minutes in Manager/Help.pm
|
||||||
(Closes: #312339)
|
(Closes: #312339)
|
||||||
* Notification system
|
* Notification system
|
||||||
|
* Missing dependency in Debian package (Closes: #521959 / bugs.debian.org)
|
||||||
|
* Double session mechanism (1 secured and the other not)
|
||||||
|
|
||||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 08 Feb 2009 20:12:17 +0100
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 08 Feb 2009 20:12:17 +0100
|
||||||
|
|
||||||
|
|
|
@ -40,9 +40,9 @@ our (
|
||||||
$cookieName, $portal, $datas,
|
$cookieName, $portal, $datas,
|
||||||
$globalStorage, $globalStorageOptions, $localStorage,
|
$globalStorage, $globalStorageOptions, $localStorage,
|
||||||
$localStorageOptions, $whatToTrace, $https,
|
$localStorageOptions, $whatToTrace, $https,
|
||||||
$refLocalStorage, $safe, $cookieSecured,
|
$refLocalStorage, $safe, $port,
|
||||||
$port, $statusPipe, $statusOut,
|
$statusPipe, $statusOut, $customFunctions,
|
||||||
$customFunctions, $transform,
|
$transform,
|
||||||
);
|
);
|
||||||
|
|
||||||
##########################################
|
##########################################
|
||||||
|
@ -65,8 +65,7 @@ BEGIN {
|
||||||
headers => [
|
headers => [
|
||||||
qw(
|
qw(
|
||||||
$forgeHeaders lmHeaderIn lmSetHeaderIn lmHeaderOut
|
$forgeHeaders lmHeaderIn lmSetHeaderIn lmHeaderOut
|
||||||
lmSetHeaderOut lmSetErrHeaderOut $cookieName $cookieSecured
|
lmSetHeaderOut lmSetErrHeaderOut $cookieName $https $port
|
||||||
$https $port
|
|
||||||
)
|
)
|
||||||
],
|
],
|
||||||
log => [qw(lmSetApacheUser)],
|
log => [qw(lmSetApacheUser)],
|
||||||
|
@ -557,11 +556,11 @@ sub defaultValuesInit {
|
||||||
|
|
||||||
# Other values
|
# Other values
|
||||||
$cookieName = $args->{cookieName} || $cookieName || 'lemonldap';
|
$cookieName = $args->{cookieName} || $cookieName || 'lemonldap';
|
||||||
$cookieSecured = $args->{cookieSecured} || $cookieSecured || 0;
|
|
||||||
$whatToTrace = $args->{whatToTrace} || $whatToTrace || 'uid';
|
$whatToTrace = $args->{whatToTrace} || $whatToTrace || 'uid';
|
||||||
$whatToTrace =~ s/\$//g;
|
$whatToTrace =~ s/\$//g;
|
||||||
$https = $args->{https} unless defined($https);
|
$https = $args->{https} unless defined($https);
|
||||||
$https = 1 unless defined($https);
|
$https = 1 unless defined($https);
|
||||||
|
$cookieName .= 'http' if($args->{securedCookie} == 2 and $https == 0);
|
||||||
$port = $args->{port} || 0 unless defined($port);
|
$port = $args->{port} || 0 unless defined($port);
|
||||||
$customFunctions = $args->{customFunctions};
|
$customFunctions = $args->{customFunctions};
|
||||||
1;
|
1;
|
||||||
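Review bot: `$cookieName .= 'http' if($args->{securedCookie} == 2 and $https == 0);` in defaultValuesInit compares `$args->{securedCookie}` numerically even when the option is absent, which raises an uninitialized-value warning under `use warnings` for every handler that does not set it; `$cookieName .= 'http' if ( ( $args->{securedCookie} || 0 ) == 2 and !$https );` avoids that and treats an empty `$https` like 0. Because `$cookieName` keeps its previous value when `$args->{cookieName}` is unset (the `|| $cookieName` fallback two lines above), the suffix would be appended a second time if defaultValuesInit runs again, so the http name should be derived from the configured name on each call rather than accumulated on the shared variable. The literal `'http'` suffix must also match the one the portal uses when it builds the second cookie; a shared constant would keep the two in step. The enclosing sub continues outside the hunk, and the earlier hunks drop `$cookieSecured` from the exported `headers` list, which breaks any custom handler that still imports it.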
|
|
|
@ -60,7 +60,9 @@ inherits from Lemonldap::NG::Portal::SharedConf.</dd>
|
||||||
<dt> Secured cookie (SSL) </dt>
|
<dt> Secured cookie (SSL) </dt>
|
||||||
<dd> An authenticated user is known by his cookie. If all (virtual) hosts use
|
<dd> An authenticated user is known by his cookie. If all (virtual) hosts use
|
||||||
HTTPS, set this value to 1 so the cookie will be protected and will not be
|
HTTPS, set this value to 1 so the cookie will be protected and will not be
|
||||||
transmitted unless https is used.</dd>
|
transmitted unless https is used. You can also set it to generate 2 cookies,
|
||||||
|
1 secure and the other not. Handlers detects if they are in https mode or not
|
||||||
|
and will choose the good cookie.</dd>
|
||||||
</dl>
|
</dl>
|
||||||
EOT
|
EOT
|
||||||
}
|
}
|
||||||
|
@ -95,7 +97,11 @@ utilisant Lemonldap::NG::Portal::SharedConf.</dd>
|
||||||
tous les hôtes virtuels de votre domaine son protégés par
|
tous les hôtes virtuels de votre domaine son protégés par
|
||||||
SSL, mettez cette option à 1, ainsi le cookie ne sera
|
SSL, mettez cette option à 1, ainsi le cookie ne sera
|
||||||
présenté par le navigateur qu'aux sites protégés,
|
présenté par le navigateur qu'aux sites protégés,
|
||||||
ce qui évite un vol de session.</dd>
|
ce qui évite un vol de session. Vous pouvez également mettre cette
|
||||||
|
valeur à 2 pour générer 2 cookies, l'un
|
||||||
|
sécurisé et l'autre non. Les agents (handlers) détectent
|
||||||
|
automatiquement s'il sont en mode https ou non et choisissent le bon cookie.
|
||||||
|
</dd>
|
||||||
</dl>
|
</dl>
|
||||||
EOT
|
EOT
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,6 +68,7 @@ sub process {
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
my $id = shift;
|
my $id = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
push
|
push
|
||||||
@{ $byUid->{ $entry->{$whatToTrace} }->{ $entry->{ipAddr} } },
|
@{ $byUid->{ $entry->{$whatToTrace} }->{ $entry->{ipAddr} } },
|
||||||
{ id => $id, _utime => $entry->{_utime} };
|
{ id => $id, _utime => $entry->{_utime} };
|
||||||
|
@ -108,6 +109,7 @@ sub process {
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
my $id = shift;
|
my $id = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
if ( $entry->{ipAddr} =~ /^$reip$/ ) {
|
if ( $entry->{ipAddr} =~ /^$reip$/ ) {
|
||||||
push @{ $byUid->{ $entry->{ipAddr} }
|
push @{ $byUid->{ $entry->{ipAddr} }
|
||||||
->{ $entry->{$whatToTrace} } },
|
->{ $entry->{$whatToTrace} } },
|
||||||
|
@ -149,6 +151,7 @@ sub process {
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
my $id = shift;
|
my $id = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
if ( $entry->{$whatToTrace} =~ /^$reuser$/ ) {
|
if ( $entry->{$whatToTrace} =~ /^$reuser$/ ) {
|
||||||
push @{ $byUid->{ $entry->{$whatToTrace} } },
|
push @{ $byUid->{ $entry->{$whatToTrace} } },
|
||||||
{ id => $id, _utime => $entry->{_utime} };
|
{ id => $id, _utime => $entry->{_utime} };
|
||||||
|
@ -185,9 +188,16 @@ sub process {
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
my $uid = $h{uid};
|
my $uid = $h{uid};
|
||||||
|
if($h{_httpSession}) {
|
||||||
|
my %h2;
|
||||||
|
eval { tie %h2, $globalStorage, $h{_httpSession}, $globalStorageOptions; tied(%h2)->delete(); };
|
||||||
|
if ($@) {
|
||||||
|
print "<strong>Error : $@</strong><br/>";
|
||||||
|
}
|
||||||
|
}
|
||||||
eval { tied(%h)->delete(); };
|
eval { tied(%h)->delete(); };
|
||||||
if ($@) {
|
if ($@) {
|
||||||
print "<strong>Error : $@</strong>\n";
|
print "<strong>Error : $@</strong><br/>";
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
print "<strong>Session effacée ($uid)</strong>";
|
print "<strong>Session effacée ($uid)</strong>";
|
||||||
|
@ -236,6 +246,7 @@ sub process {
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
my $id = shift;
|
my $id = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
if ( $entry->{ipAddr} eq $ip ) {
|
if ( $entry->{ipAddr} eq $ip ) {
|
||||||
push @{ $byUser->{ $entry->{$whatToTrace} } },
|
push @{ $byUser->{ $entry->{$whatToTrace} } },
|
||||||
{ id => $id, _utime => $entry->{_utime} };
|
{ id => $id, _utime => $entry->{_utime} };
|
||||||
|
@ -264,6 +275,7 @@ sub process {
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
my $id = shift;
|
my $id = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
if ( $entry->{$whatToTrace} eq $uid ) {
|
if ( $entry->{$whatToTrace} eq $uid ) {
|
||||||
push @{ $byIp->{ $entry->{ipAddr} } },
|
push @{ $byIp->{ $entry->{ipAddr} } },
|
||||||
{ id => $id, _utime => $entry->{_utime} };
|
{ id => $id, _utime => $entry->{_utime} };
|
||||||
|
@ -292,6 +304,7 @@ sub process {
|
||||||
$globalStorageOptions,
|
$globalStorageOptions,
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
$entry->{$whatToTrace} =~ /^$letter/ or return undef;
|
$entry->{$whatToTrace} =~ /^$letter/ or return undef;
|
||||||
$byUid->{ $entry->{$whatToTrace} }++;
|
$byUid->{ $entry->{$whatToTrace} }++;
|
||||||
},
|
},
|
||||||
|
@ -319,6 +332,7 @@ sub process {
|
||||||
$globalStorageOptions,
|
$globalStorageOptions,
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
$entry->{ipAddr} =~ /^$repartial(\d+)/ or return undef;
|
$entry->{ipAddr} =~ /^$repartial(\d+)/ or return undef;
|
||||||
$byIp->{$1}++;
|
$byIp->{$1}++;
|
||||||
$count++;
|
$count++;
|
||||||
|
@ -358,6 +372,7 @@ sub process {
|
||||||
$globalStorageOptions,
|
$globalStorageOptions,
|
||||||
sub {
|
sub {
|
||||||
my $entry = shift;
|
my $entry = shift;
|
||||||
|
next if($entry->{_httpSessionType});
|
||||||
$entry->{$whatToTrace} =~ /^(\w)/ or return undef;
|
$entry->{$whatToTrace} =~ /^(\w)/ or return undef;
|
||||||
$byUid->{$1}++;
|
$byUid->{$1}++;
|
||||||
$count++;
|
$count++;
|
||||||
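Review bot: `next if($entry->{_httpSessionType});`, added to every iteration callback in this file, uses `next` inside an anonymous sub, which only works by unwinding into whatever loop the caller happens to be in and emits "Exiting subroutine via next" under `use warnings`; the same callbacks already skip entries with `... or return undef;`, so the new line should read `return undef if $entry->{_httpSessionType};` for both correctness and consistency. This applies to all eight callbacks in this section, not only the first. In the delete branch, `eval { tie %h2, $globalStorage, $h{_httpSession}, $globalStorageOptions; tied(%h2)->delete(); };` removes the paired HTTP session only when the secure session is the one being deleted; as far as this hunk shows the HTTP twin records no reference back to its secure session, so a comment such as `# the http twin has no back-reference: always delete through the secure session` would save the next maintainer from expecting the reverse to work. Splitting that eval onto one statement per line would also make the error path easier to read. All hunks here are inside `sub process`, which starts and ends outside them.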
|
|
|
@ -703,10 +703,18 @@ sub store {
|
||||||
# Now, user is authenticated => inform Apache
|
# Now, user is authenticated => inform Apache
|
||||||
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
|
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
|
||||||
|
|
||||||
|
$self->{sessionInfo}->{_utime} = time();
|
||||||
|
if ( $self->{securedCookie} == 2 ) {
|
||||||
|
my $h2 = $self->getApacheSession(undef);
|
||||||
|
$h2->{$_} = $self->{sessionInfo}->{$_}
|
||||||
|
foreach ( keys %{ $self->{sessionInfo} } );
|
||||||
|
$self->{sessionInfo}->{_httpSession} = $h2->{_session_id};
|
||||||
|
$h2->{_httpSessionType} = 1;
|
||||||
|
untie %$h2;
|
||||||
|
}
|
||||||
my $h = $self->getApacheSession(undef) or return PE_APACHESESSIONERROR;
|
my $h = $self->getApacheSession(undef) or return PE_APACHESESSIONERROR;
|
||||||
$h->{$_} = $self->{sessionInfo}->{$_}
|
$h->{$_} = $self->{sessionInfo}->{$_}
|
||||||
foreach ( keys %{ $self->{sessionInfo} } );
|
foreach ( keys %{ $self->{sessionInfo} } );
|
||||||
$h->{_utime} = time();
|
|
||||||
untie %$h;
|
untie %$h;
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
@ -725,6 +733,17 @@ sub buildCookie {
|
||||||
-secure => $self->{securedCookie},
|
-secure => $self->{securedCookie},
|
||||||
@_,
|
@_,
|
||||||
);
|
);
|
||||||
|
if ( $self->{securedCookie} == 2 ) {
|
||||||
|
push @{ $self->{cookie} },
|
||||||
|
$self->cookie(
|
||||||
|
-name => $self->{cookieName}."http",
|
||||||
|
-value => $self->{sessionInfo}->{_httpSession},
|
||||||
|
-domain => $self->{domain},
|
||||||
|
-path => "/",
|
||||||
|
-secure => 0,
|
||||||
|
@_,
|
||||||
|
);
|
||||||
|
}
|
||||||
PE_OK;
|
PE_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
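Review bot: `my $h2 = $self->getApacheSession(undef);` in store does not check for failure, unlike the `or return PE_APACHESESSIONERROR` on the secure session a few lines below; if the tie fails, `$h2` autovivifies as a plain untied hash, `_httpSession` is stored as undef and buildCookie would then emit a `...http` cookie with an empty value. Change it to `my $h2 = $self->getApacheSession(undef) or return PE_APACHESESSIONERROR;`. Both new branches test `$self->{securedCookie} == 2`, which warns when the option is unset; `( $self->{securedCookie} || 0 ) == 2` is quieter. The second session is a full copy of sessionInfo and its cookie is sent with `-secure => 0`, so it grants the same access as the secure session to anyone who can observe plain-HTTP traffic on the cookie domain; that is the feature's intended trade-off, but it deserves a comment at that line, e.g. `# intentionally unsecured: same privileges as the secure session, meant only for non-HTTPS vhosts`. store and buildCookie both begin outside their hunks.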