Commit b0b971b2 authored by Xavier Guimard's avatar Xavier Guimard

Double session mechanism : 2 cookies are generated, 1 secured, the other not.

Handlers detects automatically the cookie to choose.
parent d23ca2b2
......@@ -4,6 +4,8 @@ lemonldap-ng (0.9.4) unstable; urgency=low
* Session timeout is in seconds and not in minutes in Manager/Help.pm
(Closes: #312339)
* Notification system
* Missing dependency in Debian package (Closes: #521959 / bugs.debian.org)
* Double session mechanism (1 secured and the other not)
-- Xavier Guimard <x.guimard@free.fr> Sun, 08 Feb 2009 20:12:17 +0100
......
......@@ -40,9 +40,9 @@ our (
$cookieName, $portal, $datas,
$globalStorage, $globalStorageOptions, $localStorage,
$localStorageOptions, $whatToTrace, $https,
$refLocalStorage, $safe, $cookieSecured,
$port, $statusPipe, $statusOut,
$customFunctions, $transform,
$refLocalStorage, $safe, $port,
$statusPipe, $statusOut, $customFunctions,
$transform,
);
##########################################
......@@ -65,8 +65,7 @@ BEGIN {
headers => [
qw(
$forgeHeaders lmHeaderIn lmSetHeaderIn lmHeaderOut
lmSetHeaderOut lmSetErrHeaderOut $cookieName $cookieSecured
$https $port
lmSetHeaderOut lmSetErrHeaderOut $cookieName $https $port
)
],
log => [qw(lmSetApacheUser)],
......@@ -557,11 +556,11 @@ sub defaultValuesInit {
# Other values
$cookieName = $args->{cookieName} || $cookieName || 'lemonldap';
$cookieSecured = $args->{cookieSecured} || $cookieSecured || 0;
$whatToTrace = $args->{whatToTrace} || $whatToTrace || 'uid';
$whatToTrace =~ s/\$//g;
$https = $args->{https} unless defined($https);
$https = 1 unless defined($https);
$cookieName .= 'http' if($args->{securedCookie} == 2 and $https == 0);
$port = $args->{port} || 0 unless defined($port);
$customFunctions = $args->{customFunctions};
1;
......
......@@ -60,7 +60,9 @@ inherits from Lemonldap::NG::Portal::SharedConf.</dd>
<dt> Secured cookie (SSL) </dt>
<dd> An authenticated user is known by his cookie. If all (virtual) hosts use
HTTPS, set this value to 1 so the cookie will be protected and will not be
transmitted unless https is used.</dd>
transmitted unless https is used. You can also set it to generate 2 cookies,
1 secure and the other not. Handlers detects if they are in https mode or not
and will choose the good cookie.</dd>
</dl>
EOT
}
......@@ -95,7 +97,11 @@ utilisant Lemonldap::NG::Portal::SharedConf.</dd>
tous les h&ocirc;tes virtuels de votre domaine son prot&eacute;g&eacute;s par
SSL, mettez cette option &agrave; 1, ainsi le cookie ne sera
pr&eacute;sent&eacute; par le navigateur qu'aux sites prot&eacute;g&eacute;s,
ce qui &eacute;vite un vol de session.</dd>
ce qui &eacute;vite un vol de session. Vous pouvez également mettre cette
valeur &agrave; 2 pour g&eacute;n&eacute;rer 2 cookies, l'un
s&eacute;curis&eacute; et l'autre non. Les agents (handlers) d&eacute;tectent
automatiquement s'il sont en mode https ou non et choisissent le bon cookie.
</dd>
</dl>
EOT
}
......
......@@ -68,6 +68,7 @@ sub process {
sub {
my $entry = shift;
my $id = shift;
next if($entry->{_httpSessionType});
push
@{ $byUid->{ $entry->{$whatToTrace} }->{ $entry->{ipAddr} } },
{ id => $id, _utime => $entry->{_utime} };
......@@ -108,6 +109,7 @@ sub process {
sub {
my $entry = shift;
my $id = shift;
next if($entry->{_httpSessionType});
if ( $entry->{ipAddr} =~ /^$reip$/ ) {
push @{ $byUid->{ $entry->{ipAddr} }
->{ $entry->{$whatToTrace} } },
......@@ -149,6 +151,7 @@ sub process {
sub {
my $entry = shift;
my $id = shift;
next if($entry->{_httpSessionType});
if ( $entry->{$whatToTrace} =~ /^$reuser$/ ) {
push @{ $byUid->{ $entry->{$whatToTrace} } },
{ id => $id, _utime => $entry->{_utime} };
......@@ -185,9 +188,16 @@ sub process {
}
else {
my $uid = $h{uid};
if($h{_httpSession}) {
my %h2;
eval { tie %h2, $globalStorage, $h{_httpSession}, $globalStorageOptions; tied(%h2)->delete(); };
if ($@) {
print "<strong>Error : $@</strong><br/>";
}
}
eval { tied(%h)->delete(); };
if ($@) {
print "<strong>Error : $@</strong>\n";
print "<strong>Error : $@</strong><br/>";
}
else {
print "<strong>Session effac&eacute;e ($uid)</strong>";
......@@ -236,6 +246,7 @@ sub process {
sub {
my $entry = shift;
my $id = shift;
next if($entry->{_httpSessionType});
if ( $entry->{ipAddr} eq $ip ) {
push @{ $byUser->{ $entry->{$whatToTrace} } },
{ id => $id, _utime => $entry->{_utime} };
......@@ -264,6 +275,7 @@ sub process {
sub {
my $entry = shift;
my $id = shift;
next if($entry->{_httpSessionType});
if ( $entry->{$whatToTrace} eq $uid ) {
push @{ $byIp->{ $entry->{ipAddr} } },
{ id => $id, _utime => $entry->{_utime} };
......@@ -292,6 +304,7 @@ sub process {
$globalStorageOptions,
sub {
my $entry = shift;
next if($entry->{_httpSessionType});
$entry->{$whatToTrace} =~ /^$letter/ or return undef;
$byUid->{ $entry->{$whatToTrace} }++;
},
......@@ -319,6 +332,7 @@ sub process {
$globalStorageOptions,
sub {
my $entry = shift;
next if($entry->{_httpSessionType});
$entry->{ipAddr} =~ /^$repartial(\d+)/ or return undef;
$byIp->{$1}++;
$count++;
......@@ -358,6 +372,7 @@ sub process {
$globalStorageOptions,
sub {
my $entry = shift;
next if($entry->{_httpSessionType});
$entry->{$whatToTrace} =~ /^(\w)/ or return undef;
$byUid->{$1}++;
$count++;
......
......@@ -703,10 +703,18 @@ sub store {
# Now, user is authenticated => inform Apache
$self->setApacheUser( $self->{sessionInfo}->{ $self->{whatToTrace} } );
$self->{sessionInfo}->{_utime} = time();
if ( $self->{securedCookie} == 2 ) {
my $h2 = $self->getApacheSession(undef);
$h2->{$_} = $self->{sessionInfo}->{$_}
foreach ( keys %{ $self->{sessionInfo} } );
$self->{sessionInfo}->{_httpSession} = $h2->{_session_id};
$h2->{_httpSessionType} = 1;
untie %$h2;
}
my $h = $self->getApacheSession(undef) or return PE_APACHESESSIONERROR;
$h->{$_} = $self->{sessionInfo}->{$_}
foreach ( keys %{ $self->{sessionInfo} } );
$h->{_utime} = time();
untie %$h;
PE_OK;
}
......@@ -725,6 +733,17 @@ sub buildCookie {
-secure => $self->{securedCookie},
@_,
);
if ( $self->{securedCookie} == 2 ) {
push @{ $self->{cookie} },
$self->cookie(
-name => $self->{cookieName}."http",
-value => $self->{sessionInfo}->{_httpSession},
-domain => $self->{domain},
-path => "/",
-secure => 0,
@_,
);
}
PE_OK;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment