EPrints Technical Mailing List Archive
Message: #01537
[EP-tech] Re: EPrints webserver authentication, skipping authentication?
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Tim Brody <tdb2@ecs.soton.ac.uk>
- Date: Thu, 07 Feb 2013 12:54:41 +0000
Only applies to 3.3, which has http and https cookies (better security).

/Tim.

On Thu, 07 Feb 2013 12:55:24 +0100, Yuri <yurj@alfa.it> wrote:
> On 07/02/2013 12:26, Jose Martin wrote:
>> Hi all,
>>
>> Just in case someone meets this same problem, it was solved (in 3.3.10)
>> by modifying the shibboleth/login script from the EPrints webserver
>> authentication add-on to send the secure EPrints cookie along with the
>> standard one:
>
> Is this needed in EPrints 3.3 or in all EPrints versions?
>
>>
>> my @b = ();
>> srand;
>> for(1..16) { push @b, sprintf( "%02X", int rand 256 ); }
>> my $securecode = join( "", @b );
>>
>> # add ticket to DB
>> my $ip = $ENV{REMOTE_ADDR};
>> my $userid = $user->get_id;
>> # my $sql = "REPLACE INTO loginticket VALUES(
>> #     '".EPrints::Database::prep_value($code)."', null, $userid,
>> #     '".EPrints::Database::prep_value($ip)."', ".time.",
>> #     ".(time+60*60*24*7)." )";
>> my $sql = "REPLACE INTO loginticket ( code, userid, ip, expires, securecode, time )
>>     VALUES( '".EPrints::Database::prep_value($code)."',
>>     $userid, '".EPrints::Database::prep_value($ip)."',
>>     ".(time+60*60*24*7).", '".$securecode."', ".time." )";
>>
>> ...
>>
>> # make SECURE cookie
>> my $securecookie = $session->get_query->cookie(
>>     -name    => "secure_eprints_session",
>>     -path    => "/",
>>     -value   => $securecode,
>>     -domain  => $session->get_repository->get_conf("cookie_domain"),
>>     -expires => "+6h",
>> );
>>
>> # send SECURE cookie in error headers
>> $r->err_headers_out->add('Set-Cookie' => $securecookie);
>>
>>
>> Although the IP-based session leak is now prevented by
>> https://github.com/eprints/eprints/commit/a9c66337ec48994a8c481899f1d5a8039a98e8d0
>>
>> Cheers,
>>
>> Jose
>>
>> -----Original Message-----
>> From: eprints-tech-bounces@ecs.soton.ac.uk
>> [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Paolo Tealdi
>> Sent: 22 January 2013 15:40
>> To: eprints-tech@ecs.soton.ac.uk
>> Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?
>>
>> On 01/22/2013 04:14 PM, Jose Martin wrote:
>>
>> Hi Josè,
>>
>> I'm using that plugin (with some small changes that I should get from our
>> local svn server) with Shibboleth authentication and I don't see this
>> "feature".
>> After logging in through Shibboleth with Firefox from my machine, if I
>> open Chrome the login button redirects me to Shibboleth again.
>> Could it be a problem with YOUR Shibboleth authentication?
>> Does this also happen when accessing other Shibboleth SPs?
>>
>> Best regards,
>> Paolo Tealdi
>>
>>> Hi,
>>>
>>> Has anyone implemented EPrints webserver authentication as in
>>> http://files.eprints.org/738/?
>>>
>>> I have integrated a 3.3.10 repository with an external Shibboleth
>>> authentication system, but it seems that once a session is successfully
>>> started, you can launch another browser and upon clicking "Login", it
>>> will "steal" the other browser's session and display the "Manage
>>> deposits | Profile..." options.
>>>
>>> Apparently, it reuses the login ticket from the former, valid session.
>>>
>>> Has anyone noticed this behaviour as well?
>>>
>>> Cheers,
>>>
>>> Jose
>>>
>>> ----
>>> Jose Martin
>>> Digital Repositories Specialist
>>> Research Technologies Group
>>> University of London Computer Centre
>>> Senate House | Malet Street | London | WC1E 7HU
>>> t: +44 (0)20 7863 1342
>>> e: J.Martin@ulcc.ac.uk
>>> w: http://www.ulcc.ac.uk/
>>> b: http://dablog.ulcc.ac.uk/
>>>
>>> The University of London is an exempt charity in England and Wales and
>>> a charity registered in Scotland (reg. no. SC041194)
>>> ----
>>>
>>> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>>> *** Archive: http://www.eprints.org/tech.php/
>>> *** EPrints community wiki: http://wiki.eprints.org/
>>

--
All the best,
Tim.
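As an added example (not code from this thread or from EPrints itself), a standalone Python model of the loginticket table from Jose's snippet: a lookup keyed only on the client address, which is the assumed mechanism behind a second browser on the same machine inheriting the session, next to a lookup that requires both the standard and the secure cookie to match the stored ticket. Table, column and cookie names follow the quoted Perl; the two lookup functions and the in-memory database are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

TICKET_TTL = 60 * 60 * 24 * 7  # one week, as in the quoted Perl (time+60*60*24*7)


def open_ticket_db():
    """In-memory stand-in for the loginticket table (constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE loginticket (code TEXT PRIMARY KEY, userid INTEGER, "
               "ip TEXT, expires INTEGER, securecode TEXT, time INTEGER)")
    return db


def issue_ticket(db, userid, ip, now=None):
    """Mint a standard code and a secure code, store both, return them as cookie values."""
    now = int(time.time() if now is None else now)
    code = secrets.token_hex(16).upper()        # CSPRNG instead of srand/rand
    securecode = secrets.token_hex(16).upper()
    db.execute("REPLACE INTO loginticket (code, userid, ip, expires, securecode, time) "
               "VALUES (?, ?, ?, ?, ?, ?)",
               (code, userid, ip, now + TICKET_TTL, securecode, now))
    return {"eprints_session": code, "secure_eprints_session": securecode}


def lookup_by_ip(db, ip, now=None):
    """Leaky lookup (assumed model of the reported behaviour): any client that
    shares the address, cookies or not, inherits the stored ticket."""
    now = int(time.time() if now is None else now)
    row = db.execute("SELECT userid FROM loginticket WHERE ip = ? AND expires > ?",
                     (ip, now)).fetchone()
    return row[0] if row else None


def lookup_by_cookies(db, cookies, ip, now=None):
    """Hardened lookup: the ticket is keyed by the standard cookie, must carry the
    secure cookie's value, and the stored address is a bind, never the key."""
    now = int(time.time() if now is None else now)
    code = cookies.get("eprints_session")
    securecode = cookies.get("secure_eprints_session")
    if not code or not securecode:
        return None
    row = db.execute("SELECT userid, ip, securecode FROM loginticket "
                     "WHERE code = ? AND expires > ?", (code, now)).fetchone()
    if row is None or row[1] != ip:
        return None
    if not secrets.compare_digest(row[2], securecode):  # constant-time compare
        return None
    return row[0]
```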
- References:
- [EP-tech] EPrints webserver authentication, skipping authentication?
- From: Jose Martin <J.Martin@ulcc.ac.uk>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Paolo Tealdi <paolo.tealdi@polito.it>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Jose Martin <J.Martin@ulcc.ac.uk>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Yuri <yurj@alfa.it>
- [EP-tech] EPrints webserver authentication, skipping authentication?