[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] Re: EPrints webserver authentication, skipping authentication?



Hi all,

Just in case someone meets this same problem, it was solved (in 3.3.10) by modifying the shibboleth/login script from the EPrints webserver authentication add-on to send the secure EPrints cookie along with the standard one:


my @b = ();
srand;
for(1..16) { push @b, sprintf( "%02X",int rand 256 ); }
my $securecode = join( "", @b );

# add ticket to DB
my $ip = $ENV{REMOTE_ADDR};
my $userid = $user->get_id;
# my $sql = "REPLACE INTO loginticket VALUES( '".EPrints::Database::prep_value($code)."', null, $userid, '".EPrints::Database::prep_value($ip)."', ".time.", ".(time+60*60*24*7)." )";
my $sql = "REPLACE INTO loginticket ( code, userid, ip, expires, securecode, time) VALUES( '".EPrints::Database::prep_value($code)."', $userid, '".EPrints::Database::prep_value($ip)."', ".(time+60*60*24*7).", '" . $securecode . "', ".time." )";

...

# make SECURE cookie
my $securecookie = $session->get_query->cookie(
        -name    => "secure_eprints_session",
        -path    => "/",
        -value   => $securecode,
        -domain  => $session->get_repository->get_conf("cookie_domain"),
        -expires => "+6h",
);

# send SECURE cookie in error headers
$r->err_headers_out->add('Set-Cookie' => $securecookie);


Although the IP-based session leak is now prevented by https://github.com/eprints/eprints/commit/a9c66337ec48994a8c481899f1d5a8039a98e8d0


Cheers,

	Jose

-----Original Message-----
From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Paolo Tealdi
Sent: 22 January 2013 15:40
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?


On 01/22/2013 04:14 PM, Jose Martin wrote:

Hi Jos?,

i'm using that plugin (with some small changes that i should get from our  local svn server ) with Shibboleth authentication and i don't see this "feature".
After logged in through Shibboleth  with Firefox from my machine, if i open Chrome the login button redirect me to shibboleth again.
Could be a problem  with YOUR Shibboleth authentication ?
This feature happens also accessing other shibboleth SP ?

Best regards,
Paolo Tealdi


> Hi,
>
> Has anyone implemented EPrints webserver authentication as in http://files.eprints.org/738/?
>
> I have integrated a 3.3.10 repository with an external Shibboleth 
> authentication system, but it seems that once a session is successfully started, you can launch another browser and upon clicking "Login", it will "steal" the other browser's session and display the "Manage deposits | Profile..." options.
>
> Apparently, it reuses the login ticket from the former, valid session.
>
> Has anyone noticed this behaviour as well?
>
> Cheers,
>
>                  Jose
>
> ----
>
> Jose Martin
>
> Digital Repositories Specialist
>
> Research Technologies Group
>
> University of London Computer Centre
>
> Senate House  |  Malet Street  |  London  |  WC1E 7HU
>
> t: +44 (0)20 7863 1342
>
> e: J.Martin at ulcc.ac.uk
>
> w: http://www.ulcc.ac.uk/
>
> b: http://dablog.ulcc.ac.uk/
>
> The University of London is an exempt charity in England and Wales and 
> a charity registered in Scotland (reg. no. SC041194)
>
> ----
>
>
>
> *** Options: 
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
>


-- 
Ing. Paolo Tealdi         Area IT - Politecnico Torino
Telefono/Phone : +39-011-0906714 , FAX : +39-011-0906799 Indirizzo/Address : C.so Duca degli Abruzzi,  24 - 10129 Torino - ITALY Skype : tealdi.paolo Please consider your environmental responsibility before printing this e-mail
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/