
[EP-tech] Re: EPrints webserver authentication, skipping authentication?



Thanks for your answer.

I really meant a different browser: if I log in using Chrome and then go to the repo home page using Firefox, it will "borrow" Chrome's session when clicking on the "Login" link without asking for any credentials, nor going through the login script (http://wiki.eprints.org/w/Files/EPrints_webserver_authentication#Add_the_login_script)

It behaves just the same the other way round: authenticating via Firefox and then using a new Chrome window.

And the same login ticket in the DB gets its "expires" value updated, no matter if you are using the "genuine" browser or the "borrower" one.

This, of course, does not happen if the whole Webserver authentication system is disabled.


-----Original Message-----
From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Ian Stuart
Sent: 22 January 2013 15:26
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?

Firstly, it depends on what you mean by "another browser": if you open another Chrome, Firefox, or IE window, it just reuses the same core process, with another GUI.... so it's actually the same as opening another tab.

It depends, to a certain extent, on how the external Shibb authentication was done - but my experience of it (a few years ago now) was that Shibb sets a cookie, which is global for the browser - so the same behaviour would happen for any other service that uses the Shibb system (which is where I noticed the behaviour).

You'll also find that if you log out of the service, but don't close the browser, you'll probably be logged in again automagically when you return to the site again.

On 22/01/13 15:14, Jose Martin wrote:
> Hi,
>
> Has anyone implemented EPrints webserver authentication as in 
> http://files.eprints.org/738/?
>
> I have integrated a 3.3.10 repository with an external Shibboleth 
> authentication system, but it seems that once a session is 
> successfully started, you can launch another browser and upon clicking 
> "Login", it will "steal" the other browser's session and display the 
> "Manage deposits | Profile..." options.
>
> Apparently, it reuses the login ticket from the former, valid session.
>
> Has anyone noticed this behaviour as well?
>



-- 

Ian Stuart.
Developer: ORI, RJ-Broker, and OpenDepot.org Bibliographics and Multimedia Service Delivery team, EDINA, The University of Edinburgh.

http://edina.ac.uk/
