login_auth plugin - a couple of bugs (with fixes)

Summary:

Using the login_auth plugin, if I navigate away from squirrelmail
without properly signing out and then try to return to the page, I get
“Unknown user or password incorrect”. The same error then persists on
trying to refresh or reload the page. The plugin works fine when first
logging in or if I correctly sign out before leaving squirrelmail.

Details:

The problem occurs when we try to create an imap connection in
src/redirect.php. The session variable ‘user_is_logged_in’ gets unset,
so we try to log the user in again. The hook ‘login_before’ is called
but does not succeed in setting $login_username or $secretkey to
anything useful, because it can’t get the relevant variables
$login_auth, $login_auth_pass and $login_auth_user from SQ_SESSION. I’m
guessing that the relevant session has been destroyed before this hook
is called.
Present in squirrelmail 1.4.4 (the current Debian version) with PHP
4.3.10 on a standard Debian sarge install. Not tested against anything else.

Fix (or at least workaround... there may well be a better way):

I’m not sure that the session is not being destroyed for a good reason,
and I’d sooner change the plugin than the workings of squirrelmail. So,
we will make the assumption that if the login_auth plugin is loaded and
if PHP_AUTH_USER and PHP_AUTH_PASS are set, then we must surely want to
use them, and stop placing any reliance on the existence of a
squirrelmail session.

function login_auth_login_before_do()

{
global $just_logged_in, $login_username, $secretkey;
sqgetGlobalVar('PHP_AUTH_USER', $PHP_AUTH_USER, SQ_SERVER);
sqgetGlobalVar('PHP_AUTH_PW', $PHP_AUTH_PW, SQ_SERVER);
if (empty($PHP_AUTH_USER) || empty($PHP_AUTH_PW))
return;
$login_username = $PHP_AUTH_USER;
$secretkey = $PHP_AUTH_PW;
$just_logged_in = 1;
}

Other thoughts:

The use of HTTP authentication fundamentally breaks the Sign Out
function and we should not be telling users that they are successfully
signed out when clicking on Login will take them straight back in with
no further security checks. We should display an alternative signout
page when login_auth is used, telling users that they must close the
browser in order to log out. We might as well refrain from destroying
the session in this case too, so that if they hit the Back button they
get straight back in (which they would via the Login link anyway, so
it's no loss in security terms).

An updated version with fixes for both is at
http://xenon.dunnett.org/login_auth2.1-1.4.x.tar.gz

Comments welcome.

Regards,

Keith







-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid3432&bid#0486&dat1642
--
squirrelmail-plugins mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-plugins@...
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.plugins
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id931
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-plugins