EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #01534


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

[EP-tech] Re: EPrints webserver authentication, skipping authentication?


Il 07/02/2013 12:26, Jose Martin ha scritto:
Hi all,

Just in case someone meets this same problem, it was solved (in 3.3.10) by modifying the shibboleth/login script from the EPrints webserver authentication add-on to send the secure EPrints cookie along with the standard one:

is this needed in eprints 3.3 or in all eprints version?



my @b = ();
srand;
for(1..16) { push @b, sprintf( "%02X",int rand 256 ); }
my $securecode = join( "", @b );

# add ticket to DB
my $ip = $ENV{REMOTE_ADDR};
my $userid = $user->get_id;
# my $sql = "REPLACE INTO loginticket VALUES( '".EPrints::Database::prep_value($code)."', null, $userid, '".EPrints::Database::prep_value($ip)."', ".time.", ".(time+60*60*24*7)." )";
my $sql = "REPLACE INTO loginticket ( code, userid, ip, expires, securecode, time) VALUES( '".EPrints::Database::prep_value($code)."', $userid, '".EPrints::Database::prep_value($ip)."', ".(time+60*60*24*7).", '" . $securecode . "', ".time." )";

...

# make SECURE cookie
my $securecookie = $session->get_query->cookie(
         -name    =>  "secure_eprints_session",
         -path    =>  "/",
         -value   =>  $securecode,
         -domain  =>  $session->get_repository->get_conf("cookie_domain"),
         -expires =>  "+6h",
);

# send SECURE cookie in error headers
$r->err_headers_out->add('Set-Cookie' =>  $securecookie);


Although the IP-based session leak is now prevented by https://github.com/eprints/eprints/commit/a9c66337ec48994a8c481899f1d5a8039a98e8d0


Cheers,

	Jose

-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Paolo Tealdi
Sent: 22 January 2013 15:40
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?


On 01/22/2013 04:14 PM, Jose Martin wrote:

Hi Josè,

i'm using that plugin (with some small changes that i should get from our  local svn server ) with Shibboleth authentication and i don't see this "feature".
After logged in through Shibboleth  with Firefox from my machine, if i open Chrome the login button redirect me to shibboleth again.
Could be a problem  with YOUR Shibboleth authentication ?
This feature happens also accessing other shibboleth SP ?

Best regards,
Paolo Tealdi


Hi,

Has anyone implemented EPrints webserver authentication as in http://files.eprints.org/738/?

I have integrated a 3.3.10 repository with an external Shibboleth
authentication system, but it seems that once a session is successfully started, you can launch another browser and upon clicking "Login", it will "steal" the other browser's session and display the "Manage deposits | Profile..." options.

Apparently, it reuses the login ticket from the former, valid session.

Has anyone noticed this behaviour as well?

Cheers,

                  Jose

----

Jose Martin

Digital Repositories Specialist

Research Technologies Group

University of London Computer Centre

Senate House  |  Malet Street  |  London  |  WC1E 7HU

t: +44 (0)20 7863 1342

e: J.Martin@ulcc.ac.uk

w: http://www.ulcc.ac.uk/

b: http://dablog.ulcc.ac.uk/

The University of London is an exempt charity in England and Wales and
a charity registered in Scotland (reg. no. SC041194)

----



*** Options:
http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/