EPrints Technical Mailing List Archive
Message: #01534
[EP-tech] Re: EPrints webserver authentication, skipping authentication?
- To: eprints-tech@ecs.soton.ac.uk
- Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Yuri <yurj@alfa.it>
- Date: Thu, 07 Feb 2013 12:55:24 +0100
On 07/02/2013 12:26, Jose Martin wrote:
> Hi all,
>
> Just in case someone meets this same problem, it was solved (in 3.3.10) by modifying the shibboleth/login script from the EPrints webserver authentication add-on to send the secure EPrints cookie along with the standard one:

Is this needed in EPrints 3.3 or in all EPrints versions?

> my @b = ();
> srand;
> for(1..16) { push @b, sprintf( "%02X",int rand 256 ); }
> my $securecode = join( "", @b );
>
> # add ticket to DB
> my $ip = $ENV{REMOTE_ADDR};
> my $userid = $user->get_id;
> # my $sql = "REPLACE INTO loginticket VALUES( '".EPrints::Database::prep_value($code)."', null, $userid, '".EPrints::Database::prep_value($ip)."', ".time.", ".(time+60*60*24*7)." )";
> my $sql = "REPLACE INTO loginticket ( code, userid, ip, expires, securecode, time) VALUES( '".EPrints::Database::prep_value($code)."', $userid, '".EPrints::Database::prep_value($ip)."', ".(time+60*60*24*7).", '" . $securecode . "', ".time." )";
> ...
> # make SECURE cookie
> my $securecookie = $session->get_query->cookie(
>     -name    => "secure_eprints_session",
>     -path    => "/",
>     -value   => $securecode,
>     -domain  => $session->get_repository->get_conf("cookie_domain"),
>     -expires => "+6h",
> );
> # send SECURE cookie in error headers
> $r->err_headers_out->add('Set-Cookie' => $securecookie);
>
> Although the IP-based session leak is now prevented by https://github.com/eprints/eprints/commit/a9c66337ec48994a8c481899f1d5a8039a98e8d0
>
> Cheers,
> Jose
>
> -----Original Message-----
> From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Paolo Tealdi
> Sent: 22 January 2013 15:40
> To: eprints-tech@ecs.soton.ac.uk
> Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?
>
> On 01/22/2013 04:14 PM, Jose Martin wrote:
>
> Hi Josè,
>
> I'm using that plugin (with some small changes that I should get from our local svn server) with Shibboleth authentication and I don't see this "feature". After logging in through Shibboleth with Firefox from my machine, if I open Chrome the login button redirects me to Shibboleth again. Could it be a problem with YOUR Shibboleth authentication? Does this feature also happen when accessing other Shibboleth SPs?
>
> Best regards,
> Paolo Tealdi
>
>> Hi,
>>
>> Has anyone implemented EPrints webserver authentication as in http://files.eprints.org/738/?
>>
>> I have integrated a 3.3.10 repository with an external Shibboleth authentication system, but it seems that once a session is successfully started, you can launch another browser and upon clicking "Login", it will "steal" the other browser's session and display the "Manage deposits | Profile..." options. Apparently, it reuses the login ticket from the former, valid session. Has anyone noticed this behaviour as well?
>>
>> Cheers,
>> Jose
>>
>> ----
>> Jose Martin
>> Digital Repositories Specialist
>> Research Technologies Group
>> University of London Computer Centre
>> Senate House | Malet Street | London | WC1E 7HU
>> t: +44 (0)20 7863 1342
>> e: J.Martin@ulcc.ac.uk
>> w: http://www.ulcc.ac.uk/
>> b: http://dablog.ulcc.ac.uk/
>> The University of London is an exempt charity in England and Wales and a charity registered in Scotland (reg. no. SC041194)
>> ----

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
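
The ticket check this thread is about, as an added example that is not part of any message above and is not EPrints or add-on code: a self-contained Perl model comparing a lookup that falls back to the client IP (an assumed reading of the session "stealing" Jose reports) with one that requires both cookie values. The ticket row reuses the column names from the posted SQL; the sub names, sample values and addresses are constructed.

```perl
use strict;
use warnings;

# Constructed ticket row, using the column names from the SQL in the message.
my %ticket = (
    code       => 'A1' x 16,
    securecode => 'B2' x 16,
    userid     => 42,
    ip         => '192.0.2.10',
    expires    => time + 60 * 60 * 24 * 7,
);

# Assumed model of the reported behaviour: with no cookie presented, a live
# ticket issued to the same IP address is enough to resolve a user.
sub user_by_ip_fallback {
    my ($req) = @_;
    return undef if time >= $ticket{expires};
    return $ticket{userid} if defined $req->{code} && $req->{code} eq $ticket{code};
    return $ticket{userid} if $req->{ip} eq $ticket{ip};
    return undef;
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Hardened check: both cookie values must match the row; the IP is never a credential.
sub user_by_cookies {
    my ($req) = @_;
    return undef if time >= $ticket{expires};
    return undef unless same_string($req->{code}, $ticket{code});
    return undef unless same_string($req->{securecode}, $ticket{securecode});
    return $ticket{userid};
}

my $first  = { ip => '192.0.2.10', code => $ticket{code}, securecode => $ticket{securecode} };
my $second = { ip => '192.0.2.10' };    # second browser on the same host, no cookies

for my $check ([fallback => \&user_by_ip_fallback], [cookies => \&user_by_cookies]) {
    my ($name, $fn) = @$check;
    my ($u1, $u2) = ($fn->($first), $fn->($second));
    printf "%-8s first=%s second=%s\n", $name, $u1 // 'none', $u2 // 'none';
}
```

With the fallback, the cookie-less second request resolves to the same user as the first; with the cookie check it resolves to none. The value stored as securecode should come from a cryptographically secure source, which Perl's rand() is not.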
- Follow-Ups:
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Tim Brody <tdb2@ecs.soton.ac.uk>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- References:
- [EP-tech] EPrints webserver authentication, skipping authentication?
- From: Jose Martin <J.Martin@ulcc.ac.uk>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Paolo Tealdi <paolo.tealdi@polito.it>
- [EP-tech] Re: EPrints webserver authentication, skipping authentication?
- From: Jose Martin <J.Martin@ulcc.ac.uk>
- [EP-tech] EPrints webserver authentication, skipping authentication?