EPrints Technical Mailing List Archive


Message: #01535



[EP-tech] Re: EPrints webserver authentication, skipping authentication?


It was needed in our 3.3.10 using HTTPS. I guess, basically, have a look at the cookies that EPrints would generate when using HTTPS with the EPrints native authentication system and make the webserver authentication system do the same.


-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Yuri
Sent: 07 February 2013 11:55
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?

On 07/02/2013 12:26, Jose Martin wrote:
> Hi all,
>
> Just in case someone meets this same problem, it was solved (in 3.3.10) by modifying the shibboleth/login script from the EPrints webserver authentication add-on to send the secure EPrints cookie along with the standard one:

Is this needed in EPrints 3.3 or in all EPrints versions?

>
>
> my @b = ();
> srand;
> for(1..16) { push @b, sprintf( "%02X",int rand 256 ); }
> my $securecode = join( "", @b );
>
> # add ticket to DB
> my $ip = $ENV{REMOTE_ADDR};
> my $userid = $user->get_id;
> # my $sql = "REPLACE INTO loginticket VALUES( '".EPrints::Database::prep_value($code)."', null, $userid, '".EPrints::Database::prep_value($ip)."', ".time.", ".(time+60*60*24*7)." )";
> my $sql = "REPLACE INTO loginticket ( code, userid, ip, expires, securecode, time) VALUES( '".EPrints::Database::prep_value($code)."', $userid, '".EPrints::Database::prep_value($ip)."', ".(time+60*60*24*7).", '" . $securecode . "', ".time." )";
>
> ...
>
> # make SECURE cookie
> my $securecookie = $session->get_query->cookie(
>          -name    =>  "secure_eprints_session",
>          -path    =>  "/",
>          -value   =>  $securecode,
>          -domain  =>  $session->get_repository->get_conf("cookie_domain"),
>          -expires =>  "+6h",
> );
>
> # send SECURE cookie in error headers
> $r->err_headers_out->add('Set-Cookie' =>  $securecookie);
>
>
> Although the IP-based session leak is now prevented by
> https://github.com/eprints/eprints/commit/a9c66337ec48994a8c481899f1d5a8039a98e8d0
>
>
> Cheers,
>
> 	Jose
>
> -----Original Message-----
> From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Paolo Tealdi
> Sent: 22 January 2013 15:40
> To: eprints-tech@ecs.soton.ac.uk
> Subject: [EP-tech] Re: EPrints webserver authentication, skipping authentication?
>
>
> On 01/22/2013 04:14 PM, Jose Martin wrote:
>
> Hi Josè,
>
> I'm using that plugin (with some small changes that I should get from our local svn server) with Shibboleth authentication and I don't see this "feature".
> After logging in through Shibboleth with Firefox from my machine, if I open Chrome the login button redirects me to Shibboleth again.
> Could it be a problem with YOUR Shibboleth authentication?
> Does this feature also happen when accessing other Shibboleth SPs?
>
> Best regards,
> Paolo Tealdi
>
>
>> Hi,
>>
>> Has anyone implemented EPrints webserver authentication as in http://files.eprints.org/738/?
>>
>> I have integrated a 3.3.10 repository with an external Shibboleth authentication system, but it seems that once a session is successfully started, you can launch another browser and upon clicking "Login", it will "steal" the other browser's session and display the "Manage deposits | Profile..." options.
>>
>> Apparently, it reuses the login ticket from the former, valid session.
>>
>> Has anyone noticed this behaviour as well?
>>
>> Cheers,
>>
>>                   Jose
>>
>> ----
>>
>> Jose Martin
>>
>> Digital Repositories Specialist
>>
>> Research Technologies Group
>>
>> University of London Computer Centre
>>
>> Senate House  |  Malet Street  |  London  |  WC1E 7HU
>>
>> t: +44 (0)20 7863 1342
>>
>> e: J.Martin@ulcc.ac.uk
>>
>> w: http://www.ulcc.ac.uk/
>>
>> b: http://dablog.ulcc.ac.uk/
>>
>> The University of London is an exempt charity in England and Wales 
>> and a charity registered in Scotland (reg. no. SC041194)
>>
>> ----
>>
>>
>>
>>
>


*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
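Jose's quoted patch mints the securecode with srand/rand and builds the REPLACE statement by string concatenation. The following is an added illustration, not code from EPrints or the webserver-authentication add-on, of the same two-cookie ticket issued with the kernel CSPRNG, DBI bind parameters, and the Secure and HttpOnly flags. It assumes a DBI handle to a loginticket table with the columns shown in the thread, that the standard cookie is named eprints_session, and caller-supplied $userid, $ip and $cookie_domain values.

```perl
use strict;
use warnings;
use CGI::Cookie;

# Hypothetical helper: 16 bytes from the kernel CSPRNG, hex-encoded, in place
# of the srand/rand loop in the thread (rand output is guessable).
sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, $nbytes) == $nbytes or die "short read from urandom";
    close $fh;
    return uc unpack('H*', $bytes);    # 2*$nbytes hex characters
}

# Mint a ticket row and the two cookies EPrints expects over HTTPS.
# $dbh: DBI handle (assumed); table columns as posted in the thread.
sub issue_login_ticket {
    my ($dbh, $userid, $ip, $cookie_domain) = @_;
    my $code       = random_hex(16);
    my $securecode = random_hex(16);
    my $now        = time;
    my $expires    = $now + 60 * 60 * 24 * 7;    # one week, as in the thread
    # Bind parameters: DBI quotes them, replacing the prep_value concatenation.
    $dbh->do(
        'REPLACE INTO loginticket (code, userid, ip, expires, securecode, time)
         VALUES (?, ?, ?, ?, ?, ?)',
        undef, $code, $userid, $ip, $expires, $securecode, $now,
    );
    # Standard session cookie (name assumed); sent on HTTP and HTTPS alike.
    my $session_cookie = CGI::Cookie->new(
        -name     => 'eprints_session',
        -value    => $code,
        -path     => '/',
        -domain   => $cookie_domain,
        -httponly => 1,
    );
    # Secure cookie: the Secure flag stops the browser sending it in clear, so a
    # client holding only the standard cookie cannot satisfy the HTTPS check.
    my $secure_cookie = CGI::Cookie->new(
        -name     => 'secure_eprints_session',
        -value    => $securecode,
        -path     => '/',
        -domain   => $cookie_domain,
        -expires  => '+6h',
        -secure   => 1,
        -httponly => 1,
    );
    # Caller emits each with $r->err_headers_out->add('Set-Cookie' => "$cookie")
    return ($session_cookie, $secure_cookie);
}
```

Each returned CGI::Cookie stringifies to a Set-Cookie header value, so the add-on's existing err_headers_out call from the thread can emit both without further changes.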