When cosign is being run on a site that uses mod_rewrite to restructure the namespace, the redirect back to a page from the weblogin server can end up going to the wrong location. The specific case we're seeing this in is where a PHP directory is protected with a .htaccess file that invokes cosign. Other areas of the site which use mod_rewrite to point to that PHP directory work fine when a redirect to the weblogin server isn't required, but when one is performed, the user is directed back to the PHP directory, rather than to the URI they originally requested. This is with Apache 1.3 - I haven't yet reviewed the Apache 2 code to see if the same problem exists.
Test case:
$SITEHTML/foo/ contains a .htaccess file containing:
RewriteEngine On
RewriteBase /foo/
# Strip an optional leading directory segment and serve the bar/... path directly
RewriteRule ^([_0-9a-zA-Z-]+/)?(bar.*) $2 [L]
$SITEHTML/bar/ contains a .htaccess with
CosignProtected On
AuthType Cosign
Require valid-user
A request for http://SITE/foo/bar/test.php which requires a redirect to the cosign server will return the user to http://SITE/bar/test.php
This is because the set_cookie_and_redirect() function pulls the unparsed_uri field from the structure of the current request (that is, the one that invoked cosign), rather than from the request that the user initiated. Whilst this problem could be fixed by careful configuration by the site administrator, a fix is also possible in cosign itself - by extracting the URI from the first request submitted by the user, rather than from the internal-redirect which triggered the authentication.
A lightly tested patch which implements this is attached for comment.
Cheers,
Simon.
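The request-chain walk the report proposes, as an added example that is not part of the post or of the cosign module: it models Apache's request_rec with a constructed stand-in struct carrying only the three fields the logic touches (unparsed_uri, prev for internal redirects, main for subrequests), replays the test case above (original request /foo/bar/test.php, internal redirect to /bar/test.php), and contrasts the current behaviour with the fix. The function names are assumptions; cosign's real set_cookie_and_redirect() also prepends scheme and host, which is omitted here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Apache's request_rec: only the fields needed here.
 * In httpd, a per-directory mod_rewrite rule is applied through an internal
 * redirect, so the request cosign's handler sees is not the one the client sent. */
typedef struct request_rec {
    const char *unparsed_uri;   /* URI exactly as it appeared in the request line */
    struct request_rec *prev;   /* earlier request in an internal-redirect chain, or NULL */
    struct request_rec *main;   /* enclosing request if this is a subrequest, or NULL */
} request_rec;

/* Behaviour the report describes: take the URI of the request that invoked
 * cosign, i.e. the internally redirected one. */
const char *redirect_uri_current(const request_rec *r) {
    return r->unparsed_uri;
}

/* Fix sketched in the report: walk back along prev (internal redirects) and
 * main (subrequests) until the request the client actually submitted is found. */
const char *redirect_uri_original(const request_rec *r) {
    while (r->prev != NULL || r->main != NULL) {
        r = (r->prev != NULL) ? r->prev : r->main;
    }
    return r->unparsed_uri;
}

/* Replay the report's test case with a constructed two-request chain. */
static request_rec *test_case_chain(void) {
    static request_rec original  = { "/foo/bar/test.php", NULL, NULL };
    static request_rec rewritten = { "/bar/test.php", &original, NULL };
    return &rewritten;   /* cosign's authentication hook runs on the rewritten request */
}

const char *buggy_redirect_target(void) {
    return redirect_uri_current(test_case_chain());
}

const char *fixed_redirect_target(void) {
    return redirect_uri_original(test_case_chain());
}

int main(void) {
    printf("current behaviour returns user to: %s\n", buggy_redirect_target());
    printf("with original-request fix:         %s\n", fixed_redirect_target());
    return 0;
}
```

Walking both prev and main covers the case where the protected directory is reached through a subrequest as well as through a rewrite-driven internal redirect; either way the value handed to the weblogin server is still client-supplied path data, so it should be combined with the server's own scheme and host rather than anything taken from request headers.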
Anonymous
Simon, I'm not sure how we let this go so long without discussion. It looks pretty reasonable to me. Have you been using it at all?