Hi, I solved a login_if problem. I wonder if someone else has experienced this issue?
PHPlib 7.2 under Linux 2.4.10 (SuSE 7.3) with Konqueror.
By using the default login feature (var $nobody = true;) I discovered a problem while logging in as a specific user (via url?again=yes):
The login form claimed 'Either your username ... are invalid' even if I definitely put in the correct username/password.
I found a vulnerability (bug?) in the *loginform.ihtml files: They use
<form name="login" action="<?php print $this->url() ?>" method=post>
to redirect to the page you come from.
Unfortunately this gives the 'again=yes' back and results in a 'login-loop'.
Hint: Replace the PHP line above with:
<form name="login" action="<?php
$full_url = $this->url();
$url = substr($full_url,0,strpos($full_url,"?"));
print $url; ?>" method=post>
This should fix the problem.
Sascha
Logged In: YES
user_id=19736
Wouldn't this crush any GET requests during the login
process? The 'again' needs to be stripped but not all of
the GET request.
See comment in top of pages/defauth.php3 for a better way to
remove the 'again'.
Well, that's a pain.. here's the copy.. :)
// Remove the "again=yes" from QUERY_STRING. This is required
// because the login form will be submitted to the URL of this
// page. This URL is constructed from $PHP_SELF and $QUERY_STRING.
// So, we need to remove this parameter from QUERY_STRING or else
// after the user submits a username and password, we will unauth
// them before they even get logged in!
$HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace(
    "(^|&)again=yes(&|$)",
    "\\1", $HTTP_SERVER_VARS["QUERY_STRING"]);
Marking this as a documentation bug, as it is something that
needs to be added to the docs
:)
Logged In: YES
user_id=279065
Why is this a doc bug instead of fixing code as suggested
in defauth.php3?
Color me confused,
..chris
Logged In: YES
user_id=19736
Because the ?again=yes syntax is specific to the example pages.
There's no magic flag in the auth code that looks for again
and forces a login if it's there; that is left up to the end
user. IMHO, this is better because it can be more flexible
(a developer can use any flag they so desire); however, it
also means that the user/developer needs to remove her
specific relogin flag at reauth time to avoid the loop.
It's a doc bug because I don't think it's clear that the
again=yes semantics are examples, and not hardcoded class
restrictions. Also, the documentation should be updated to
remind the developer to remove her flag before beginning the
login process.
In the end it may be better to implement this as a class
option; however I don't feel that is a prudent thing to do
in 7.x.
Logged In: NO
Hi Nathan,
your solution with 'ereg_replace' is much smarter than mine ;-) BUT:
My understanding is that everyone working with 'default login' is experiencing this issue. Therefore it might make sense to implement this in the library itself.
By creating an object inherited from 'Auth' the programmer is able to decide if 'default login' is allowed. What about defining the magic token (default 'again=yes') in this context? Then the actual code is able to remove it during the login procedure.
Cheers,
Sascha
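As an added example (not PHPlib's code, nor written by either poster) covering both Nathan's strip-only-the-flag approach and Sascha's idea of a configurable trigger token: the flag is removed by parsing the query string rather than by regex, so the remaining GET parameters survive intact and no stray '&' is left behind when the flag is the last parameter. It assumes PHP 7 or later; the script path and query strings are constructed sample values.

```php
<?php
// Added example, not PHPlib code. Strip one re-login flag (default
// "again=yes", the token the example pages use) from a query string
// while keeping every other GET parameter. Requires PHP 7+.
function strip_relogin_flag(string $query, string $flag = 'again', string $value = 'yes'): string
{
    parse_str($query, $params);            // decode into an array, honouring urlencoding
    if (isset($params[$flag]) && $params[$flag] === $value) {
        unset($params[$flag]);             // drop only the trigger, nothing else
    }
    return http_build_query($params);      // rebuild with no leading/trailing '&'
}

// Form action the login form can post back to: current script path plus
// the cleaned query string (empty query -> no '?' at all).
function login_form_action(string $script, string $query): string
{
    $clean = strip_relogin_flag($query);
    return $clean === '' ? $script : $script . '?' . $clean;
}

// Constructed samples: flag first, middle, last, alone, absent, and a
// non-trigger value for the same key (left untouched).
$samples = [
    'again=yes&page=3',
    'page=3&again=yes&sort=name',
    'page=3&again=yes',
    'again=yes',
    'page=3',
    'again=no&page=3',
];
foreach ($samples as $q) {
    printf("%-30s -> %s\n", $q, login_form_action('/example/index.php', $q));
}
```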