Module: External Authentication

Posted by Joe Curia 
Re: Group-Office 3.0 plugin
January 05, 2009 11:13PM
Quote
hansvd
Based on the base plugin, I have put together a plugin for group-office (www.group-office.com). I found it hard to write a function that runs in the GO scope and extracts the username. Therefore, I tried --and succeeded (by accident??)-- to pick up the GO session and extract the user data from there. As GO doesn't hold the MD5 hash of the user's password in the session, I disabled password synchronisation.

I am new to PHP development and I am unsure whether this (playing around with the session) is the right thing to do. But on my test system (Windows/XAMPP), it's working like a charm. Before anyone deploys this plugin, I would like the Phorum gurus to give their opinion on my piece of art.

This is the correct way to get the initial session data and will work, however, without actually comparing the session data to what GO has in its database, you are leaving out a crucial security step. Without confirming the session data, it would be possible for me to create a false cookie with the admin username and thus gain access to the Phorum admin login.

Quote

I have only made edits to hook_user_session_restore.php and info.php. I left the other files untouched and I am not sure whether I can delete them from the plugin.

Yes, you can (and probably should) remove the unnecessary files. The code checks for file existence before it calls any file so no errors should be generated.

I am glad you were able to get started with the integration of GO, but I would strongly suggest finding the means to confirm the GO session against the GO database before going live with this. I would start by looking at GO's own code for authenticating the session and copying/modifying that for your needs here. The other important factor is entering the proper application path on the settings page in the Admin section for the module. For working with Elgg on my own test server with windows/xampp, I used "c:\xampp\htdocs\elgg" as the application path.

Good luck!


Joe Curia (aka Azumandias)
Modules: Admin Mass Email, Automatic Time Zones, Enhanced Custom Profiles, Google Calendar, Post Previews, Admin Security Suite, Check Modules for Upgrades, External Authentication, Group Auto-Email, Private Message Alerts, Attachment Download Counter, Custom Attachment Icons, Favorite Forums, Highlighted Search Terms, Self-Delete Posts Option, Attachment Watermarks, Custom Language Database, Forum Lockdown, Ignore Forums, Threaded Tree View, Automatic Message Pruning, Easy Color Scheme Manager, Forum Subscriptions, Moderated User Group
Templates: Generic Integration, Simple Rounded, Tabbed Emerald
Re: Group-Office 3.0 plugin
January 06, 2009 03:38AM
There's a big chance that trusting the session data is fine. If there is data in $_SESSION that indicates the logged-in user, that data is put in there by the GO application. One cannot directly feed the session data from a cookie. All that a cookie is used for in sessions is to find the data for the session. In this respect, $_SESSION data normally can be trusted.

If the authentication is done by providing a cookie with the user that has to be authenticated, then that would be a big flaw indeed, but I can hardly believe that there still would be serious projects that utilize this method.


Maurice Makaay
Phorum Development Team
Re: Group-Office 3.0 plugin
January 06, 2009 05:01AM
Thanks for your kind and prompt feedback.

Before I submitted the plugin, I tested whether it was impossible to get into Phorum if the user is logged out of GO, which is the case.

Just now, I did another test: logged a user in to GO. Then, I deleted the session on the server (by deleting the session file in the tmp directory). As I didn't do anything at the client side, the cookie was still there. In my opinion, this is the same as feeding a forged cookie to both applications. When I opened Phorum, I got the view of a non-logged-in user, which is OK. When clicking any tab in GO, it immediately threw a login screen at me, which is also OK.

Can you suggest any other test to challenge the security of the plugin?
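To make the $_SESSION argument from the previous two posts concrete, here is a small Python model of PHP's default file-based session handling. It is added here for illustration and is not code from the plugin, from Phorum or from Group-Office. The model replays the cases discussed in the thread: a normal GO login, a cookie that carries a username instead of a session id, a cookie with an unknown id, and the test above of deleting the session file on the server while the browser keeps its cookie. The session key GO_SESSION, the function names and the sample username are assumptions, not Group-Office's real layout.

```python
"""Model of PHP-style server-side sessions (the default 'files' handler).

The browser cookie only carries an opaque session id; the session *contents*
live in a file under session.save_path on the server.  This is why data that
an application wrote into $_SESSION cannot be injected from the client side.
Constructed example; key names and usernames are made up.
"""
import json
import os
import re
import secrets
import shutil
import tempfile

# PHP only accepts these characters in a session id coming from the cookie.
SID_RE = re.compile(r"^[0-9a-zA-Z,-]{1,128}$")


class FileSessionStore:
    """Minimal stand-in for PHP's files session handler."""

    def __init__(self, save_path):
        self.save_path = save_path

    def _path(self, sid):
        return os.path.join(self.save_path, "sess_" + sid)

    def start(self, cookie_sid):
        """Like session_start(): returns (sid, data).

        A cookie id that does not correspond to a file on the server yields an
        empty session.  (Without session.use_strict_mode PHP adopts the supplied
        id; with it a fresh id is issued.  Either way the data is empty.)
        """
        if cookie_sid is None or not SID_RE.match(cookie_sid):
            return secrets.token_hex(16), {}
        try:
            with open(self._path(cookie_sid), encoding="utf-8") as fh:
                return cookie_sid, json.load(fh)
        except FileNotFoundError:
            return cookie_sid, {}  # unknown or deleted session: no user data

    def save(self, sid, data):
        with open(self._path(sid), "w", encoding="utf-8") as fh:
            json.dump(data, fh)

    def destroy(self, sid):
        """Equivalent of deleting sess_<id> from the tmp directory by hand."""
        try:
            os.remove(self._path(sid))
        except FileNotFoundError:
            pass


def go_login(store, username):
    """Group-Office side (modelled): record the logged-in user in the session.
    GO_SESSION is an assumed key name.  Returns the id that would go in the cookie."""
    sid, data = store.start(None)
    data["GO_SESSION"] = {"username": username}
    store.save(sid, data)
    return sid


def phorum_restore(store, cookie_sid):
    """Phorum side (the plugin's session-restore hook, modelled): read the user
    from the shared session, or None when there is no logged-in GO user."""
    _, data = store.start(cookie_sid)
    return data.get("GO_SESSION", {}).get("username")


def run_scenarios():
    """Replay the tests discussed in the thread and return the outcome of each."""
    save_path = tempfile.mkdtemp()
    try:
        store = FileSessionStore(save_path)
        sid = go_login(store, "hansvd")
        results = {
            # Regular case: the cookie id points at a session GO wrote.
            "logged_in": phorum_restore(store, sid),
            # A username placed in the cookie is just an id with no session file.
            "username_in_cookie": phorum_restore(store, "admin"),
            # A random id nobody created on the server.
            "unknown_id": phorum_restore(store, secrets.token_hex(16)),
        }
        # The server-side test from the thread: delete the session file while
        # the browser still presents the old cookie.
        store.destroy(sid)
        results["after_server_delete"] = phorum_restore(store, sid)
        return results
    finally:
        shutil.rmtree(save_path, ignore_errors=True)


if __name__ == "__main__":
    for name, user in run_scenarios().items():
        print(f"{name}: {'anonymous' if user is None else user}")
```

Only the first scenario yields a user; the other three come back as an anonymous visitor, which matches what was observed above. The guarantee rests on the session data being written by the server-side application, so the plugin's hook should treat a missing or empty GO entry as "not logged in" rather than fall back to anything the client supplied.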
Re: Group-Office 3.0 plugin
January 06, 2009 07:39AM
I guess I am overly paranoid :-). Thank you for weighing in Maurice, I was not really aware of the security built into the $_SESSION data. It also sounds like you did a good job of testing the various scenarios hansvd.

Thanks for making your plugin publicly available. I will add it to the full download of the module (sans the extra files).

As you are the first to make a plugin like this available, I realize I didn't set up any way to show recognition for the plugin creator. I think I will add an author field to the info.php file for each plugin which will show on the settings page when the plugin is selected. I will prefill this with hansvd for you, but if you would like anything else instead, please let me know.

Again, thanks for your work on this.


Joe Curia (aka Azumandias)
Re: Group-Office 3.0 plugin
January 06, 2009 05:39PM
No real need for recognition. The kindness with which I was accepted as a first time poster on this forum is more than enough. If you insist: in the area where I live, this is the very best way to show recognition.

Cheers!
Re: Module: External Authentication
February 09, 2009 04:44PM
I have a question:

I fought with this exact situation last summer. The one issue that was sticky was that I added Phorum to a site that had been up for a while already and I had hundreds of thousands of users, yet the Phorum db was empty. It seems this module syncs "from this point forward" but I don't see any reference to dealing with legacy/existing users.

I guess the question is "how do you deal with existing users in the external app?"

[edit] I have a couple of latent issues with my bit, and I'm looking to see if I should change over to yours or just attempt to fix the problems.



Edited 1 time(s). Last edit at 02/09/2009 04:46PM by sazaraki.
Re: Module: External Authentication
February 09, 2009 05:05PM
The Group-Office plugin will create the user in Phorum as soon as he/she reaches Phorum from a Group-Office session. As I exactly followed the method suggested by the plugin template, I assume all plugins --also new ones to come-- will share that behaviour.

The nice thing about this approach is that actually nothing happens or needs to be done when a user is created in the "master" system, thus eliminating possible issues with legacy users as you describe above.
Re: Module: External Authentication
February 09, 2009 05:22PM
Quote
hansvd
The nice thing about this approach is that actually nothing happens or needs to be done when a user is created in the "master" system, thus eliminating possible issues with legacy users as you describe above.

Right, that's the approach that I took. But I'm having problems with it. I'll detail it on another thread.
Re: Module: External Authentication
March 02, 2009 10:43AM
What are the chances of seeing a Website Baker (v 2.7) plugin for this module? I'm running Phorum v. 5.2.10.
Re: Module: External Authentication
March 02, 2009 08:44PM
Well, the chances are much better now that you asked for one :) Unfortunately, I have a number of projects on my list, so I won't be able to get around to this anytime soon. If anyone else would care to give it a try they are welcome to it. Otherwise give me at least a couple of months before I can get to this.


Joe Curia (aka Azumandias)