[Freeipa-devel] [PATCH 64] Implement password based session login

John Dennis jdennis at redhat.com
Sun Feb 26 20:54:48 UTC 2012


On 02/26/2012 03:38 PM, Rob Crittenden wrote:
> John Dennis wrote:
>> This patch adds support for password based session login (see detailed
>> comments in patch)
>>
>> Only the server side is implemented; someone will have to add password
>> based login to the UI. When they do they should update the unauthorized
>> messages to include the new method; those messages occur in two places.
>>
>> * in install/html/unauthorized.html
>> * in the function error_handler() in install/ui/ipa.js:442
>>
>> Sending the login requires sending the username (not the principal) and
>> password as application/x-www-form-urlencoded parameters in a GET or
>> POST request. Note, I only tested GET, but POST should work. Attached is
>> a curl script I used to test (send_login_password).
>>
>> There is one other minor issue not included in any previous patches nor
>> this one, the VERSION file should be updated to force the apache
>> configuration to be updated.
>
> If one keeps running the script more and more cookies get set each time
> (it seems to add a new session every other request). I ended up with:
>
> <  HTTP/1.1 200 Success
> <  Date: Sun, 26 Feb 2012 20:36:38 GMT
> <  Server: Apache/2.2.21 (Fedora)
> <  Set-Cookie: ipa_session=905b903b164cc8449a1619f610012ad0; httponly;
> Path=/ipa; secure
> <  Set-Cookie: ipa_session=296d1c815326806be5dc609593950787; httponly;
> Path=/ipa; secure
> <  Set-Cookie: ipa_session=0a3ddb3e43f093f54acac0568bf2c8af; httponly;
> Path=/ipa; secure
> <  Set-Cookie: ipa_session=df4b39d4fe659ebfc401ee154c32fd1d; httponly;
> Path=/ipa; secure
> <  Set-Cookie: ipa_session=10ce26f372355b7ed2d11f34dbce8edf; httponly;
> Path=/ipa; secure
> <  Content-Length: 0
> <  Connection: close
> <  Content-Type: text/plain; charset=UTF-8
> <
> * Closing connection #0
>
> It also looks like some of the sessions only appear from time to time.
> For example, the next request I did did not contain
> 905b903b164cc8449a1619f610012ad0 but the one after that did again.

I assume you're running the script I attached. The reason you keep 
getting new sessions is that the script does not send the previous 
cookie back; from the server's perspective these all appear to be new 
login requests. Sessions are not tracked by user, they are tracked by 
session id.

FWIW, there is a curl option to resend the cookies from the response it 
saved last time; I did not enable that in the script, but you could try 
it if you wish.

I'm not sure about the every other request behavior, I'll look into that.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
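
The behaviour discussed in this thread, as an added example that is not part of the original message or of the FreeIPA code base: a small in-process model of a password-login endpoint that keys sessions by session id, exercised once by a client that discards cookies (what the attached curl script does) and once by a client that replays them through a cookie jar. The endpoint path `/ipa/session/login_password` and the form parameter names `user` and `password` are assumptions, not taken from the thread; the credentials are constructed for the demo. The demo server deliberately omits the `secure` attribute because it listens on loopback HTTP, and both `http.cookiejar` and curl refuse to replay a `secure` cookie over plain HTTP, so against the real server the script must use https or the cookie is silently dropped and every request becomes a new login.

```python
"""Model of password-based session login: cookie discarded vs. cookie replayed."""
import http.cookiejar
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the demo server only (not real accounts).
USERS = {"admin": "Secret123"}
# Assumed endpoint path; the thread does not name one.
LOGIN_PATH = "/ipa/session/login_password"


class SessionStore:
    """Sessions are keyed by session id, not by user, as the reply explains."""

    def __init__(self):
        self.sessions = {}  # session_id -> username

    def new(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid


class LoginHandler(BaseHTTPRequestHandler):
    store = None  # bound per server instance in start_server()

    def _cookie_session(self):
        """Return the ipa_session id from the Cookie header if it is a live session."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "ipa_session" and value in self.store.sessions:
                return value
        return None

    def do_POST(self):
        if urllib.parse.urlsplit(self.path).path != LOGIN_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]          # assumed parameter name
        password = form.get("password", [""])[0]  # assumed parameter name
        if USERS.get(user) != password:
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        sid = self._cookie_session()
        self.send_response(200)
        if sid is None:
            # No usable cookie presented: this looks like a brand-new login,
            # so a new session is created and a new cookie is set.
            sid = self.store.new(user)
            # 'secure' omitted only because the demo runs over loopback HTTP.
            self.send_header("Set-Cookie", "ipa_session=%s; httponly; Path=/ipa" % sid)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def login(base_url, user, password, jar=None):
    """POST form-urlencoded credentials; with a CookieJar the cookie is replayed."""
    handlers = [urllib.request.HTTPCookieProcessor(jar)] if jar is not None else []
    opener = urllib.request.build_opener(*handlers)
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(
        base_url + LOGIN_PATH, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener.open(req) as resp:
        return resp.status, resp.headers.get_all("Set-Cookie") or []


def start_server():
    store = SessionStore()
    handler = type("BoundLoginHandler", (LoginHandler,), {"store": store})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, store, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo(logins=3):
    """Return (sessions created without a jar, sessions created with a jar)."""
    server, store, base = start_server()
    try:
        for _ in range(logins):   # cookie never sent back: a new session each time
            login(base, "admin", "Secret123")
        without_jar = len(store.sessions)
        jar = http.cookiejar.CookieJar()
        for _ in range(logins):   # cookie replayed: the first session is reused
            login(base, "admin", "Secret123", jar)
        with_jar = len(store.sessions) - without_jar
    finally:
        server.shutdown()
        server.server_close()
    return without_jar, with_jar


if __name__ == "__main__":
    print("sessions without jar, with jar:", run_demo())
```

The curl equivalent of the cookie-jar client is to pass the same file to `-c` (write cookies from the response) and `-b` (send cookies from the file on the next request), e.g. `-c jar.txt -b jar.txt`, and to target the https URL so the `secure` cookie is eligible for replay.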
