Moodle

NTLM SSO login doesn't work when the login page is requested via POST from other places

Details

  • Type: Sub-task
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9
  • Fix Version/s: 1.9.5, 2.0
  • Component/s: Authentication
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE, MOODLE_20_STABLE

Description

Right now the loginpage_hook() of the NTLM SSO authentication only redirects the user to the NTLM machinery when the login page is requested via GET, to avoid a loop when processing the login form (if the NTLM SSO failed, and Moodle fell back to the standard login).

But it seems the login page gets requested via POST from other places as well. For example when we use notice_yesno() to ask for a full user account login (see http://moodle.org/mod/forum/discuss.php?d=93390). So the loginpage_hook() doesn't trigger the NTLM SSO machinery, even if it should. We need to trigger it for GET requests or POST requests coming from other pages (but not self).

In addition to that, we were not storing the Referer in $SESSION->wantsurl if there was one, so we never returned to the right place in those cases.

The attached patch fixes both issues, but I'd like some people to review it before committing it to CVS.

Saludos. Iñaki.

  1. ntlm-loginblock-no-sso-19.patch
    06/Aug/09 1:16 AM
    2 kB
    Iñaki Arenaza
  2. ntlm-loginpage-hook-19.diff
    27/Mar/08 4:32 AM
    2 kB
    Iñaki Arenaza
  3. ntlm-loginpage-hook-19-v2.diff
    29/Mar/08 1:52 AM
    3 kB
    Iñaki Arenaza
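
The decision described above (start SSO on GET, or on a POST that did not come from the login form itself, and remember the Referer as the return target), as an added stand-alone example that is not Moodle's code or the attached patch. All function names and URLs are hypothetical. Two things are assumptions not stated in the issue: a POST without a Referer is treated like the login form, and the Referer is only kept when it stays on the site, since it is client-supplied.

```php
<?php
// Added sketch, not Moodle's auth/ntlm code; every name and URL here is hypothetical.

/** True when $url points at the login page itself (query string ignored). */
function is_login_page(string $url, string $loginUrl): bool {
    $a = parse_url($url);
    $b = parse_url($loginUrl);
    if ($a === false || $b === false) {
        return false;
    }
    return strcasecmp($a['host'] ?? '', $b['host'] ?? '') === 0
        && rtrim($a['path'] ?? '', '/') === rtrim($b['path'] ?? '', '/');
}

/** Should the login page hand this request to the NTLM SSO step? */
function should_start_sso(string $method, ?string $referer, string $loginUrl): bool {
    if ($method === 'GET') {
        return true;                       // plain visit to the login page
    }
    if ($method !== 'POST' || $referer === null || $referer === '') {
        return false;                      // assumption: no Referer, cannot rule out the form
    }
    // A POST from the login form is the fallback login being processed:
    // starting SSO again here is the loop the GET-only check was avoiding.
    return !is_login_page($referer, $loginUrl);
}

/** Return the Referer as the post-login target only if it stays on our site. */
function return_target(?string $referer, string $siteRoot, string $loginUrl): ?string {
    if ($referer === null || is_login_page($referer, $loginUrl)) {
        return null;
    }
    // Referer is client-supplied, so require the site root as a prefix.
    return strpos($referer, rtrim($siteRoot, '/') . '/') === 0 ? $referer : null;
}

// Constructed sample requests: [method, Referer].
$root  = 'https://moodle.example.test';
$login = $root . '/login/index.php';
$cases = [['GET', null], ['POST', $login],
          ['POST', $root . '/course/view.php?id=2'],
          ['POST', 'https://other.example.test/page']];
foreach ($cases as [$m, $r]) {
    printf("%-4s %-42s sso=%-3s return=%s\n", $m, $r ?? '-',
        should_start_sso($m, $r, $login) ? 'yes' : 'no',
        return_target($r, $root, $login) ?? '-');
}
```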

Activity

Iñaki Arenaza added a comment -

Adding some people here to review the patch.

Iñaki Arenaza added a comment -

The previous patch didn't take into account the case where the user clicks on the 'Continue' link on ntlmsso_finish.php, and it came from the front page or the login block (see the details at http://moodle.org/mod/forum/discuss.php?d=93390#p413161)

Saludos. Iñaki.

Iñaki Arenaza added a comment -

This should be fixed in the latest CVS version of 1.9 and HEAD.

Saludos. Iñaki.

Jonathan Harker added a comment -

Hi there,
For one of our clients we had to revert this patch on the latest upgrade to 1.9.5+ because in IE the NTLM SSO was overriding the user/pass entered into the login block on the front page.

Iñaki Arenaza added a comment -

Hi Jonathan,

this is a known 'feature' / bug. Have a look at http://moodle.org/mod/forum/discuss.php?d=93390#p416035 to see why the login block hasn't been patched to cope with NTLM SSO in the way you expect.

If you really want that behaviour, you can use the second hunk of the patch posted in the link above (which still applies to 1.9.5+ cleanly).

Saludos.
Iñaki.

Iñaki Arenaza added a comment -

Hi again Jonathan,

the second hunk of the patch is not enough. It needs one additional line from the first hunk, so here is a fresh patch against 1.9.5+ (current as of today).

Saludos.
Iñaki.

