From 4d8463546a66166237914b018889f218ce5950a9 Mon Sep 17 00:00:00 2001
From: Jeff Godin
Date: Fri, 12 Oct 2012 09:44:25 -0400
Subject: [PATCH] Enable optional shared ses cookie for SSO-like use

Enable a shared ses cookie which is set at the domain level and can then be used by other web based systems to verify an Evergreen user. One example would be EZproxy with one of the CGI authentication options.

Signed-off-by: Jeff Godin
---
 .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 67 +++++++++++++++-------
 1 file changed, 45 insertions(+), 22 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
index 5d536dd2d2..b477481217 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
@@ -27,6 +27,7 @@ use OpenILS::WWW::EGCatLoader::SMS;
 my $U = 'OpenILS::Application::AppUtils';
 use constant COOKIE_SES => 'ses';
+use constant COOKIE_SHARED_SES => 'shared_ses';
 use constant COOKIE_LOGGEDIN => 'eg_loggedin';
 use constant COOKIE_PHYSICAL_LOC => 'eg_physical_loc';
 use constant COOKIE_SSS_EXPAND => 'eg_sss_expand';
@@ -258,7 +259,7 @@ sub load_common {
 $ctx->{home_page} = $ctx->{proto} . '://' . $ctx->{hostname} . $self->ctx->{opac_root} . "/home";
 $ctx->{logout_page} = ($ctx->{proto} eq 'http' ? 'https' : $ctx->{proto} ) . '://' . $ctx->{hostname} . $self->ctx->{opac_root} . "/logout";
- if($e->authtoken($self->cgi->cookie(COOKIE_SES))) {
+ if($e->authtoken($self->cgi->cookie(COOKIE_SES)) || $e->authtoken($self->cgi->cookie(COOKIE_SHARED_SES))) {
 if($e->checkauth) {
@@ -415,27 +416,42 @@ sub load_login {
 # both login-related cookies should expire at the same time
 my $login_cookie_expires = ($persist) ? CORE::time + $response->{payload}->{authtime} : undef;
+ my $cookies = [
+ # contains the actual auth token and should be sent only over https
+ $cgi->cookie(
+ -name => COOKIE_SES,
+ -path => '/',
+ -secure => 1,
+ -value => $response->{payload}->{authtoken},
+ -expires => $login_cookie_expires
+ ),
+ # contains only a hint that we are logged in, and is used to
+ # trigger a redirect to https
+ $cgi->cookie(
+ -name => COOKIE_LOGGEDIN,
+ -path => '/',
+ -secure => 0,
+ -value => '1',
+ -expires => $login_cookie_expires
+ )
+ ];
+
+ if (defined($ENV{shared_ses_domain} && $self->apache->hostname =~ /$ENV{shares_ses_domain}/)) {
+ push @$cookies,
+ # an optional domain-shared copy of the auth token, useful for
+ # some SSO-like environments
+ $cgi->cookie(
+ -name => COOKIE_SHARED_SES,
+ -path => '/',
+ -domain => $ENV{shared_ses_domain},
+ -secure => 1,
+ -value => $response->{payload}->{authtoken},
+ -expires => $login_cookie_expires
+ );
+ }
+
 return $self->generic_redirect(
- $cgi->param('redirect_to') || $acct,
- [
- # contains the actual auth token and should be sent only over https
- $cgi->cookie(
- -name => COOKIE_SES,
- -path => '/',
- -secure => 1,
- -value => $response->{payload}->{authtoken},
- -expires => $login_cookie_expires
- ),
- # contains only a hint that we are logged in, and is used to
- # trigger a redirect to https
- $cgi->cookie(
- -name => COOKIE_LOGGEDIN,
- -path => '/',
- -secure => 0,
- -value => '1',
- -expires => $login_cookie_expires
- )
- ]
+ $cgi->param('redirect_to') || $acct, $cookies
 );
 }
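Review bot: The guard `if (defined($ENV{shared_ses_domain} && $self->apache->hostname =~ /$ENV{shares_ses_domain}/))` does not gate on the hostname at all: `defined()` wraps the whole `&&`, and a failed match returns a defined empty string, so the branch runs whenever `shared_ses_domain` is set, and the pattern it interpolates is the misspelled `$ENV{shares_ses_domain}`, which is normally unset and gives an empty pattern (which Perl special-cases as "reuse the last successful match"). The domain is also interpolated unescaped and unanchored, so `.` matches any character and any hostname merely containing the string passes. Suggested: `if (defined $ENV{shared_ses_domain} && $self->apache->hostname =~ /\Q$ENV{shared_ses_domain}\E\z/) {`, with a comment above it such as `# only emit the domain-scoped copy of the token on a vhost that lies within shared_ses_domain`. The enclosing `load_login` begins before this hunk.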
@@ -453,13 +469,20 @@ sub load_logout {
 return $self->generic_redirect(
 $redirect_to || $self->ctx->{home_page},
 [
- # clear value of and expire both of these login-related cookies
+ # clear value of and expire all of these login-related cookies
 $self->cgi->cookie(
 -name => COOKIE_SES,
 -path => '/',
 -value => '',
 -expires => '-1h'
 ),
+ # always try to delete this, even though it may not be enabled
+ $self->cgi->cookie(
+ -name => COOKIE_SHARED_SES,
+ -path => '/',
+ -value => '',
+ -expires => '-1h'
+ ),
 $self->cgi->cookie(
 -name => COOKIE_LOGGEDIN,
 -path => '/',
-- 
2.11.0
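Review bot: The expiry cookie added for `COOKIE_SHARED_SES` carries no `-domain`, whereas load_login sets that cookie with `-domain => $ENV{shared_ses_domain}`; browsers identify cookies by name, domain and path, so this host-scoped deletion names a different cookie and the domain-scoped `shared_ses`, still holding the auth token, survives logout. Add the domain when it is configured, e.g. `(defined $ENV{shared_ses_domain} ? (-domain => $ENV{shared_ses_domain}) : ()),` next to `-path => '/'`, and extend the comment to `# always try to delete this, even though it may not be enabled; the domain must match the one used at login or the browser will not expire it`. Whether the server-side session is invalidated as well is not visible here; `load_logout` begins before this hunk.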