Test case:
$SITEHTML/foo/ contains a .htaccess file containing:
RewriteEngine On
RewriteBase /foo/
RewriteRule ^([_0-9a-zA-Z-]+/)?(bar.*) $2 [L]
$SITEHTML/bar/ contains a .htaccess with
CosignProtected On
AuthType Cosign
Require valid-user
A request for http://SITE/foo/bar/test.php which requires a redirect
to the cosign server will return the user to http://SITE/bar/test.php
This is because the set_cookie_and_redirect() function pulls the unparsed_uri field from the structure of the current request (that is, the one that invoked cosign), rather than from the request that the user initiated. Whilst this problem could be fixed by careful configuration by the site administrator, a fix is also possible in cosign itself - by extracting the URI from the first request submitted by the user, rather than from the internal-redirect which triggered the authentication.
A lightly tested patch which implements this is attached for comment. Cheers, Simon.
Attachment: cosign-redirect.patch (binary data)
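To make the cause described in the message concrete, here is an added C example (not cosign's code and not the attached patch). It uses a constructed struct that mirrors only the two Apache request_rec fields involved: prev, which points at the request an internal redirect was issued from, and unparsed_uri, the URI as the client sent it. redirect_uri_current() does what the message says set_cookie_and_redirect() does today; redirect_uri_initial() walks the chain back to the request the user actually made, which is the fix the message proposes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two request_rec fields this example needs.
 * Apache's real request_rec carries many more fields; only `prev` and
 * `unparsed_uri` matter for the redirect target. */
typedef struct request_rec {
    struct request_rec *prev; /* request this one was internally redirected from, or NULL */
    const char *unparsed_uri; /* URI of this particular request, as received */
} request_rec;

/* Behaviour reported in the message: the redirect target is taken from the
 * request that invoked cosign. After a mod_rewrite internal redirect that is
 * the rewritten request, so the user is sent back to the rewritten URI. */
const char *redirect_uri_current(const request_rec *r)
{
    return r->unparsed_uri;
}

/* Proposed fix: follow `prev` back to the first request in the chain, i.e.
 * the one the user submitted, and use its URI as the post-login target. */
const char *redirect_uri_initial(const request_rec *r)
{
    while (r->prev != NULL)
        r = r->prev;
    return r->unparsed_uri;
}

/* Reproduces the test case from the message with constructed data: the
 * client asks for /foo/bar/test.php, mod_rewrite internally redirects it to
 * /bar/test.php, and cosign's protected-location check runs on the latter. */
int main(void)
{
    request_rec user_req = { NULL, "/foo/bar/test.php" };
    request_rec rewritten = { &user_req, "/bar/test.php" };

    printf("current behaviour redirects to: %s\n", redirect_uri_current(&rewritten));
    printf("proposed behaviour redirects to: %s\n", redirect_uri_initial(&rewritten));
    return 0;
}
```

In a real module the walk would use the same `prev` pointer on the request_rec passed into set_cookie_and_redirect(); subrequests (as opposed to internal redirects) chain through `main` instead, so a module that must cope with both would follow whichever of the two is set. The security-relevant point is that the URL a user lands on after authentication should be derived from the request they actually issued, not from whatever rewritten URI happened to trigger the authentication check.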
Cosign-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/cosign-discuss
