On 02/26/2012 03:38 PM, Rob Crittenden wrote:
John Dennis wrote:
This patch adds support for password based session login (see detailed
comments in patch)

Only the server side is implemented, someone will have to add password
based login to the UI, when they do they should update the unauthorized
messges to include the new method, those message occur in two places.

* in install/html/unauthorized.html
* in the function error_handler() in install/ui/ipa.js:442

Sending the login requires sending the username (not the principal) and
password as application/x-www-form-urlencoded parameters in a GET or
POST request. Note, I only tested GET, but POST should work. Attached is
a curl script I used to test (send_login_password).

There is one other minor issue not included in any previous patches nor
this one, the VERSION file should be updated to force the apache
configuration to be updated.

If one keeps running the script more and more cookies get set each time
(it seems to add a new session every other request). I ended up with:

<  HTTP/1.1 200 Success
<  Date: Sun, 26 Feb 2012 20:36:38 GMT
<  Server: Apache/2.2.21 (Fedora)
<  Set-Cookie: ipa_session=905b903b164cc8449a1619f610012ad0; httponly;
Path=/ipa; secure
<  Set-Cookie: ipa_session=296d1c815326806be5dc609593950787; httponly;
Path=/ipa; secure
<  Set-Cookie: ipa_session=0a3ddb3e43f093f54acac0568bf2c8af; httponly;
Path=/ipa; secure
<  Set-Cookie: ipa_session=df4b39d4fe659ebfc401ee154c32fd1d; httponly;
Path=/ipa; secure
<  Set-Cookie: ipa_session=10ce26f372355b7ed2d11f34dbce8edf; httponly;
Path=/ipa; secure
<  Content-Length: 0
<  Connection: close
<  Content-Type: text/plain; charset=UTF-8
* Closing connection #0

It also looks like some of the sessions only appear from time to time.
For example, the next request I did did not contain
905b903b164cc8449a1619f610012ad0 but the one after that did again.

I assume you're running the script I attached. The reason why you keep getting new sessions is because the script does not send the previous cookie back, from the server's perspective these all appear to be new login requests. Sessions are not tracked by user, they are tracked by session id.

FWIW, there is a curl option to resend the cookies from the response it saved last time, I did not enable that in the script, but you could try it if you wish.

I'm not sure about the every other request behavior, I'll look into that.

John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to