From: Michael M Slusarz
Date: Tue, 16 Nov 2010 07:14:18 +0000 (-0700)
Subject: Bug #9311: Better fix for transparent auth/maintaining guest sessions
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=33972b5b500642c5fc7645ad13e5f51a673e70ed;p=horde.git
Bug #9311: Better fix for transparent auth/maintaining guest sessions
---
diff --git a/framework/Core/lib/Horde/Core/Auth/Application.php b/framework/Core/lib/Horde/Core/Auth/Application.php
index 0607ac798..12b43604a 100644
--- a/framework/Core/lib/Horde/Core/Auth/Application.php
+++ b/framework/Core/lib/Horde/Core/Auth/Application.php
@@ -292,16 +292,14 @@ class Horde_Core_Auth_Application extends Horde_Auth_Base
 if ($this->_base) {
 $result = $this->_base->transparent();
 } elseif ($this->hasCapability('transparent')) {
- /* Only clean session if we are trying to do transparent
- * authentication to an application that has a transparent
- * capability. This prevents session fixation issues when using
- * transparent authentication to do initial authentication to
- * Horde, while not destroying session information for guest
- * users. See Bug #9311. */
- if (!$is_auth) {
+ if ($result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true)) &&
+ $is_auth) {
+ /* Only clean session if we were successfully authenticated
+ * into Horde via transparent auth. Have to wait until after
+ * we check transparent auth or else we would blow away guest
+ * sessions. See Bug #9311. */
 $registry->getCleanSession();
 }
- $result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true));
 } else {
 /* If this application contains neither transparent nor
 * authenticate capabilities, it does not require any
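Review bot: In the added condition `if ($result = $registry->callAppMethod(...) && $is_auth)`, PHP binds `&&` tighter than `=`, so `$result` receives the boolean of the whole conjunction rather than the value returned by the application's transparent method. A transparent call that succeeds while `$is_auth` is false therefore leaves `$result` false for whatever reads it after the hunk. Assigning first keeps the two concerns apart: `$result = $registry->callAppMethod(...);` followed by `if ($result && $is_auth) {`. The guard also flips from `!$is_auth` to `$is_auth`, and `$is_auth` is set outside this hunk. It is worth confirming that a first-time transparent login still reaches `getCleanSession()`, since the removed comment credited that call with preventing session fixation.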