From 33972b5b500642c5fc7645ad13e5f51a673e70ed Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Tue, 16 Nov 2010 00:14:18 -0700
Subject: [PATCH] Bug #9311: Better fix for transparent auth/maintaining guest sessions
---
 framework/Core/lib/Horde/Core/Auth/Application.php | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/framework/Core/lib/Horde/Core/Auth/Application.php b/framework/Core/lib/Horde/Core/Auth/Application.php
index 0607ac798..12b43604a 100644
--- a/framework/Core/lib/Horde/Core/Auth/Application.php
+++ b/framework/Core/lib/Horde/Core/Auth/Application.php
@@ -292,16 +292,14 @@ class Horde_Core_Auth_Application extends Horde_Auth_Base
 if ($this->_base) {
 $result = $this->_base->transparent();
 } elseif ($this->hasCapability('transparent')) {
- /* Only clean session if we are trying to do transparent
- * authentication to an application that has a transparent
- * capability. This prevents session fixation issues when using
- * transparent authentication to do initial authentication to
- * Horde, while not destroying session information for guest
- * users. See Bug #9311. */
- if (!$is_auth) {
+ if ($result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true)) &&
+ $is_auth) {
+ /* Only clean session if we were successfully authenticated
+ * into Horde via transparent auth. Have to wait until after
+ * we check transparent auth or else we would blow away guest
+ * sessions. See Bug #9311. */
 $registry->getCleanSession();
 }
- $result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true));
 } else {
 /* If this application contains neither transparent nor
 * authenticate capabilities, it does not require any
--
2.11.0
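Review bot: In the new `if`, `&&` binds tighter than `=`, so `$result` receives the boolean `callAppMethod(...) && $is_auth` rather than the application's return value; whenever `$is_auth` is false the branch leaves `$result` false even if transparent authentication succeeded. Assign first and test afterwards: `$result = $registry->callAppMethod($this->_app, $this->_apiMethods['transparent'], array('args' => array($this), 'noperms' => true));` followed by `if ($result && $is_auth) {`. The guard also flips from `!$is_auth` to `$is_auth`, and `$is_auth` is set outside this hunk, so it is worth confirming that the new polarity matches the comment's "successfully authenticated into Horde" and that the session identifier is still regenerated on the guest-to-authenticated transition, since that regeneration was the session-fixation defence the removed comment described. Because `getCleanSession()` now runs after the application's transparent method, any session state that method stored would presumably be discarded; that cannot be checked from the hunk. The method body starts and ends outside the hunk.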