View Issue Details

This bug affects 1 person(s).
ID: 08152
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2014-02-19 14:13
Reporter: pasglop
Assigned To: mdekker
Priority: normal
Severity: minor
Status: closed
Resolution: no change required
Product Version: 2.00+
Target Version: 2.05 RC
Summary: 08152: $_SERVER['REMOTE_USER'] is not set in UserIdentity.php
Description

My config.php is set with 'auth_webserver' => true.

The $_SERVER['REMOTE_USER'] and/or $_SERVER['HTTP_CAS_USER'] does not exist in the situation where we want to delegate authentication to a CAS server using mod_auth_cas.

These variables exist and contain the login on the call to /limesurvey/admin/index.php, but are directly unset with the call to /index.php/admin at the "header" line.

How can I communicate the $_SERVER['REMOTE_USER'] and/or $_SERVER['HTTP_CAS_USER'] value known in /limesurvey/admin/index.php to the function "authenticate" in the page UserIdentity.php?

Thanks a lot

Additional Information

I work around the problem by adding a cookie:

  • in admin/index.php, add (~l.37):
        setcookie('CASC', $_SERVER["HTTP_CAS_USER"],0,"/limesurvey/");
    before:
        header( 'Location: ../index.php/admin' );

  • in application/core/Useridentity.php, comment out (~l.72):
        elseif(Yii::app()->getConfig("auth_webserver") === true && (isset($SERVER["PHP...
    add (or replace by):
        elseif(Yii::app()->getConfig("auth_webserver") === true)
    and add in the chain of tests:
        elseif (isset($_COOKIE["CASC"])) {
            $sUser=$_COOKIE["CASC"];
        }

This is not great ...

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): Build 130802
I will donate to the project if issue is resolved: No
Browser: all
Database type & version: Mysql 164
Server OS (if known): Debian 7.1
Webserver software & version (if known): Apache/2.2.22 (Debian)
PHP Version: PHP Version 5.4.4-14+deb7u3

Activities

c_schmitz

2013-09-12 23:08

administrator   ~26205

Why would a header() call unset $_SERVER['REMOTE_USER'] ? I can't believe that happens.

pasglop

2013-09-13 13:14

reporter   ~26217

Last edited: 2013-09-14 10:16

The problem is not the "header".

To use the CAS, I declare only the /admin folder in it.
All the arborescence called in the directory sets $_SERVER['REMOTE_USER'].
This worked well with 1.92, as all of this happened in this directory; that is not the case with 2.0, where we return to the root systematically.

I do not even know where to intervene to solve the problem and make the use of mod_auth_cas truly possible.


Another solution without cookie :

In file /admin/index.php, comment out the line with "header" and add:

    session_start();
    $_SESSION['CAS'] = $_SERVER['HTTP_CAS_USER'];
    header( 'Location: ../indexCAS.php/admin' );

Create a file /indexCAS.php at the same place as /index.php:

    session_start();
    isset($_SESSION['CAS']) ? $_SERVER['REMOTE_USER']=$_SESSION['CAS']:false;
    include('index.php');

and in the CAS config:

    <Directory /var/www/limesurvey/admin/>
    AuthType Cas
    require valid-user
    </Directory>
    <Directory /var/www/limesurvey/indexCAS.php/>
    AuthType Cas
    require valid-user
    </Directory>

This is not great either!

c_schmitz

2013-09-18 16:37

administrator   ~26279

I think a solution for 2.0 is hard anyway. Menno, do you see for 2.05 a better way?

mdekker

2013-09-19 09:37

reporter   ~26289

I think you should not use <directory>, but <location>: as URL rewriting rewrites all requests to /index.php, the /admin/index.php is not really used. As far as I read, the location always uses the URL and not the file path, which might never be reached.

The second problem is the http_cas_user vs remote_user. I think the cas server needs to set the right http header. You should not try to solve that on the application end.

For 2.05 the last problem will be a lot easier: it can be solved in a plugin that is preserved during updates. We can also make the REMOTE_USER configurable so you can change it in the default web auth plugin.

mdekker

2013-09-19 09:38

reporter   ~26290

The locations directive can not go into htaccess, only in server config...
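
The <Location> approach from the two notes above, written out as an added example (not part of the original thread and not LimeSurvey's own configuration). It assumes LimeSurvey is served under /limesurvey from /var/www/limesurvey, that mod_auth_cas is already loaded and configured globally, and that the header name CAS-User is the one in use on the reporter's server.

```apache
# Added example. Goes in the server config or a <VirtualHost>,
# not in .htaccess (<Location> is not allowed there).
# Assumed: the global mod_auth_cas settings (CASLoginURL,
# CASValidateURL, CASCookiePath) are already in place.

# Before (from the report): matches a filesystem path. A request for
# /limesurvey/index.php/admin is served by /var/www/limesurvey/index.php,
# which lies outside admin/, so no CAS check runs on it and
# REMOTE_USER is never set for that request.
#<Directory /var/www/limesurvey/admin/>
#    AuthType Cas
#    require valid-user
#</Directory>

# After: match the URL the admin interface is actually requested under.
<Location /limesurvey/index.php/admin>
    AuthType CAS
    Require valid-user
    # Optional: also pass the user as request header CAS-User, which
    # PHP exposes as $_SERVER['HTTP_CAS_USER']. HTTP_* keys are filled
    # from request headers, so read this key only on paths that
    # mod_auth_cas handles; REMOTE_USER is set by the server itself.
    CASAuthNHeader CAS-User
</Location>

# Keep the old entry point covered as well, since it redirects
# to ../index.php/admin.
<Location /limesurvey/admin>
    AuthType CAS
    Require valid-user
</Location>
```

A <Location> block matches on the URL path only, so any other URL form that reaches the admin controller needs its own block.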

mdekker

2013-10-08 13:59

reporter   ~26622

Last commit made the server variable configurable in the webserver authentication plugin. Default is now REMOTE_USER but you can set it to HTTP_CAS_USER if you like.

c_schmitz

2014-01-18 16:39

administrator   ~27986

So, this is resolved now?

mdekker

2014-02-19 14:13

reporter   ~28817

Probably fixed already and no feedback...

Related Changesets

LimeSurvey: 2.05 c1b6e16d

2013-10-08 09:40

mdekker


Changed feature: made server key configurable in AuthWebserver plugin, default is REMOTE_USER
Affected Issues: 08152
mod - application/core/plugins/Authwebserver/Authwebserver.php

Issue History

Date Modified Username Field Change
2013-09-12 14:43 pasglop New Issue
2013-09-12 23:08 c_schmitz Note Added: 26205
2013-09-12 23:08 c_schmitz Assigned To => c_schmitz
2013-09-12 23:08 c_schmitz Status new => feedback
2013-09-13 13:14 pasglop Note Added: 26217
2013-09-13 13:14 pasglop Status feedback => assigned
2013-09-13 13:46 pasglop Note Edited: 26217
2013-09-13 13:48 pasglop Note Edited: 26217
2013-09-13 14:12 pasglop Note Edited: 26217
2013-09-14 10:16 pasglop Note Edited: 26217
2013-09-14 10:16 pasglop Note Edited: 26217
2013-09-18 16:37 c_schmitz Assigned To c_schmitz => mdekker
2013-09-18 16:37 c_schmitz Note Added: 26279
2013-09-19 09:37 mdekker Note Added: 26289
2013-09-19 09:38 mdekker Note Added: 26290
2013-10-07 14:48 c_schmitz Target Version => 2.05 RC
2013-10-08 13:58 mdekker Changeset attached => LimeSurvey 2.05 c1b6e16d
2013-10-08 13:59 mdekker Note Added: 26622
2014-01-18 16:39 c_schmitz Note Added: 27986
2014-02-19 14:13 mdekker Note Added: 28817
2014-02-19 14:13 mdekker Status assigned => closed
2014-02-19 14:13 mdekker Resolution open => no change required