There is a possible scenario to get a redirect loop when triggering drupal_goto('user/login') in ldap_authentication.inc on auth fail. This is because $_GET['destination'] overrides the path set in drupal_goto($path); if that destination is not available to unauthorized users, it will redirect back and forth. Firefox handled it well, but Safari and Chrome just got TOO MANY REDIRECTS.
1. Front is not available to unauthorized users.
2. User goes to /; it will redirect to user/login/sso?destination={Front}
3. Auth fails and should redirect to user/login, but drupal_goto overrides and redirects to Front
4. Front not available, redirect to user/login/sso?destination={Front}
5. Continue until the browser throws an error
My solution is probably not the best, but it works.
In ldap_authentication.inc, unset the destination GET parameter before drupal_goto('user/login'), located in three places in the sso method.
function _ldap_authentication_user_login_sso() {
  ...
  // Drop the destination so drupal_goto() really goes to user/login
  // instead of back to the protected page that started the loop.
  unset($_GET['destination']);
  drupal_goto('user/login');
  ...
  unset($_GET['destination']);
  drupal_goto('user/login');
  ...
  unset($_GET['destination']);
  drupal_goto('user/login');
}
Comment | File | Size | Author
---|---|---|---
#2 | ldap-sso-infinite-redirect-1415270-2.patch | 1.63 KB | shawn_smiley
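The five-step loop in the issue summary can be driven offline. The following is an added example, not code from the ldap module or from the attached patch: model_drupal_goto() and handle_request() are simplified stand-ins for Drupal 7's drupal_goto() and the path access check, 'front' is a constructed name for the site front path, and the 20-hop cap is an assumed stand-in for the browser's redirect limit. Running it once without and once with the unset($_GET['destination']) workaround shows why the unpatched flow never terminates.

```php
<?php
// Added example: stand-alone model of the SSO redirect loop. Not Drupal code.

const MAX_REDIRECTS = 20;   // assumed browser limit before "TOO MANY REDIRECTS"

// Paths an anonymous visitor may reach. The front path ('front', a
// constructed name) is deliberately absent: that is the loop's precondition.
$anonymous_paths = ['user/login', 'user/login/sso'];

/**
 * Simplified model of drupal_goto(): a ?destination= in the request wins over
 * the $path the caller asked for. Returns the target instead of sending a
 * Location header so the flow can be stepped in a loop.
 */
function model_drupal_goto($path, array $query) {
  if (isset($query['destination'])) {
    $path = $query['destination'];
  }
  return $path;
}

/**
 * Handle one request. Returns [next_path, next_query], or [NULL, []] when the
 * page is served without a redirect. $clear_destination toggles the fix.
 */
function handle_request($path, array $query, array $anonymous_paths, $clear_destination) {
  if ($path === 'user/login/sso') {
    // SSO authentication failed: send the visitor to the normal login form.
    if ($clear_destination) {
      unset($query['destination']);   // the workaround from the issue summary
    }
    return [model_drupal_goto('user/login', $query), []];
  }
  if (!in_array($path, $anonymous_paths, TRUE)) {
    // Access denied for anonymous: hand off to SSO, remembering where to return.
    return ['user/login/sso', ['destination' => $path]];
  }
  return [NULL, []];
}

/**
 * Follow redirects from $start until a page is served or the cap is hit.
 * Returns ['served' => path|NULL, 'hops' => list of redirect targets].
 */
function follow_redirects($start, array $anonymous_paths, $clear_destination) {
  $path = $start;
  $query = [];
  $hops = [];
  for ($i = 0; $i < MAX_REDIRECTS; $i++) {
    list($next, $query) = handle_request($path, $query, $anonymous_paths, $clear_destination);
    if ($next === NULL) {
      return ['served' => $path, 'hops' => $hops];
    }
    $hops[] = $next . (isset($query['destination'])
      ? '?destination=' . rawurlencode($query['destination']) : '');
    $path = $next;
  }
  return ['served' => NULL, 'hops' => $hops];  // browser would give up here
}

foreach ([FALSE, TRUE] as $fixed) {
  $r = follow_redirects('front', $anonymous_paths, $fixed);
  printf("%-24s %s after %d hop(s): %s\n",
    $fixed ? 'with unset(destination):' : 'unpatched:',
    $r['served'] === NULL ? 'redirect loop' : 'served ' . $r['served'],
    count($r['hops']),
    implode(' -> ', array_slice($r['hops'], 0, 4)) . (count($r['hops']) > 4 ? ' -> ...' : ''));
}
```

Unpatched, the chain is user/login/sso?destination=front -> front -> user/login/sso?destination=front -> ... until the cap; with the destination cleared it is user/login/sso?destination=front -> user/login and stops. The trade-off a practitioner should note is that unsetting the parameter also discards the user's intended return path, so after a later successful login they land on user/login rather than where they started; a narrower fix would drop the destination only when it points at a path the anonymous user cannot reach.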
Comments
Comment #0.0
emilkarl commented: Updated front text in description
Comment #1
johnbarclay commented: This is something to keep an eye out for, but the current ldap_sso is quite different from when this patch was written.
Comment #2
shawn_smiley commented: Re-opening this issue.
We ran into this infinite redirect issue during our Active Directory integration. I've attached a patch which resolved the issue for us.
Basically the problem appears to be that the ldap_sso module is verifying and loading the Drupal user account, but it never calls the routines to set the session cookies indicating that the user was logged in. Thus we would end up in a redirect loop where the user would be successfully authenticated and then redirected back to their original page, but the original page wouldn't be able to find an authentication token in the session for the user and redirect them back to the SSO page.
Comment #3
johnbarclay commented: There's been an endless loop of patches related to looping, redirecting, and excluded paths for ldap sso. We need a handful of people using ldap sso in a few different scenarios to isolate the issues and test patches. And someone to wrap up the simpletest coverage.
This patch looks good from what I can see.
Comment #4
swentel commented: I can confirm this patch fixes the redirects and also makes sure the roles are applied to the users. Patch needs reroll though.
Comment #5
johnbarclay commented: I can commit #2 by hand without a reroll also. Will commit next chance I get.
Comment #6
johnbarclay commented: I committed #2 along with some more work on the ldap sso simpletests. See http://drupalcode.org/project/ldap.git/commitdiff/f53eaa120edb3b80aeb5de...
I needed to have a wrapper around the $_SESSION and $_SERVER variables for mock testing. I've implemented it but may need to do so for $_COOKIE at some point, but hopefully the drupal simpletest cookie helpers will do the trick.
Thanks for the fix. I suspect it may also fix #1956224: LDAP SSO: with AD, mod_auth_sspi, not seemless authentication gives success but does not logon user
Please test.
Comment #7
arh1 commented: We're experiencing this, too.
The latest 2.x-dev release (April 24) seems to resolve it. Thanks for your work on this, shawn_smiley and johnbarclay.
Comment #8
solquimpo commented: I can also confirm that 7.x-2.x-dev fixes the problem.
Comment #9
johnbarclay commented: Thanks. Appreciate the followups. I'm closing this.
Comment #11
geerlingguy commented: See related: #2075387: LDAP SSO: Prevent infinite redirect loop during SSO when no destination is set.
Comment #11.0
geerlingguy commented: Updated spelling