How to properly verify user authentication by cookie?

  • How to properly verify user authentication by cookie?

    I tried to make a simple login check but I have inconsistent results when doing this...

    Code:
    $authUsername = $_COOKIE['auth-username'];
    $authPassword = $_COOKIE['auth-token'];
    $authObject = new \Espo\Core\Utils\Auth($this->getContainer());
    $isAuthenticated = $authObject->login($authUsername, $authPassword);
    I get $isAuthenticated = null for some reason

    I would really love to find a core function that returns the login status as a boolean...
    Last edited by tothewine; 07-11-2020, 06:29 PM.

  • #2
    It seems in my case that the login is working for the normal web application but the entrypoint has the 'system' user logged in.



    • #3
      Yuri, could you provide any insight on this entrypoint problem? The current user is set to system even though it is logged into Espo ($authRequired = false so that I can show a custom error to the user). I load the entrypoint in an iframe on another domain.

      Am I checking authentication the wrong way? In that case could you tell me how to do it properly?

      I don't know, maybe the web app is doing something different for authentication after the last updates... I see there is a token-secret cookie in the PHP code of the login, but it is not available to my entrypoint. Maybe it's a CORS problem, but now I found that another entrypoint that is embedded directly in the Espo page has this problem too.
      Last edited by tothewine; 07-13-2020, 10:55 AM.



      • #4
        I recommend debugging. I would need to look into the code to refresh my memory of how it's working. BTW for 6.0 I have refactored the auth logic a bit.



      • #5
        By the way I just realized the behaviour of this problem when authRequired is true is a basic authentication popup, which is something I have witnessed seemingly at random since espo 5.4 in entrypoints embedded using authenticated iframes.

        I tried to compare my avatar entrypoint to the system one but avatar entrypoint accepts the request, while mine doesn't.

        I inspected the code and found out that $notStrictAuth = true for the avatar, while it is not defined in my custom entrypoint class (presumably false).

        Could you explain to me what strict auth means exactly?

        Update: I tried setting it to true, but I continue to get an unauthorized error.

        Code:
        GET https://example.com/crm/?entryPoint=rcProPic&uname=admin HTTP/1.1
        Host: example.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        DNT: 1
        Connection: keep-alive
        Cookie: auth-token-secret=21da1de519164c1241c191c79a119011; auth-username=admin; auth-token=f13a1b151c12191111531714811918; PHPSESSID=31615161e1d1b17181e101b1e1f18111
        Upgrade-Insecure-Requests: 1
        
        
        HTTP/1.1 302 Found
        *cut*

        GET https://example.com/crm/?entryPoint=rcProPic&uname=admin HTTP/1.1
        Host: example.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: image/webp,*/*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Referer: https://example.com/
        DNT: 1
        Connection: keep-alive
        Cookie: auth-username=admin; auth-token=f13a1b151c12191111531714811918; PHPSESSID=31615161e1d1b17181e101b1e1f18111
        Cache-Control: max-age=0
        
        
        HTTP/1.1 401 Unauthorized
        Date: Thu, 23 Jul 2020 11:29:11 GMT
        Server: Apache
        Www-Authenticate: Basic realm=""
        Access-Control-Allow-Methods: POST, GET, PUT, PATCH, DELETE
        Content-Length: 0
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Content-Type: text/html;charset=UTF-8
        The problem here is that the first request is done directly by pasting the link in the address bar, while the second is done within an iframe embedded on another domain. In the second request the auth-token-secret cookie is never sent by the browser. Am I doing something wrong?



        And is the auth-token-secret cookie really needed for auth? Is it secure if I check the other cookies manually?
        Last edited by tothewine; 07-23-2020, 11:44 AM.



        • #6
          I figure the problem is not due to the HttpOnly flag being set on auth-token-secret, but rather the SameSite: Lax flag that prevents the cookie from being sent except in top-level navigation.
          I believe putting an entrypoint in an iframe tag is a pretty common use case. Is there a way to allow the cookie only for one domain? I think I can search and destroy SameSite:Lax in the source code, but then it will be creating a potential security problem... right? Do you have any idea on how to properly solve the problem of iframe authentication?

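The rule described in #6, as an added example (not EspoCRM code): a small model of how a browser decides whether to attach each cookie, run over a constructed jar with the cookie names from the #5 capture. It assumes auth-token-secret carries SameSite=Lax as stated above and uses placeholder values; the lax_by_default flag models the difference between Firefox 79 (the captured browser) and Chrome 80+.

```python
# Model of the SameSite cookie rules (RFC 6265bis) applied to the two requests
# captured in #5. All cookie values below are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str = ""      # "Strict", "Lax", "None", or "" when the attribute is absent
    secure: bool = False
    http_only: bool = False  # hides the cookie from document.cookie only; never decides sending

@dataclass(frozen=True)
class RequestContext:
    cross_site: bool              # initiated from another site, e.g. an embedding iframe
    top_level_navigation: bool    # address bar or link click, as opposed to an iframe load
    safe_method: bool = True      # GET or HEAD
    lax_by_default: bool = False  # False: Firefox 79 as in the capture; True: Chrome 80+

def cookie_is_sent(cookie: Cookie, ctx: RequestContext) -> bool:
    if not ctx.cross_site:
        return True  # same-site request: SameSite never withholds a cookie
    same_site = cookie.same_site
    if same_site == "":  # attribute absent
        if not ctx.lax_by_default:
            return True  # legacy browsers: treated as None, Secure not required
        same_site = "Lax"
    if same_site == "Strict":
        return False
    if same_site == "Lax":  # only top-level navigations using a safe method
        return ctx.top_level_navigation and ctx.safe_method
    return cookie.secure  # explicit SameSite=None is honoured only together with Secure

def cookie_header(jar, ctx: RequestContext) -> str:
    return "; ".join(f"{c.name}={c.value}" for c in jar if cookie_is_sent(c, ctx))

# Constructed jar using the cookie names from the #5 capture.
JAR = [
    Cookie("auth-token-secret", "SECRET_PLACEHOLDER", same_site="Lax", http_only=True),
    Cookie("auth-username", "admin"),
    Cookie("auth-token", "TOKEN_PLACEHOLDER"),
]
ADDRESS_BAR = RequestContext(cross_site=False, top_level_navigation=True)
IFRAME_FIREFOX79 = RequestContext(cross_site=True, top_level_navigation=False)
IFRAME_CHROME80 = RequestContext(cross_site=True, top_level_navigation=False, lax_by_default=True)

if __name__ == "__main__":
    for label, ctx in {"address bar": ADDRESS_BAR, "iframe/Firefox 79": IFRAME_FIREFOX79,
                       "iframe/Chrome 80+": IFRAME_CHROME80}.items():
        print(f"{label:18}: Cookie: {cookie_header(JAR, ctx) or '(none)'}")
```

The third context shows why removing SameSite=Lax from the source is not a fix: in a browser that defaults to Lax, every cookie lacking an explicit SameSite=None; Secure is withheld from the cross-site iframe as well.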
