Lazy sessions and authorization (Drupal)

Laas Toom Laas.Toom at ut.ee
Mon Oct 28 06:37:29 EDT 2013


On 28.10.2013, at 12:26, Kristof Bajnok <bajnokk at niif.hu> wrote:

> On 2013-10-25 16:18, Cantor, Scott wrote:
>>> I will try that too, but the documentation also requires me to enable
>>> ShibUseHeaders which made me a bit wary of their advice and hoped
>>> somebody here has some experience.
>>
>> If their code is reading headers only (which would be a bad thing), then
>> that advice is certainly necessary.
>
> PHP merges headers and environment into a single array ($_SERVER) and I
> don't know any non-deprecated way to access the environment only.
>
> The advice is there because so far we (the Drupal Shib module
> developers) haven't implemented a more robust algorithm for accessing
> the Shib SP attributes that works for both Windows and Unix and with and
> without internal redirects. And because role assignment (thus
> authorisation) is based on $_SERVER and re-evaluated during every page
> access, mod_rewrite's renamed variables resulted in weird errors.
>
> Anyone who can sort out mod_rewrite from their Drupal configuration may
> safely disable ShibUseHeaders. Most of the users can not.

I found a few solutions to the REDIRECT_ prefix problem and chose to use this one at the end of the .htaccess file:

# After an internal redirect Apache re-exports the SP's variables with a
# REDIRECT_ prefix; copy each one back under its original name.
RewriteCond %{ENV:REDIRECT_UID} (.+)
RewriteRule .* - [E=UID:%1]
RewriteCond %{ENV:REDIRECT_mail} (.+)
RewriteRule .* - [E=mail:%1]
RewriteCond %{ENV:REDIRECT_Shib-Identity-Provider} (.+)
RewriteRule .* - [E=Shib-Identity-Provider:%1]

Of course this is still a workaround as it preserves the prefixed values too, but it does work and I could leave off ShibUseHeaders.


Best,
Laas
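The thread turns on two facts: PHP puts both the SP's environment variables and the client's request headers into $_SERVER, and Apache renames environment variables with a REDIRECT_ prefix across an internal redirect (and stacks the prefix across several). The snippet below is an added example, written for this page and not code from the Drupal Shibboleth module or the Shibboleth SP, showing how an application can read attributes from the environment side of $_SERVER only, following the REDIRECT_ chain, while never consulting HTTP_* keys. With ShibUseHeaders off the SP does not manage request headers, so a header such as "Shib-Identity-Provider:" sent by the visitor lands in $_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'] under the visitor's control; reading it for role assignment would let anyone pick their identity. The attribute names (UID, mail, Shib-Identity-Provider), the sample $_SERVER contents and the function names are assumptions made for the example.

```php
<?php
// Added example (not the Drupal Shibboleth module's own code): read Shib SP
// attributes from the environment part of $_SERVER without ShibUseHeaders.
//
// Assumptions: the SP exports attributes as environment variables with the
// names used below; after an Apache internal redirect (mod_rewrite to
// index.php) each name reappears with a "REDIRECT_" prefix, and the prefix
// stacks when several redirects happen in a row.

/**
 * Look up $name in the environment portion of $server.
 *
 * Tries the bare name first, then REDIRECT_<name>, REDIRECT_REDIRECT_<name>,
 * ... up to $maxRedirects deep. HTTP_* keys are never consulted: they come
 * from request headers, which a client can send itself when the SP is not
 * managing headers, so they are not authentication data here.
 */
function shib_env_attribute(array $server, string $name, int $maxRedirects = 3): ?string
{
    // Refuse header-derived keys outright, even if a caller asks for one.
    if (strncmp($name, 'HTTP_', 5) === 0) {
        return null;
    }
    $key = $name;
    for ($i = 0; $i <= $maxRedirects; $i++) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
        $key = 'REDIRECT_' . $key;   // try the next redirect level
    }
    return null;
}

/**
 * Collect the attributes a role-assignment step would use. Returns null when
 * no identity provider is present, so the caller fails closed and assigns no
 * roles rather than working from partial data.
 */
function shib_session(array $server): ?array
{
    $idp = shib_env_attribute($server, 'Shib-Identity-Provider');
    if ($idp === null) {
        return null;   // no SP session on this request
    }
    return [
        'idp'  => $idp,
        'uid'  => shib_env_attribute($server, 'UID'),
        'mail' => shib_env_attribute($server, 'mail'),
    ];
}

// Constructed sample of $_SERVER after one mod_rewrite internal redirect,
// plus two headers the client added to the request on its own.
$sample = [
    'REDIRECT_UID'                    => 'alice',
    'REDIRECT_mail'                   => 'alice@example.org',
    'REDIRECT_Shib-Identity-Provider' => 'https://idp.example.org/idp/shibboleth',
    'HTTP_SHIB_IDENTITY_PROVIDER'     => 'https://attacker.example/idp',  // client-supplied
    'HTTP_MAIL'                       => 'admin@example.org',            // client-supplied
];

var_dump(shib_session($sample));   // values come from the REDIRECT_* keys only
var_dump(shib_session(['HTTP_SHIB_IDENTITY_PROVIDER' => 'https://attacker.example/idp']));
```

Run with `php example.php`. The second call shows the fail-closed path: a request carrying only a client-supplied header yields no session at all. The REDIRECT_ lookup makes the .htaccess re-export above unnecessary for code that uses this helper, although keeping both does no harm, since the bare name is tried first.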