Lazy sessions and authorization (Drupal)
Cantor, Scott
cantor.2 at osu.edu
Mon Oct 28 09:58:47 EDT 2013
On 10/28/13, 4:21 AM, "Laas Toom" <Laas.Toom at ut.ee> wrote:
>
>One question still: am I the only one that thinks that it could come in
>handy if there is a way to allow both unauth users and properly
>authorized users and the application could rest assured that if session
>is present, it is properly authorized?
I have yet to hear you say that you tried what I suggested (twice) and
that it didn't work.
>Also, in my view, the "ShibRequestSetting requireSession" behaves
>somewhat counter-intuitively:
>
>1) when set to 1, a session is initiated when not present, and all
>authorization is applied
>2) when set to 0, a session is still "required", and authorized, only not
>initiated
That's not the case. The authorization code is not written to a priori
require a session. I know because I just looked. So if your authorization
rules actually do require a session, I think that's because you wrote them
to. So I reiterate that as far as I can tell, combining rules with "OR NOT
valid-user" probably should work.
>Of course, this can not be changed now, for backwards compatibility, but
>perhaps a new setting, say 'ignoreUnauthzSession', could be introduced
>that toggles this behavior?
I'm not considering anything until I have actual evidence that it doesn't
work already.
>Are there any downsides to this? Could it be considered a feature
>request?
There's a significant downside: confusion, complexity, changing sensitive
code.
-- Scott
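The arrangement Scott is pointing at, written out as an added example (this is an editor's configuration sketch, not something posted in the thread and not Shibboleth project code; the affiliation value, the file path and the assumption that the rule is loaded through the SP's XMLAccessControl plugin are mine). It is meant to sit behind a location that has requireSession turned off, so the SP never starts a session on its own but still evaluates whatever session does arrive:

```xml
<!-- Added example, not from the thread: an XMLAccessControl policy for a
     location that must let anonymous visitors through but must refuse any
     Shibboleth session that does not satisfy the real authorization rule.
     Affiliation value and the path this file is saved under are assumptions. -->
<AccessControl>
  <OR>
    <!-- Branch 1: no session at all.  "valid-user" is the special Rule name
         that matches only when a session exists, so NOT of it is the
         anonymous case: the request passes to the application, which sees
         no REMOTE_USER and no attributes and treats the visitor as a guest. -->
    <NOT>
      <Rule require="valid-user"/>
    </NOT>

    <!-- Branch 2: a session exists, so it has to pass the actual rule.
         With no session this Rule simply fails (there are no attributes to
         compare), which is why branch 1 is needed.  A session that exists
         but does not carry the right value fails both branches and gets the
         SP's 403, which is exactly the guarantee the application wanted:
         "if a session is present, it has been authorized". -->
    <Rule require="affiliation">member@example.org</Rule>
  </OR>
</AccessControl>
```

In httpd.conf the matching location needs AuthType shibboleth, ShibRequestSetting requireSession 0, a ShibAccessControl directive pointing at the file holding this AccessControl element, and Require shibboleth so that the plugin rule, rather than a bare Require valid-user, makes the decision. The one thing this does not do is change what the SP initiates: a visitor who should log in still has to be sent to the session initiator by the application (or by a separate protected location), because requireSession 0 means the SP will never start that redirect itself.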