Author Topic: [0.5.1] external login page  (Read 8653 times)

Offline pinotje

  • Newbie
  • Posts: 7
[0.5.1] external login page
« on: February 22, 2011, 06:03:19 PM »
Hi all,

After I upgraded RoundCube from 0.5 to 0.5.1 my customers cannot log in anymore from an external login page, whereas previously they could...

The HTML code of the relevant loginpage:
Code:
<form name="form" method="post" action="http://server1.abcdomein.nl/roundcube/index.php">
<input type="hidden" name="_token" value="56b4e11557372680a6ede1c9ec47ceea" />
<input type="hidden" name="_task" value="login" />
<input type="hidden" name="_action" value="login" />
<input type="hidden" name="_timezone" id="rcmlogintz" value="_default_" />
<input type="hidden" name="_url" id="rcmloginurl" />
E-mailadres:<br />
<input style="width:100px;" name="_user" id="rcmloginuser" autocomplete="off" type="text" /><br />
Wachtwoord:<br />
<input style="width:100px;" name="_pass" id="rcmloginpwd" autocomplete="off" type="password" />
<img src="<?php echo "$abc";?>/img/_spacer.gif" height="20" width="60" alt="0" />
<input type="image" src="<?php echo "$abc";?>/img/button_login.gif" name="Submit" />
</form>

Also, customers are getting an error message: "Invalid request! No data was saved".

How can I solve this problem?
« Last Edit: February 22, 2011, 06:07:00 PM by pinotje »

Offline rosali

  • Hero Member
  • Posts: 2,533
[0.5.1] external login page
« Reply #1 on: February 23, 2011, 04:39:15 AM »
See the following roundcube mailing lists thread:

RoundCube Mailing Lists
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline pinotje

  • Newbie
  • Posts: 7
[0.5.1] external login page
« Reply #2 on: February 23, 2011, 12:15:53 PM »
Quote from: rosali;33426
See the following roundcube mailing lists thread:

RoundCube Mailing Lists


Thanks for your reply!

In the Mailing Lists it says:

Code:
Subject: Re: [RCD] custom login form vs. CSRF-protection in RC 0.5.1
From: Roland Liebl <roland@roland-liebl.de>
Reply-to: roland@roland-liebl.de
Date: Sun, 13 Feb 2011 09:06:28 +0100
To: Philip Iezzi <lists@iezzi.ch>
Cc: RoundCube Dev <dev@lists.roundcube.net>

 On Sat, 12 Feb 2011 23:38:33 +0100, Philip Iezzi wrote:
> Hi
>
> You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5
> we were able to provide our own custom login forms (on a different
> domain) for Roundcube. In 0.5.1 those forms no longer work, probably
> due to the missing "_token" POST request param. We're getting
> redirected to the login form right after submitting the login
> credentials.
>
> We provide both "_user" and "_pass" input fields but are not able to
> provide the hidden "_token" field as this token gets generated by RC.
> Example login form that works perfectly under RC 0.5:
> https://my.onlime.ch/index/webmail
>
> Is there any workaround for this in RC 0.5.1? I couldn't find any
> hints about custom login forms in your Wiki.

 You could use a plugin (startup hook):

    function startup($args)
    {
      // in this example the outside login form must submit 'ajax=1'
      // so that we can detect a login attempt
      if (!empty($_POST['ajax']) && !empty($_POST['_user']) && !empty($_POST['_pass'])) {
        // perhaps some additional checks, e.g. HTTP Referer ...
        // copy the session's login token into the request so the token check passes
        $_POST['_token'] = $_SESSION['request_tokens']['login'];
      }
      return $args;
    }

>
> Thanks!
> Regards, Philip
> _______________________________________________
> List info: http://lists.roundcube.net/dev/
> BT/8d1870bd


Where do I have to put the Plugin (startup hook) in?

Offline pinotje

  • Newbie
  • Posts: 7
[0.5.1] external login page
« Reply #3 on: February 23, 2011, 08:38:56 PM »
Hi,

Thanks for your reply.

I have solved this problem by adding $args['valid'] = true; at row 39 of "plugins/http_authentication/http_authentication.php".
I also updated $rcmail_config['plugins'] = array('password', 'http_authentication'); in "config/main.inc.php".

Is this a correct and safe method?
« Last Edit: February 23, 2011, 09:06:23 PM by pinotje »

Offline rosali

  • Hero Member
  • Posts: 2,533
[0.5.1] external login page
« Reply #4 on: February 23, 2011, 10:30:47 PM »
You have disabled CSRF protection for the login this way. It is as safe as it was prior to Roundcube 0.5.1. You could install my logout_redirect plugin and adjust your external login form as shown in the ajax_login folder. The plugin has a referer check, so CSRF protection is only bypassed if the origin of the login request is legit.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)
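Added example (not code from this thread, from Roundcube, or from the MyRoundcube plugin mentioned above): a minimal startup-hook plugin that does what the quoted mailing-list snippet and Rosali's reply describe, supplying the session's login token only when the request comes from an allowlisted origin, and leaving every other request to the normal token check. The class and hook layout follow the Roundcube plugin API (rcube_plugin, init(), add_hook()); the plugin name external_login, its file path, the two allowed origins and the 'ajax=1' marker (borrowed from the quoted snippet) are assumptions for illustration, write_log() is the global logging helper of that Roundcube generation, and the session key $_SESSION['request_tokens']['login'] is used exactly as the quoted message shows it.

```php
<?php
// plugins/external_login/external_login.php  -- assumed plugin name and path (example only)
// Enable it with  $rcmail_config['plugins'] = array('external_login');  in config/main.inc.php

class external_login extends rcube_plugin
{
    // Origins allowed to host the external login form.
    // Constructed example values: replace with the site(s) that serve your form.
    private $allowed_origins = array(
        'https://portal.example.com',
        'https://www.example.com',
    );

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
    }

    // Runs before Roundcube validates the CSRF token of a login POST.
    function startup($args)
    {
        // Only act on a login request that carries credentials and the marker
        // the external form sends ('ajax=1', as in the quoted mailing-list snippet).
        if ($args['task'] != 'login' || $args['action'] != 'login') {
            return $args;
        }
        if (empty($_POST['ajax']) || empty($_POST['_user']) || empty($_POST['_pass'])) {
            return $args;
        }
        // A form that already sends its own token gets the normal CSRF handling.
        if (!empty($_POST['_token'])) {
            return $args;
        }

        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        if (!$this->origin_allowed($referer)) {
            // Unknown origin: do not touch the request, so the token check fails as usual,
            // and leave a trace in the errors log for the administrator.
            write_log('errors', 'external_login: token not supplied, referer not allowlisted: ' . $referer);
            return $args;
        }

        // Known origin: supply the token from the visitor's Roundcube session
        // (session key as shown in the quoted mailing-list message).
        $_POST['_token'] = $_SESSION['request_tokens']['login'];
        return $args;
    }

    // Exact match of the Referer's scheme://host[:port] against the allowlist.
    function origin_allowed($referer)
    {
        if ($referer == '') {
            return false;
        }
        $parts = parse_url($referer);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return false;
        }
        $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
        if (!empty($parts['port'])) {
            $origin .= ':' . $parts['port'];
        }
        return in_array($origin, $this->allowed_origins, true);
    }
}
```

Two things to keep in mind when using this shape: the Referer header is supplied by the client and some browsers or privacy settings strip it, so the check narrows the bypass to the listed origins rather than restoring the full token protection, and a user arriving from an allowlisted portal without a Referer is simply refused and lands on the normal login form. The token is also read from the visitor's existing Roundcube session, exactly as in the quoted snippet, so the login still depends on that session being present.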

Offline thiagogema

  • Newbie
  • Posts: 3
[0.5.1] external login page
« Reply #5 on: June 05, 2011, 04:40:58 PM »
Did they find a solution?
I'm going through the same problem.
Any idea?

My code:
Code:
<form method="POST" name="form" action="../wm/index.php?_task=login" target="_blank">
<p><font size="1" face="Verdana"><font color="#666666">
Usuário:</font> <input type="text" name="_user" size="20">
<font color="#666666">Senha:</font>
<input type="password" name="_pass" size="20">
<input type="submit" value="Entrar" style="font-family: Verdana; font-size: 8pt; color: #666666; border: 1px solid #666666; padding: 0"></font></p>
<input type="hidden" name="_action" value="login">
<input type="hidden" name="_task" value="login">
<input type="hidden" name="_timezone" value="_default_">
<input type="hidden" name="_url" value="">
<input type="hidden" name="_token" value="35aa6fe759b0617e9895681e0353ccdf">
</form>

Offline projectmyst

  • Jr. Member
  • Posts: 30
[0.5.1] external login page
« Reply #6 on: June 06, 2011, 01:35:45 AM »
Use the http_authentication plugin and use this code; it worked for me.

Code:
<form method="POST" name="form" action="../wm/index.php" target="_blank">
<p><font size="1" face="Verdana"><font color="#666666">
Usuário:</font> <input type="text" name="_user" size="20">
<font color="#666666">Senha:</font>
<input type="password" name="_pass" size="20">
<input type="submit" value="Entrar" style="font-family: Verdana; font-size: 8pt; color: #666666; border: 1px solid #666666; padding: 0"></font></p>
<input type="hidden" name="_action" value="login">
<input type="hidden" name="_task" value="login">
<input type="hidden" name="_timezone" value="_default_">
<input type="hidden" name="_url" value="">
<input type="hidden" name="_token" value="">
</form>

Offline thiagogema

  • Newbie
  • Posts: 3
[0.5.1] external login page
« Reply #7 on: June 06, 2011, 05:07:07 PM »
How do I use http_authentication?
I have to install something or change it?

Offline projectmyst

  • Jr. Member
  • Posts: 30
[0.5.1] external login page
« Reply #8 on: June 07, 2011, 04:56:59 AM »
It's a plugin; it's in the plugin folder when you download Roundcube. Just update $rcmail_config['plugins'] = array('http_authentication'); in "config/main.inc.php".

Offline teebsd

  • Newbie
  • Posts: 5
Re: [0.5.1] external login page
« Reply #9 on: January 24, 2014, 09:06:13 PM »
I finally made that. Check it out in my gist. https://gist.github.com/TeeBSD/8610622

Just make a patch.

PS: I need a job.