Author Topic: Autologin Not Working after Upgrade to 0.5.3 - "Invalid request! No data was saved."  (Read 5228 times)

Offline ckoeber

  • Newbie
  • *
  • Posts: 4
Hello,

I used to have automatic login working in prior versions of Roundcube but after upgrading to 0.5.3 I cannot get Automatic Logins to work. I use a CMS that uses the following code to log people into the RoundCube instance:

Code:
<form action="[[url]]" method="post" name="form">
  <input type="text" value="[[username]]" name="_user" id="rcmloginuser" onfocus="alreadyFocused=true;" />
  <input type="password" name="_pass" id="rcmloginpwd" onfocus="alreadyFocused=true;" value="[[password]]" />
  <input type="hidden" name="_action" value="login" />
  <input type="hidden" name="_task" value="mail" />
  <input type="hidden" name="_timezone" id="rcmlogintz" value="_default_" />
  <input type="hidden" name="_url" id="rcmloginurl" value="" />
  <input type="submit" value="Login" />
</form>


Where [[URL]] points to the web root URL of the Roundcube instance.

Now, before I didn't need any plugins to have the above code post and just work. Now, I tried the autologin plugin, which I am posting the code below, and that isn't working either:

Code:
<?php
/**
 * This plugin performs an automatic login if accessed
 * with post Data from other Site an Portal or CMS
 * Based on sample autologon PlugIn
 *
 * @version 0.2
 * @author Eric Appelt (lacri)
 *
 * show into README to install and config
 *
 * changes
 * 0.2 make a little bit secure with base64_encode strrev
 * and a key thats replace after submitting encoded pass data
 *
 */

class autologin extends rcube_plugin
{

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();

    $autologin = get_input_value('_autologin', RCUBE_INPUT_POST);

    // change action to login
    // if ($args['task'] == 'mail' && empty($args['action']) && empty($_SESSION['user_id']) && !empty($autologin)) {
    // $args['action'] = 'login';

    if ($args['task'] == 'login' && empty($args['action']) && empty($_SESSION['user_id']) && !empty($autologin)) {
      $args['action'] = 'login';


      // decode pass, revert and replace key
      $_POST['_pass'] = str_replace('MyKeyHere','',base64_decode(strrev(get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'))));

      // set initial cookie without this cookie login is not possible
      $_COOKIE['roundcube_sessid'] = session_id();
    }
    return $args;
  }

  function authenticate($args)
  {
    $autologin = get_input_value('_autologin', RCUBE_INPUT_POST);

    if (!empty($autologin)) {
      $args['user'] = get_input_value('_user', RCUBE_INPUT_POST);
      $args['pass'] = get_input_value('_pass', RCUBE_INPUT_POST);
      $args['host'] = get_input_value('_host', RCUBE_INPUT_POST);
    }

   return $args;
  }
}


What else do I need to do to get automatic logins to work again?

Thanks.

Regards,
Christopher Koeber

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,882
    • SKaero - Custom Roundcube development
In the authenticate function you need to add the following lines:
Quote
$args['cookiecheck'] = false;
$args['valid'] = true;

Offline ckoeber

  • Newbie
  • *
  • Posts: 4

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,882
    • SKaero - Custom Roundcube development
I'm not sure what some of the code in your autologin.php does, try this:

<?php
class autologon extends rcube_plugin
{
  public $task = 'login';

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
      $args['action'] = 'login';

    return $args;
  }

  function authenticate($args)
  {
    if (!empty($_GET['_autologin'])) {
      $args['user'] = $_POST['_user'];
      $args['pass'] = $_POST['_pass'];
      $args['host'] = $_POST['_host'];
      $args['cookiecheck'] = false;
      $args['valid'] = true;
    }

    return $args;
  }

}

Offline whiteatom

  • Newbie
  • *
  • Posts: 1
I'm having the same issues. SKaero, the autologin.php code is not his, it's from the Autologin plugin - PHP-Lexikon. The extra code in the plugin is decoding the base-64 encoded password sent from the form on his CMS. The purpose of the code is to by-pass the RoundCube login screen by sending the host, username and b64 encoded password to this plugin that should decode, and pass on to the login script, but like ckoeber, I cannot get it to work.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,882
    • SKaero - Custom Roundcube development
While I couldn't say for sure without testing the whole system you should be able to add base64_decode function around the password like:
$args['pass'] = base64_decode($_POST['_pass']);
Or if it needs to be like the code above:
$args['pass'] = base64_decode(strrev($_POST['_pass']));
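
The encoding that the autologin plugin applies to `_pass` (reversed base64 plus a fixed key string), as an added example that is not part of the original thread or of the plugin: it shows that the value decodes without knowing the key, next to an authenticated-encryption alternative. The key position in `obfuscate_pass`, all function names and the sample password are assumptions, and the alternative assumes PHP 7.2+ with the sodium extension.

```php
<?php
// Added example; not code from the autologin plugin. Sample values are constructed.

// Inverse of the plugin's decode line. Putting the key before the password
// is an assumption: the plugin only strips the key string out after decoding.
function obfuscate_pass(string $pass, string $key): string
{
    return strrev(base64_encode($key . $pass));
}

// Reversing the encoding takes no secret; the "key" travels inside the value.
function decode_without_key(string $token): string
{
    return base64_decode(strrev($token));
}

// Alternative: authenticated encryption under a key shared by the CMS and the
// webmail host. Output is base64(nonce || ciphertext).
function seal_pass(string $pass, string $sharedKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($pass, $nonce, $sharedKey));
}

// Returns the password, or null when the value is malformed, was modified in
// transit, or was sealed under a different key.
function open_pass(string $token, string $sharedKey): ?string
{
    $raw = base64_decode($token, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $sharedKey);
    return $plain === false ? null : $plain;
}

$token = obfuscate_pass('s3cret-pass', 'MyKeyHere');
var_dump(decode_without_key($token));   // decoded with no knowledge of the key

$sharedKey = sodium_crypto_secretbox_keygen();   // generate once, keep server-side
$sealed = seal_pass('s3cret-pass', $sharedKey);
var_dump(open_pass($sealed, $sharedKey));
var_dump(open_pass($sealed, sodium_crypto_secretbox_keygen()));   // a different key
```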

Offline bakhtiyor

  • Jr. Member
  • **
  • Posts: 22
Hi everybody.

I am a newbie in Roundcube but it is really the greatest free webmail I have ever seen. I also urgently need that autologin functionality mentioned by ckoeber. I am using the 0.5.3 version of Roundcube, I have tried autologon and autologin plugins but without any success.

Have you ever tried this functionality in 0.5.3 version?

Thanks a lot

Offline bakhtiyor

  • Jr. Member
  • **
  • Posts: 22
Possible solution?!?
« Reply #7 on: July 25, 2011, 01:39:55 PM »
Hi again.

I think I have found the right script for autologin here, and that's why I wanted to share it with you also. I have tested it several times and it seems that it is working. What do you think about it?

best,
Bakhtiyor
« Last Edit: July 25, 2011, 01:41:57 PM by bakhtiyor »

Offline rosali

  • Hero Member
  • *****
  • Posts: 2,533
The script looks good to me. The advantage of this class is that CSRF prevention and the cookie check need not be disabled. So, this is more secure than all other methods.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)