Hi all,
After I upgraded RoundCube from 0.5 to 0.5.1 my customers cannot log in anymore from an external login page, whereas previously it worked...
The HTML code of the relevant login page:
<form name="form" method="post" action="http://server1.abcdomein.nl/roundcube/index.php">
<input type="hidden" name="_token" value="56b4e11557372680a6ede1c9ec47ceea" />
<input type="hidden" name="_task" value="login" />
<input type="hidden" name="_action" value="login" />
<input type="hidden" name="_timezone" id="rcmlogintz" value="_default_" />
<input type="hidden" name="_url" id="rcmloginurl" />
E-mailadres:<br />
<input style="width:100px;" name="_user" id="rcmloginuser" autocomplete="off" type="text" /><br />
Wachtwoord:<br />
<input style="width:100px;" name="_pass" id="rcmloginpwd" autocomplete="off" type="password" />
<img src="<?php echo "$abc";?>/img/_spacer.gif" height="20" width="60" alt="0" />
<input type="image" src="<?php echo "$abc";?>/img/button_login.gif" name="Submit" />
</form>
Also, customers are getting an error message: "Invalid request! No data was saved".
How can I solve this problem?
See the following roundcube mailing lists thread:
RoundCube Mailing Lists (http://lists.roundcube.net/mail-archive/dev/2011-02/0000055.html)
Quote from rosali: See the following roundcube mailing lists thread:
RoundCube Mailing Lists (http://lists.roundcube.net/mail-archive/dev/2011-02/0000055.html)
Thanks for your reply!
In the Mailing Lists it says:
Subject: Re: [RCD] custom login form vs. CSRF-protection in RC 0.5.1
From: Roland Liebl <[email protected]>
Reply-to: [email protected]
Date: Sun, 13 Feb 2011 09:06:28 +0100
To: Philip Iezzi <[email protected]>
Cc: RoundCube Dev <[email protected]>
On Sat, 12 Feb 2011 23:38:33 +0100, Philip Iezzi wrote:
> Hi
>
> You were introducing (better) CSRF protection in RC 0.5.1. In RC 0.5
> we were able to provide our own custom login forms (on a different
> domain) for Roundcube. In 0.5.1 those forms no longer work, probably
> due to the missing "_token" POST request param. We're getting
> redirected to the login form right after submitting the login
> credentials.
>
> We provide both "_user" and "_pass" input fields but are not able to
> provide the hidden "_token" field as this token gets generated by RC.
> Example login form that works perfectly under RC 0.5:
> https://my.onlime.ch/index/webmail
>
> Is there any workaround for this in RC 0.5.1? I couldn't find any
> hints about custom login forms in your Wiki.
You could use a plugin (startup hook):
function startup($args)
{
    // in this example the outside login form must submit 'ajax=1' so that
    // a login attempt can be detected
    if (!empty($_POST['ajax']) && !empty($_POST['_user']) && !empty($_POST['_pass'])) {
        // perhaps some additional checks, e.g. HTTP Referer ...
        $_POST['_token'] = $_SESSION['request_tokens']['login'];
    }
    return $args;
}
>
> Thanks!
> Regards, Philip
> _______________________________________________
> List info: http://lists.roundcube.net/dev/
Where do I have to put the plugin (startup hook)?
Hi,
Thanks for your reply.
I have solved this problem by adding $args['valid'] = true; at line 39 of "plugins/http_authentication/http_authentication.php".
I also updated $rcmail_config['plugins'] = array('password', 'http_authentication'); in "config/main.inc.php".
Is this a correct and safe method?
You have disabled CSRF protection for the login this way. It is as safe as it was prior to Roundcube 0.5.1. You could install my logout_redirect plugin and adjust your external login form as shown in the ajax_login folder. The plugin has a referer check, so CSRF protection is only bypassed if the origin of the login request is legit.
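A worked version of the startup-hook approach from the quoted mailing-list post, combined with the referer check rosali mentions, written as an added example for this thread rather than code taken from the thread, from the logout_redirect plugin, or from Roundcube itself. It is a hypothetical plugin named external_login (the name, the file path and the host login.example.invalid are assumptions); it supplies the login token only for POSTs whose Origin or Referer header matches an allowlisted origin, so every other login POST still hits the stock CSRF check instead of having it switched off. The session key $_SESSION['request_tokens']['login'] and the ajax=1 marker field are taken from the quoted 0.5.1-era post.

```php
<?php
// plugins/external_login/external_login.php  (hypothetical plugin, added example)
// Enable it with: $rcmail_config['plugins'] = array('external_login');
//
// Rather than turning the CSRF check off for every login POST, the startup
// hook supplies the login token only when the POST comes from a known origin.

class external_login extends rcube_plugin
{
    // Load this plugin only for the login task.
    public $task = 'login';

    // Constructed allowlist of origins (scheme://host[:port]) that may submit
    // the external form. Replace the placeholder with your own login host.
    private $allowed_origins = array(
        'https://login.example.invalid',
    );

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
    }

    function startup($args)
    {
        // Act only on a login POST that carries the marker field ('ajax=1')
        // the external form submits, together with user name and password.
        if ($args['task'] != 'login'
            || $_SERVER['REQUEST_METHOD'] != 'POST'
            || empty($_POST['ajax'])
            || empty($_POST['_user'])
            || empty($_POST['_pass'])) {
            return $args;
        }

        $origin = $this->request_origin();

        // No usable origin, or one that is not on the allowlist: leave the
        // request alone so the stock token check rejects it exactly as before.
        if ($origin === '' || !in_array($origin, $this->allowed_origins, true)) {
            error_log('external_login: rejected login POST from origin "' . $origin . '"');
            return $args;
        }

        // Known sender: supply the token the core compares against, as in the
        // quoted mailing-list post (0.5.1 session layout).
        $_POST['_token'] = $_SESSION['request_tokens']['login'];
        return $args;
    }

    // Normalise the Origin header (preferred) or, failing that, the Referer
    // to scheme://host[:port]; returns '' when neither header is usable.
    private function request_origin()
    {
        $hdr = '';
        if (!empty($_SERVER['HTTP_ORIGIN'])) {
            $hdr = $_SERVER['HTTP_ORIGIN'];
        }
        else if (!empty($_SERVER['HTTP_REFERER'])) {
            $hdr = $_SERVER['HTTP_REFERER'];
        }

        $p = ($hdr !== '') ? parse_url($hdr) : false;
        if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
            return '';
        }

        $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
        if (!empty($p['port'])) {
            $origin .= ':' . $p['port'];
        }
        return $origin;
    }
}
```

The external form then keeps the fields the thread already shows (_task=login, _action=login, _user, _pass) and adds a hidden ajax=1 field; it needs no _token of its own. Two caveats: browsers or privacy proxies that strip Origin and Referer make those users fall back to the stock check, so they will see the "Invalid request" error rather than a silent bypass, and the external page should be served over HTTPS so the header it sends carries the https scheme that is on the allowlist. On Roundcube versions newer than 0.5.1 the token is no longer read from that session key; there the value to assign is obtained from the core's own request-token accessor instead, which is an assumption to verify against the version you run.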
Did anyone find a solution?
I'm going through the same problem.
Any idea?
My code:
<form method="POST" name="form" action="../wm/index.php?_task=login" target="_blank">
<p><font size="1" face="Verdana"><font color="#666666">
Usuário:</font> <input type="text" name="_user" size="20">
<font color="#666666">Senha:</font>
<input type="password" name="_pass" size="20">
<input type="submit" value="Entrar" style="font-family: Verdana; font-size: 8pt; color: #666666; border: 1px solid #666666; padding: 0"></font></p>
<input type="hidden" name="_action" value="login">
<input type="hidden" name="_task" value="login">
<input type="hidden" name="_timezone" value="_default_">
<input type="hidden" name="_url" value="">
<input type="hidden" name="_token" value="35aa6fe759b0617e9895681e0353ccdf">
</form>
Use the http_authentication plugin and this code; it worked for me.
<form method="POST" name="form" action="../wm/index.php" target="_blank">
<p><font size="1" face="Verdana"><font color="#666666">
Usuário:</font> <input type="text" name="_user" size="20">
<font color="#666666">Senha:</font>
<input type="password" name="_pass" size="20">
<input type="submit" value="Entrar" style="font-family: Verdana; font-size: 8pt; color: #666666; border: 1px solid #666666; padding: 0"></font></p>
<input type="hidden" name="_action" value="login">
<input type="hidden" name="_task" value="login">
<input type="hidden" name="_timezone" value="_default_">
<input type="hidden" name="_url" value="">
<input type="hidden" name="_token" value="">
</form>
How do I use http_authentication?
I have to install something or change it?
It's a plugin; it's in the plugins folder when you download Roundcube. Just update $rcmail_config['plugins'] = array('http_authentication'); in "config/main.inc.php".
I finally made that. Check it out in my gist. https://gist.github.com/TeeBSD/8610622
Just make a patch.
PS: I need a job.