Roundcube Community Forum

 

When using intermediate 'authenticator': invalid request no data was saved

Started by twisterbr, October 13, 2011, 09:12:48 AM


stalker150

Quote from: rosali;37071
Alternatively you could move ...

    $args['cookiecheck'] = false;
    $args['valid'] = true;

... to top of authenticate hook.

Is there no way of enabling the external form login without changing the authenticate hook? I have to get my Roundcubemail "update-secure", and as I can see in the new beta version the authenticate hook will be overwritten with the next update, so the changes to the http_authentication.php in the plugin folder will be lost.

//EDIT: Wait ... I can just copy the http_authentication.php into a new plugin folder, rename it and it's safe I guess. We can drop this question.
 
Quote from: rosali;37086
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook: [...]

Quote from: rosali;37098
The conclusion is wrong. Roundcube processes only forms and AJAX requests which contain a unique token which is generated by Roundcube.

Is it as safe as it was before ... without the http_authentication plugin enabled?
What about the CSRF-protection? Is that enabled after all?

//EDIT²: Okay just found out ... $args['valid'] = true; disables the CSRF-check so it's insecure I guess.