MDL-9399 auth/ldap: NTLM SSO - Resolve Moodle cookies issue, tighten config.php requi...

Use $nomoodlecookie global to avoid session troubles. Also

 * Ensure we load the appropriate config.php, even if we are executing
   under a strange environment (ie: with a user's credentials!)

 * Test we have a spacer gif to open before we open it

diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php
index e8f42b396bdc1bb6c2e78943cc5e52a5b60d42af..f14f9e3988290f19a8a13333f343d2575abea6da 100644 (file)
--- a/auth/ldap/auth.php
+++ b/auth/ldap/auth.php
@@ -1765,6 +1765,7 @@ class auth_plugin_ldap extends auth_plugin_base {
      *
      * NOTE that this code will execute under the OS user credentials, 
      * so we MUST avoid dealing with files -- such as session files.
+     * (The caller should set $nomoodlecookie before including config.php)
      *
      */
     function ntlmsso_magic($sesskey) {

diff --git a/auth/ldap/ntlmsso_attempt.php b/auth/ldap/ntlmsso_attempt.php
index 1c05eb73b11a2c3415fcfa629890807853d7a86c..4f400b115191ea0bdffbf7a70f930ce17daf8a5a 100644 (file)
--- a/auth/ldap/ntlmsso_attempt.php
+++ b/auth/ldap/ntlmsso_attempt.php
@@ -1,6 +1,6 @@
 <?php
 
-require_once("../../config.php");
+require_once(dirname(dirname(dirname(__FILE__)))."/config.php");
 
 //HTTPS is potentially required in this page
 httpsrequired();

diff --git a/auth/ldap/ntlmsso_finish.php b/auth/ldap/ntlmsso_finish.php
index e029c350e1f3ea2cbd89454874845301278b7f24..effaeb1f376884a174bcf213a06217a7224914d2 100644 (file)
--- a/auth/ldap/ntlmsso_finish.php
+++ b/auth/ldap/ntlmsso_finish.php
@@ -1,6 +1,6 @@
 <?php
 
-require_once("../../config.php");
+require_once(dirname(dirname(dirname(__FILE__)))."/config.php");
 
 //HTTPS is potentially required in this page
 httpsrequired();

diff --git a/auth/ldap/ntlmsso_magic.php b/auth/ldap/ntlmsso_magic.php
index 624b6d8ce621ef4c19329a33fd82fa5463d3c302..79077ef2b3f449da8ea3481c4b8b080c04886ea2 100644 (file)
--- a/auth/ldap/ntlmsso_magic.php
+++ b/auth/ldap/ntlmsso_magic.php
@@ -1,8 +1,12 @@
 <?php
 
-// Disable session handling here?
-require_once("../../config.php");
-session_write_close();
+// Don't let lib/setup.php set any cookies
+// as we will be executing under the OS security
+// context of the user we are trying to login, rather than
+// of the webserver.
+$nomoodlecookie=true;
+
+require_once(dirname(dirname(dirname(__FILE__)))."/config.php");
 
 //HTTPS is potentially required in this page
 httpsrequired();
@@ -18,10 +22,12 @@ if (empty($authplugin->config->ntlmsso_enabled)) {
 }
 
 $sesskey = required_param('sesskey', PARAM_RAW);
-if ($authplugin->ntlmsso_magic($sesskey)) {
+$file = $CFG->dirroot . '/pix/spacer.gif';
+
+if ($authplugin->ntlmsso_magic($sesskey) 
+    && file_exists($file)) {
+
     // Serve GIF
-    $file = $CFG->dirroot . '/pix/spacer.gif';
-    
     // Type
     header('Content-Type: image/gif');
     header('Content-Length: '.filesize($file));