Conversation

@fredreichbier
Contributor

@fredreichbier fredreichbier commented Jul 22, 2017

Hello there!

Description

With this change applied, DefaultTokenProvider initially sets the lastCheck timestamp to the current time when generating new tokens.

Related Issue

#28467

Motivation and Context

On ownCloud master, each user login via the user_ldap app sends two bind requests to the LDAP backend. This breaks 2FA (because one-time passwords are reused). See #28467 and #26065 for more details.

The second LDAP bind request is triggered by an initial user session validation right after a successful login. This checks the user password (i.e. sends a bind request). If we set lastCheck of new tokens to the current time, this initial check is skipped. As a result, a user login only sends one LDAP Bind Request, which (1) improves performance and (2) makes it possible to implement 2FA in the LDAP backend.

This change fixes #28467, but I don't know enough about the ownCloud internals to evaluate whether this change is sensible. Does setting the lastCheck time like this have any security implications?

How Has This Been Tested?

Manually checked that a user login only sends one LDAP bind request.

Please note that in order to test this on the current master, #28450 needs to be applied first! Otherwise, login via user_ldap fails generally.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Thanks!
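The behaviour the PR description walks through, modelled as an added example that is not ownCloud's code: a session token carries a lastCheck timestamp, session validation re-binds to LDAP only when that timestamp is older than a re-check interval, and initialising lastCheck at token creation removes the second bind on login. The class names, the `set_initial_last_check` switch and the `CHECK_INTERVAL` value are assumptions for illustration.

```python
"""Toy model of login + session re-validation; not ownCloud code."""

CHECK_INTERVAL = 300.0  # seconds before a password re-check is due (assumed value)


class LdapBackend:
    """Stand-in LDAP server that simply counts the bind requests it receives."""

    def __init__(self, password: str):
        self._password = password
        self.binds = 0

    def bind(self, password: str) -> bool:
        self.binds += 1
        return password == self._password


class TokenProvider:
    """Creates session tokens; the flag toggles the PR's change."""

    def __init__(self, set_initial_last_check: bool):
        self.set_initial_last_check = set_initial_last_check

    def generate(self, now: float) -> dict:
        # Before the fix: lastCheck is unset (0), so the first validation is "overdue".
        return {"last_check": now if self.set_initial_last_check else 0.0}


def validate_session(backend: LdapBackend, token: dict, password: str, now: float) -> bool:
    """Re-check the password only when the last check is older than CHECK_INTERVAL."""
    if now - token["last_check"] < CHECK_INTERVAL:
        return True
    ok = backend.bind(password)
    if ok:
        token["last_check"] = now
    return ok


def login(backend: LdapBackend, provider: TokenProvider, password: str, now: float):
    """One bind to authenticate, then the initial session validation right after login."""
    if not backend.bind(password):
        return None
    token = provider.generate(now)
    validate_session(backend, token, password, now)
    return token


def binds_for_login(set_initial_last_check: bool) -> int:
    backend = LdapBackend("s3cret")  # constructed credential
    login(backend, TokenProvider(set_initial_last_check), "s3cret", now=1000.0)
    return backend.binds


def binds_after_interval(set_initial_last_check: bool) -> int:
    """Shows the periodic re-check still happens once CHECK_INTERVAL has elapsed."""
    backend = LdapBackend("s3cret")
    token = login(backend, TokenProvider(set_initial_last_check), "s3cret", now=1000.0)
    validate_session(backend, token, "s3cret", now=1000.0 + CHECK_INTERVAL)
    return backend.binds
```

With the flag off the login costs two binds (the situation in #28467); with it on, one bind, while the password is still re-validated against the backend once the interval has passed.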

@PVince81 PVince81 left a comment

👍

@PVince81
Contributor

@fredreichbier please backport to stable10 (submit a PR to that branch with the same changes)

@lock

lock bot commented Aug 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 3, 2019

Development

Successfully merging this pull request may close these issues.

Login via user_ldap sends two LDAP bind requests instead of one