Customizing user authentication (Pubcookie)

From refbase

Pubcookie

Currently refbase supports only one method of user authentication – email and password – which requires every user to register manually. For those who already have a Pubcookie authentication infrastructure in place at their organization, this document offers some suggestions on how to make it work with refbase.

(Note: For more information about the Pubcookie project, including source, installation, and howto's, see: http://www.pubcookie.org/ )

After reviewing our requirements, the way we chose to implement Pubcookie with Refbase (v.9.0) with the fewest changes was to make pubcookie work on top of the native refbase authentication.

In pubcookie, when users log in, they provide a username and password (or similar credentials) to the pubcookie login server. If authentication succeeds, a good deal of cookie generation happens, and at the end a session cookie is issued; the Apache module then exposes the result to the application as $_SERVER['REMOTE_USER']. In most cases this value is the username of the authenticated user. By design, Pubcookie never makes the password available to the application.

Modifying source code

In refbase, the user provides an email and password to log in. To make that compatible with pubcookie, the password can be set to one static password for all users, or it can be generated from the username. Providing a static password is secure because the user cannot access any files before authenticating with pubcookie using their own credentials; the static password is only used after that pubcookie authentication, to pass the refbase login.

Depending on your setup, the email can be generated based on the username or other credentials returned by pubcookie. For example, at one university, the username is appended with the string: "@university.of.yadda.edu" to construct a correct email address.

We performed the following steps in order to integrate pubcookie into our Refbase installation:

      • An .htaccess file has to be added to the refbase directory so that every file and folder in that directory is protected by pubcookie and cannot be accessed unless the user logs in. All users who are to be granted access to refbase have to be listed in this .htaccess file. .htaccess file setup:

     AuthType UWNetID
     AuthName "Application Name"
     # list the accounts allowed into refbase ("require valid-user" would admit any authenticated user)
     require user user_name1 user_name2 user_name3 etc.


      • With pubcookie, the login server presents a login page that lets the user enter the necessary credentials. The original refbase login form is therefore no longer needed, and neither is the original index.php page (it contains nothing useful besides the login form). To avoid confusion, rename index.php to index.php.stock.
      • user_login.php will become the new index.php page. This is where most of the changes take place. The “check_login” function has to be changed to set $loginEmail and $loginPassword to the values returned and generated after pubcookie authentication:

First, set up the retrieval of the pubcookie credentials at the beginning of the file:

     $settings['email'] = $_SERVER["REMOTE_USER"] . "@u.washington.edu";
     $settings['pass'] = "uwnetid";

Then modify the “check_login” function:

     if (isset($settings['email'])) {
         $loginEmail = $settings['email'];
         $loginPassword = $settings['pass'];
     }

Also, the chunk of code that displays the login form can be commented out, since pubcookie provides its own login page. “user_login.php” is called whenever the session dies and asks the user to re-authenticate; with the new “check_login” function it re-authenticates automatically, since pubcookie’s login cookie stays alive for 8 hours.

Since all users who can authenticate to pubcookie are valid users of refbase, it might be useful to let them register some personal information for their refbase user account at first-time login. To enable this, in the “check_login” function, the second if statement, “if ($foundUser)”, registers all necessary session variables if the user name was found in the refbase database; otherwise it displays the login failed window. Replace that else branch with a redirect:

     else {
         header("Location: user_details.php");
     }

This way the user is redirected to user_details.php and can “automatically” register. This only happens the first time a given user accesses his/her refbase account. To enable this option, one more change has to be made in the initialize/ini.inc.php file: the 3rd variable, $addNewUsers, is changed to "everyone".
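The combined check_login logic from the steps above, as an added example that is not refbase's own code and not from the original page: it derives the refbase email/password pair from REMOTE_USER, looks the user up, and returns the action to take (log in, redirect to user_details.php, or deny). The constant names, the username pattern and the $findUser callback standing in for refbase's database query are assumptions; like the .htaccess step, it assumes the whole directory sits behind Pubcookie.

```php
<?php
// Added example, not refbase's or Pubcookie's own code: the decision made by
// the modified check_login() in user_login.php, written as standalone functions.
// Assumed (not from the page): the username pattern, the $findUser callback
// standing in for refbase's database lookup, and the constant names.

const PUBCOOKIE_MAIL_DOMAIN = '@u.washington.edu'; // domain from the page's example
const PUBCOOKIE_STATIC_PASS = 'uwnetid';           // static password from the page's example

// Map what the Pubcookie Apache module exposes (REMOTE_USER) to the refbase
// login pair. Returns null unless REMOTE_USER is present and well-formed, so
// the static password is only ever used after a real Pubcookie authentication.
function pubcookieCredentials(array $server): ?array
{
    $user = $server['REMOTE_USER'] ?? '';
    // Assumed username format; tighten it to your site's NetID rules. It keeps a
    // malformed value from being concatenated into an unexpected email address.
    if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/', $user)) {
        return null;
    }
    return ['email' => $user . PUBCOOKIE_MAIL_DOMAIN, 'pass' => PUBCOOKIE_STATIC_PASS];
}

// Outcome of the modified check_login(): log a known user in, send an unknown
// but Pubcookie-authenticated user to user_details.php to register (the
// $addNewUsers = "everyone" setting), or fail closed when there is no identity.
function pubcookieCheckLogin(array $server, callable $findUser): string
{
    $creds = pubcookieCredentials($server);
    if ($creds === null) {
        return 'deny'; // no Pubcookie identity: never fall through to the static password
    }
    $loginEmail    = $creds['email'];
    $loginPassword = $creds['pass'];
    if ($findUser($loginEmail, $loginPassword)) {
        return 'login'; // original "if ($foundUser)" branch: set the session variables
    }
    return 'redirect:user_details.php'; // first visit: let the user register
}

// Constructed stand-in for refbase's user lookup (one pre-registered account).
$known = ['alice@u.washington.edu' => PUBCOOKIE_STATIC_PASS];
$findUser = fn(string $email, string $pass): bool =>
    isset($known[$email]) && hash_equals($known[$email], $pass);

foreach ([['REMOTE_USER' => 'alice'], ['REMOTE_USER' => 'bob'], []] as $server) {
    echo pubcookieCheckLogin($server, $findUser), "\n";
}
```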

Note: This technique has been tested on refbase 0.9.0 and might need to be modified for other versions.