Newsgroups: php.internals
Date: Wed, 21 Dec 2005 00:59:26 -0500
From: mba2000@ioplex.com (Michael B Allen)
To: internals@lists.php.net
Message-ID: <20051221005926.4c8ad254.mba2000@ioplex.com>
Subject: Maintaining State Across Requests / An SSO Extension

Hello,

I have a question that is maybe a little too advanced for the usual list, so I'm hoping I can ask here.

I want to write an extension for Kerberos 5 Single Sign On using GSSAPI. The problem is that GSSAPI is an iterative, multistep, stateful exchange.
The request/response flow might look like the following:

    C: GET /foo                      ---------->
                                     <----------  S: 401 Unauthorized
                                                     WWW-Authenticate: Negotiate
    C: GET /foo                      ---------->
       Authorization: Negotiate
                                     <----------  S: 401 Unauthorized
                                                     WWW-Authenticate: Negotiate
    C: GET /foo                      ---------->
       Authorization: Negotiate
                                     <----------  S: 200

[Actually no state must be maintained for the initial request/response, and for the Kerberos mechanism there are usually only two tokens, which makes the whole exchange stateless. But for NTLMSSP there can be three tokens exchanged as depicted above, and GSSAPI places no limit on the number of tokens exchanged for a given mechanism.]

I'm sure you can imagine the headaches involved with trying to perform a stateful exchange over HTTP. In general the prevailing technique is to use a session cookie to maintain the state during the exchange. For example, one might write this in PHP roughly like the following:

    function authenticate() {
        /* the in-progress GSSAPI context lives in the session between requests */
        if (!isset($_SESSION["sso"])) {
            $_SESSION["sso"] = sso_new();
        }
        $sso = $_SESSION["sso"];
        $token = "";
        $headers = apache_request_headers();
        if (isset($headers["Authorization"])) {
            $token = $headers["Authorization"];
            /* feed the client's token to the mechanism; get the reply token (if any) */
            $token = sso_do_gssapi($sso, $token);
            switch (sso_status($sso)) {
                case SSO_SUCCESS:
                    $_SESSION["auth"] = $sso;
                    /* fall through: the handshake is over either way */
                case SSO_FAILURE:
                    unset($_SESSION["sso"]);
                    return $sso;
            }
            /* SSO_CONTINUE: another round trip is needed */
            $token = " " . $token;
        }
        header("WWW-Authenticate: Negotiate" . $token);
        header("HTTP/1.1 401 Unauthorized");
        die("More processing required.");
    }

I've read the tutorials and I have a working extension package, but I need a better understanding of ZE internals with respect to maintaining state across requests. All of the examples register a dtor such that any variable returned is garbage collected after the request completes. For example, in the code above, if sso_new were to return a resource it is automatically unset from $_SESSION. I need it to persist.
Ultimately I want to create one 'struct sso_context *' stored as a global (or one per MINIT is ok) from which I will derive 'struct sso *' objects in sso_new() that must persist for the life of the user's session. Can someone recommend a good technique for this? Thanks, Mike
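As an added illustration (not code from the mail above or from any PHP extension), the following models the multi-round Negotiate exchange over stateless HTTP requests with the in-progress context kept server-side, keyed by a session cookie, the way the PHP sketch does with $_SESSION. The mechanism is a constructed two-token toy (principal, then an HMAC over a server nonce) standing in for a GSSAPI mechanism; it has no security value of its own, and the names SsoContext, sso_step, Server and run_exchange are assumptions made for this example. It differs from the sketch in two respects a practitioner would care about: no context is allocated until a client actually sends an Authorization header, and abandoned handshakes expire rather than being resumed.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed toy mechanism: a static shared secret plays the role that
# Kerberos tickets / NTLM credentials play in a real GSSAPI mechanism.
TOY_SECRET = b"constructed-shared-secret"
HANDSHAKE_TTL = 60.0  # seconds an unfinished handshake may linger server-side


def _mac(data: bytes) -> bytes:
    return hmac.new(TOY_SECRET, data, hashlib.sha256).digest()


class SsoContext:
    """Per-handshake server state, analogous to the mail's 'struct sso *'."""
    CONTINUE, SUCCESS, FAILURE = "continue", "success", "failure"

    def __init__(self):
        self.status = self.CONTINUE
        self.challenge = None           # nonce sent to the client in round 1
        self.pending_principal = None   # claimed identity, unverified until round 2
        self.principal = None           # verified identity, set on success
        self.created = time.monotonic()


def sso_step(ctx: SsoContext, token: bytes) -> bytes:
    """Server side of the toy mechanism; returns the token to send back (may be empty)."""
    if ctx.challenge is None:
        # Round 1: the client's first token names the principal; answer with a nonce.
        ctx.pending_principal = token.decode("ascii", "replace")
        ctx.challenge = secrets.token_bytes(16)
        return ctx.challenge
    # Round 2: the client proves knowledge of the secret with MAC(nonce || principal).
    expected = _mac(ctx.challenge + ctx.pending_principal.encode())
    if hmac.compare_digest(expected, token):
        ctx.status, ctx.principal = SsoContext.SUCCESS, ctx.pending_principal
    else:
        ctx.status = SsoContext.FAILURE
    return b""


def client_token(round_no: int, principal: str, challenge: bytes = b"") -> bytes:
    """Client side of the toy mechanism."""
    return principal.encode() if round_no == 1 else _mac(challenge + principal.encode())


class Server:
    """Request handler mirroring the mail's authenticate(); sessions stand in for $_SESSION."""

    def __init__(self):
        self.sessions = {}  # cookie value -> session dict

    def _session(self, cookie):
        if cookie is None or cookie not in self.sessions:
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = {}
        return cookie, self.sessions[cookie]

    def handle(self, headers: dict) -> dict:
        cookie, sess = self._session(headers.get("Cookie"))
        ctx = sess.get("sso")
        if ctx is not None and time.monotonic() - ctx.created > HANDSHAKE_TTL:
            del sess["sso"]  # do not resume a stale handshake
            ctx = None
        auth = headers.get("Authorization", "")
        out_token = b""
        if auth.startswith("Negotiate "):
            if ctx is None:
                ctx = sess["sso"] = SsoContext()  # state only once a token arrives
            try:
                in_token = base64.b64decode(auth[len("Negotiate "):], validate=True)
                out_token = sso_step(ctx, in_token)
            except (binascii.Error, ValueError):
                ctx.status = SsoContext.FAILURE
            if ctx.status == SsoContext.SUCCESS:
                sess["auth"] = ctx.principal  # only the verified result persists
                del sess["sso"]
                return {"status": 200, "Set-Cookie": cookie, "body": "hello " + ctx.principal}
            if ctx.status == SsoContext.FAILURE:
                del sess["sso"]  # a failed handshake must not be continued
                return {"status": 401, "Set-Cookie": cookie, "WWW-Authenticate": "Negotiate",
                        "body": "authentication failed"}
        www = "Negotiate" + (" " + base64.b64encode(out_token).decode() if out_token else "")
        return {"status": 401, "Set-Cookie": cookie, "WWW-Authenticate": www,
                "body": "More processing required."}


def run_exchange(server: Server, principal: str, tamper: bool = False) -> dict:
    """Drive the three requests depicted in the mail and return the final response."""
    r = server.handle({})  # C: GET /foo with no Authorization header
    cookie = r["Set-Cookie"]
    if r["status"] != 401 or r["WWW-Authenticate"] != "Negotiate":
        raise RuntimeError("expected initial Negotiate challenge")
    tok = base64.b64encode(client_token(1, principal)).decode()
    r = server.handle({"Cookie": cookie, "Authorization": "Negotiate " + tok})
    challenge = base64.b64decode(r["WWW-Authenticate"].split(" ", 1)[1])
    tok2 = client_token(2, principal, challenge)
    if tamper:
        tok2 = bytes([tok2[0] ^ 1]) + tok2[1:]  # corrupt one bit of the proof
    return server.handle({"Cookie": cookie,
                          "Authorization": "Negotiate " + base64.b64encode(tok2).decode()})
```

Running run_exchange(Server(), "alice") walks the 401 / 401 / 200 sequence; after the final response the session holds only the verified principal under "auth" and the "sso" context is gone, so a later request cannot replay or continue the handshake. With tamper=True the second token fails verification, the server answers 401 and likewise discards the context.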