Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:21298
Return-Path: <kingwez@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 72781 invoked by uid 1010); 21 Dec 2005 06:58:49 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 72766 invoked from network); 21 Dec 2005 06:58:49 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Dec 2005 06:58:49 -0000
X-Host-Fingerprint: 64.233.184.197 wproxy.gmail.com Linux 2.4/2.6
Received: from ([64.233.184.197:26690] helo=wproxy.gmail.com)
	by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP
	id DA/DC-14561-82DF8A34 for <internals@lists.php.net>; Wed, 21 Dec 2005 01:58:48 -0500
Received: by wproxy.gmail.com with SMTP id i24so72353wra
	for <internals@lists.php.net>; Tue, 20 Dec 2005 22:58:44 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=D5s7MqYIuqB4gkzNBPMgMScVW5nqwfgV5yX5UGl9hqQVYTM+YM4A0AfU523k4W1QqJTF9SO8McXpeQGTYktkyIsFTMwYaxUALsnwQYtOfO2FDhOlIbttkp0l/s9f0196KbyYZD69s6XdQcshXp/47p2sj99LKkSvvmTQsSxTQfE=
Received: by 10.54.96.2 with SMTP id t2mr402384wrb;
	Tue, 20 Dec 2005 22:58:43 -0800 (PST)
Received: by 10.54.77.20 with HTTP; Tue, 20 Dec 2005 22:58:41 -0800 (PST)
Message-ID: <4e89b4260512202258j47f6745foe3b3f4d493b6cbba@mail.gmail.com>
Date: Wed, 21 Dec 2005 01:58:41 -0500
To: Michael B Allen <mba2000@ioplex.com>
Cc: internals@lists.php.net
In-Reply-To: <20051221005926.4c8ad254.mba2000@ioplex.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <20051221005926.4c8ad254.mba2000@ioplex.com>
Subject: Re: [PHP-DEV] Maintaining State Across Requests / An SSO Extension
From: kingwez@gmail.com (Wez Furlong)

Just curious, why aren't you writing this as an apache module?

Is this of any use; it seems a bit dated, but could save you some effort:
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html

--Wez.


On 12/21/05, Michael B Allen <mba2000@ioplex.com> wrote:
> Hello,
>
> I have a question that is maybe a little too advanced for the usual list
> so I'm hoping I can ask here.
>
> I want to write an extension for Kerberos 5 Single Sign On using
> GSSAPI. The problem is that GSSAPI is an iterative, multistep, statefull
> exchange. The request response flow might look like the following:
>
>   C: GET /foo ---------->
>               <---------- S: 401 Unauthorized
>                              WWW-Authenticate: Negotiate
>   C: GET /foo ---------->
>      Authorization: Negotiate <base64-token-1>
>               <---------- S: 401 Unauthorized
>                              WWW-Authenticate: Negotiate <base64-token-2>
>   C: GET /foo ---------->
>      Authorization: Negotiate <base64-token-3>
>               <---------- S: 200
>                              <data>
>
> [Actually no state must be maintained for the initial request/response
> and for the Kerberos mechanism there's usually only two tokens which
> makes the whole exchange stateless. But for NTLMSSP there can be three
> tokens exchanged as depicted above and GSSAPI places no limit on the
> number of tokens exchanged for a given mechanism.]
>
> I'm sure you can imagine the headaches involved with trying to perform
> a stateful exchange over HTTP. In general the prevailing technique is
> to use a session cookie to maintain the state during the exchange. For
> example one might write this in PHP roughly like the following:
>
>     function authenticate() {
>         if (!isset($_SESSION["sso"])) {
>             $_SESSION["sso"] =3D sso_new();
>         }
>         $sso =3D $_SESSION["sso"];
>
>         $token =3D "";
>         $headers =3D apache_request_headers();
>         if (isset($headers["Authorization"])) {
>             $token =3D $headers["Authorization"];
>             $token =3D sso_do_gssapi($sso, $token);
>             switch (sso_status($sso)) {
>                 case SSO_SUCCESS:
>                     $_SESSION["auth"] =3D $sso;
>                 case SSO_FAILURE:
>                     unset($_SESSION["sso"]);
>                     return $sso;
>             }
>             $token =3D " " . $token;
>         }
>
>         header("WWW-Authenticate: Negotiate" . $token);
>         header("HTTP/1.1 401 Unauthorized");
>         die("More processing required.");
>     }
>
> I've read the tutorials and I have a working extension package but I
> need a better understanding of ZE internals with respect to maintaining
> state across requests. All of the examples register a dtor such that any
> variable returned is garbage collected after the request completes. For
> example, in the code above, if sso_new were to return a resource it is
> automatically unset from $_SESSION. I need it to persist.
>
> Ultimately I want to create one 'struct sso_context *' stored as a global
> (or one per MINIT is ok) from which I will derive 'struct sso *' objects
> in sso_new() that must persist for the life of the user's session. Can
> someone recommend a good technique for this?
>
> Thanks,
> Mike
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>