[Freeipa-devel] [PATCH 64] Implement password based session login

Rob Crittenden rcritten at redhat.com
Sun Feb 26 20:38:34 UTC 2012


John Dennis wrote:
> This patch adds support for password based session login (see detailed
> comments in patch)
>
> Only the server side is implemented, someone will have to add password
> based login to the UI, when they do they should update the unauthorized
> messages to include the new method, those messages occur in two places.
>
> * in install/html/unauthorized.html
> * in the function error_handler() in install/ui/ipa.js:442
>
> Sending the login requires sending the username (not the principal) and
> password as application/x-www-form-urlencoded parameters in a GET or
> POST request. Note, I only tested GET, but POST should work. Attached is
> a curl script I used to test (send_login_password).
>
> There is one other minor issue not included in any previous patches nor
> this one, the VERSION file should be updated to force the apache
> configuration to be updated.

If one keeps running the script more and more cookies get set each time 
(it seems to add a new session every other request). I ended up with:

< HTTP/1.1 200 Success
< Date: Sun, 26 Feb 2012 20:36:38 GMT
< Server: Apache/2.2.21 (Fedora)
< Set-Cookie: ipa_session=905b903b164cc8449a1619f610012ad0; httponly; Path=/ipa; secure
< Set-Cookie: ipa_session=296d1c815326806be5dc609593950787; httponly; Path=/ipa; secure
< Set-Cookie: ipa_session=0a3ddb3e43f093f54acac0568bf2c8af; httponly; Path=/ipa; secure
< Set-Cookie: ipa_session=df4b39d4fe659ebfc401ee154c32fd1d; httponly; Path=/ipa; secure
< Set-Cookie: ipa_session=10ce26f372355b7ed2d11f34dbce8edf; httponly; Path=/ipa; secure
< Content-Length: 0
< Connection: close
< Content-Type: text/plain; charset=UTF-8
<
* Closing connection #0

It also looks like some of the sessions only appear from time to time. 
For example, the next request I did did not contain 
905b903b164cc8449a1619f610012ad0 but the one after that did again.

rob
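
A way to check a captured response for the symptom reported above, as an added example that is not part of the original thread or the FreeIPA code: it parses `curl -v` response headers, rejoins wrapped lines, and flags a cookie name that is set more than once in a single response or that lacks `httponly`/`secure`. The sample headers and session ids are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed `curl -v` response headers; session ids are placeholders.
# The second cookie is wrapped over two lines, as a mail client would wrap it.
SAMPLE = """\
< HTTP/1.1 200 Success
< Set-Cookie: ipa_session=SESSION_ID_A; httponly; Path=/ipa; secure
< Set-Cookie: ipa_session=SESSION_ID_B; httponly;
Path=/ipa; secure
< Set-Cookie: ipa_session=SESSION_ID_C; Path=/ipa
< Content-Length: 0
"""

def unfold(text):
    """Rejoin header lines that were wrapped after curl printed them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(("<", ">", "*")) or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_set_cookies(text):
    """Return (name, value, attributes) for each Set-Cookie response header."""
    cookies = []
    for line in unfold(text):
        m = re.match(r"<\s*set-cookie:\s*(.+)$", line, re.IGNORECASE)
        parts = [p.strip() for p in m.group(1).split(";") if p.strip()] if m else []
        if not parts:
            continue
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (a.partition("=") for a in parts[1:])}
        cookies.append((name, value, attrs))
    return cookies

def audit(text):
    """Flag repeated cookie names and cookies missing HttpOnly or Secure."""
    cookies = parse_set_cookies(text)
    counts = Counter(name for name, _, _ in cookies)
    findings = [f"{n}: set {c} times in one response" for n, c in counts.items() if c > 1]
    for name, value, attrs in cookies:
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}={value}: missing {flag}")
    return findings
```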



