From e87049bac944f4909502a4db359ce90f50e91784 Mon Sep 17 00:00:00 2001 From: olavmrk Date: Wed, 6 Mar 2013 12:54:06 +0000 Subject: Do not mark a session as logged in before all processing is completed. If we mark the session as logged in before all processing is completed, a failure during login processing (e.g. too big attribute values) can cause a user to receive a "half-authenticated" session. This patch changes the code so that the last task before releasing the session is to mark it as logged in. git-svn-id: https://modmellon.googlecode.com/svn/trunk@184 a716ebb1-153a-0410-b759-cfb97c6a1b53 --- auth_mellon_handler.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'auth_mellon_handler.c') diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c index 5b3417a..3007a01 100644 --- a/auth_mellon_handler.c +++ b/auth_mellon_handler.c @@ -1591,9 +1591,6 @@ static int add_attributes(am_cache_entry_t *session, request_rec *r, + apr_time_make(dir_cfg->session_length, 0)); } - /* Mark user as logged in. */ - session->logged_in = 1; - /* Save session information. */ ret = am_cache_env_append(session, "NAME_ID", name_id); if(ret != OK) { @@ -1911,6 +1908,9 @@ static int am_handle_reply_common(request_rec *r, LassoLogin *login, return rc; } + /* Mark user as logged in. */ + session->logged_in = 1; + am_release_request_session(r, session); lasso_login_destroy(login); -- cgit
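Review bot: In the second hunk, the `return rc;` just above the new `session->logged_in = 1;` exits with the flag still clear, but add_attributes may already have set the expiry and appended NAME_ID to that session. Nothing visible here shows that path releasing or discarding the entry. The change is only fail-closed if logged_in is zero when the entry is created and every reader checks it before trusting cached attributes; neither is visible in this diff, so both are worth confirming. I would also spell out the ordering requirement so a later edit does not move the assignment back up, e.g. `/* Mark user as logged in. Keep this the last step before releasing the session: a failure above must never leave logged_in set. */`. Both functions start and end outside the hunks.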