Using OTRS Session to relay login for SSO.

Moderator: crythias

crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Using OTRS Session to relay login for SSO.

Post by crythias »

This is ... probably nothing that should work.

Code:

    select session_id, data_key, data_value
    from sessions
    where data_key = 'UserLogin' or data_key = 'UserType'
    order by session_id;
The thought is to pass the session ID encrypted (POST) to the other website, then decrypt the session ID, retrieve the UserLogin based upon the session id. (SQL query).

UserType tells us either Customer or User.

The idea is that if we trust that OTRS has established a session (and who is telling us what the session_id is), then we should also trust who OTRS has authenticated, so tell us who that user is. Given that, we have pass-through SSO with OTRS as auth.

Anyone have any rebuttal to this? The external replay attacks can be somewhat mitigated if the sender isn't known, and the sender can't be appropriately spoofed.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Using OTRS Session to relay login for SSO.

Post by root »

Hi,

Why not use the GenericInterface operation SessionGet instead of an SQL query? A single request and all data is returned. I've just been thinking for minutes about why everybody is able to request details of a session without authentication...

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Using OTRS Session to relay login for SSO.

Post by crythias »

Here's my issue, and maybe you have an idea...

I have PHP scripts/web pages (on the same server?) that I'd love to support by authenticating with the currently logged-in OTRS user. So ... I guess I could wrap them in Perl, or I'll want to siphon the API through GenericInterface SessionGet. I just need to build the GenericInterface call from PHP.
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Using OTRS Session to relay login for SSO.

Post by root »

crythias wrote: 14 May 2020, 23:39
Here's my issue, and maybe you have an idea...

I have PHP scripts/web pages (on the same server?) that I'd love to support by authenticating with the currently logged-in OTRS user. So ... I guess I could wrap them in Perl, or I'll want to siphon the API through GenericInterface SessionGet. I just need to build the GenericInterface call from PHP.
Hi,

Here's an example client in PHP: https://github.com/rkaldung/otrs-gi-res ... client.php

Modify https://github.com/rkaldung/otrs-gi-res ... nt.php#L24 to execute a GET request to the SessionGet URL to get all the session data.

- Roy
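The PHP side of what this thread sketches, as an added example that is neither Roy's client.php nor OTRS code: the relying page receives the relayed session ID, asks the GenericInterface SessionGet operation for the session data, and only accepts the caller once both UserLogin and UserType come back. The SessionGet route (`<web service base>/Session/<SessionID>`) and the response shape (`SessionData` as a list of `Key`/`Value` pairs) are assumptions about how the web service is configured; check them against your own web service definition.

```php
<?php
// Added example (not Roy's client.php, not OTRS code).
// Assumptions: the web service maps SessionGet to GET <base>/Session/<SessionID>,
// and the operation answers with JSON like
//   {"SessionData":[{"Key":"UserLogin","Value":"jdoe"},{"Key":"UserType","Value":"User"}]}
// Adjust both to match the route and mapping in your web service configuration.

function buildSessionGetUrl(string $baseUrl, string $sessionId): string
{
    // The session ID comes from an untrusted POST: refuse anything that does not
    // look like a session ID before it is placed into a URL path. The length
    // window is an assumption; OTRS session IDs are plain alphanumeric strings.
    if (!preg_match('/^[A-Za-z0-9]{16,128}$/', $sessionId)) {
        throw new InvalidArgumentException('malformed session id');
    }
    return rtrim($baseUrl, '/') . '/Session/' . rawurlencode($sessionId);
}

function fetchSessionData(string $url): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,   // only the real OTRS host may answer
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return null;                      // transport or HTTP failure: no identity
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) ? $decoded : null;
}

function identityFromSessionGet(?array $response): ?array
{
    // An error document, an unknown/expired session or a malformed body all
    // collapse to "not logged in" rather than to a partially trusted user.
    if ($response === null || !isset($response['SessionData']) || !is_array($response['SessionData'])) {
        return null;
    }
    $wanted = ['UserLogin' => null, 'UserType' => null];
    foreach ($response['SessionData'] as $pair) {
        if (isset($pair['Key'], $pair['Value']) && array_key_exists($pair['Key'], $wanted)) {
            $wanted[$pair['Key']] = (string) $pair['Value'];
        }
    }
    // Both facts are required: who the user is, and whether OTRS sees them as an
    // agent ("User") or a customer ("Customer"), as described earlier in the thread.
    if ($wanted['UserLogin'] === null || !in_array($wanted['UserType'], ['User', 'Customer'], true)) {
        return null;
    }
    return $wanted;
}

// Usage on the relying page. $sessionId is the decrypted value from the relayed
// POST; the base URL is a placeholder for your own web service name.
// $who = identityFromSessionGet(fetchSessionData(buildSessionGetUrl(
//     'https://otrs.example.invalid/otrs/nph-genericinterface.pl/Webservice/YourWebservice',
//     $sessionId
// )));
// if ($who === null) { http_response_code(401); exit; }
// $_SESSION['login'] = $who['UserLogin']; $_SESSION['type'] = $who['UserType'];
```

Two points worth keeping in mind when wiring this up: a GET places the session ID in the URL, so it will appear in web server and proxy access logs unless the call stays on an internal path, and the relying page should never echo or log the ID itself; and, as Roy notes above, SessionGet answers without any authentication of its own, so the web service should be reachable only from the host that performs this lookup.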