From de4ef41e4b299146877d082fc886093c4346b83f Mon Sep 17 00:00:00 2001
From: Richard Kalinec <rkalinec@gmail.com>
Date: Sat, 4 Feb 2017 18:22:23 +0100
Subject: [PATCH] Do not logout current user on empty REMOTE_USER by default

Created a new configuration variable
webserver_auth_logout_empty_remote_user (FALSE by default) that
determines whether the current user will be logged out if the
environment variables containing the remote user name (authname) are
not set.
---
 webserver_auth.install |  1 +
 webserver_auth.module  | 23 ++++++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/webserver_auth.install b/webserver_auth.install
index 63d092d..c2e7a68 100644
--- a/webserver_auth.install
+++ b/webserver_auth.install
@@ -21,4 +21,5 @@ function webserver_auth_uninstall() {
   variable_del('webserver_auth_insert');
   variable_del('webserver_auth_add_all_new');
   variable_del('webserver_auth_skip_check');
+  variable_del('webserver_auth_logout_empty_remote_user');
 }
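Review bot: Existing installs silently lose the logout-on-empty-REMOTE_USER behaviour after this patch, because the module's `variable_get()` falls back to FALSE and this file only adds the uninstall `variable_del()`. That behaviour tied the lifetime of a Drupal session to the web server still asserting an identity, so relaxing it on upgrade should be opt-in rather than implicit. Consider adding an update hook (hook_update_N) in this file that runs `variable_set('webserver_auth_logout_empty_remote_user', TRUE);` so sites already deployed keep their current semantics until an administrator changes the new setting.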
diff --git a/webserver_auth.module b/webserver_auth.module
index 6f61ac0..d73c432 100644
--- a/webserver_auth.module
+++ b/webserver_auth.module
@@ -133,8 +133,11 @@ function _webserver_auth_route() {
     drupal_alter('webserver_auth_authname', $authname);
   }
 
-  if (! $authname) {
-    // Empty authname is anonymous: close any current session.
+  /* Empty authname is anonymous: if configured so, close any current session. This is FALSE by default,
+     as it may ultimately prevent mod_auth_gssapi authentication from working, or at least it makes it
+     practically impossible to configure it only for a login page, what effectively means a requirement
+     for HTTP Negotiate at every request. */
+  if (variable_get('webserver_auth_logout_empty_remote_user', FALSE) && ! $authname) {
     if (user_is_logged_in()) {
       _webserver_auth_logout();
     }
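Review bot: The new comment explains why the default is FALSE for mod_auth_gssapi but not what is given up, which is the security-relevant half for whoever reads this next. With the option off, a user who is already logged in keeps their Drupal session even when the web server stops sending an authname, so the session is bounded only by Drupal's own session handling rather than by the external authenticator. Suggest adding to the comment: `// Security trade-off: with this off, an established Drupal session is not ended when the web server stops asserting an identity; it ends only via Drupal's normal session expiry or an explicit logout.` The enclosing `_webserver_auth_route()` starts before this hunk and continues past it.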
@@ -142,13 +145,16 @@ function _webserver_auth_route() {
     return;
   }
 
-  /* Check if the authname matches the current session.
-     If it does, we're done. */
+  /* Check if the authname matches the current session. If it does, we're done.
+     Empty authname here means that the module is not configured to logout the user
+     in this case, and therefore we're done. However, in the case it is nonempty
+     and different from the current session, we want to log the current user out
+     and attempt to log in the user represented by the new authname. */
   if (user_is_logged_in()) {
 
     /* Validate session authname.  We don't match against uid as authmap may
        link to a user with uid different than authname. */
-    if (isset($_SESSION['webserver_authname'])
+    if (! $authname || isset($_SESSION['webserver_authname'])
 	&& ($_SESSION['webserver_authname'] == $authname)) {
       return;
     }
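Review bot: The `! $authname ||` short-circuit on the `isset` line only returns when someone is already logged in; an anonymous request that arrives with an empty authname and the option off no longer hits the `return` in the earlier block, so it now falls through past this hunk into whatever login logic follows, which previously never saw an empty authname. Unless that code is known to reject an empty name, guard it explicitly before the session check, e.g. `if (! $authname) { return; }` placed just above `if (user_is_logged_in())`, which also lets the `isset` condition stay as it was. While this condition is being touched, parenthesising the `isset(...) && (...)` pair makes the intended precedence explicit, and the session/authname comparison would be safer as `===` than `==` since PHP compares numeric-looking strings numerically. `_webserver_auth_route()` continues beyond this hunk.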
@@ -398,6 +404,13 @@ function _webserver_auth_settings($form, &$form_state) {
       '#default_value' => variable_get('webserver_auth_skip_check', FALSE),
       '#description' => t("Skips the authorisation check, allowing users to login even if they were not created though this module.  Not recommended if you use multiple authentication methods."),
     ),
+    'webserver_auth_logout_empty_remote_user' => array(
+      '#type' => 'checkbox',
+      '#title' => t('Logout the current user if the authname is empty'),
+      '#default_value' => variable_get('webserver_auth_logout_empty_remote_user', FALSE),
+      '#description' => t("Logout the current user if the remote user name retrieved from the environment variables is empty. This must be disabled for mod_auth_gssapi to work."
+    . "  Enable if you are not going to use mod_auth_gssapi, but other authentication methods supported by this module."),
+    ),
   );
   return system_settings_form($form);
 }
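Review bot: The checkbox description tells administrators the option "must be disabled for mod_auth_gssapi to work" but says nothing about what disabling it means for session lifetime, which is the decision they are actually making; it is also stronger than the code comment in the same patch, which only says the logout "may" break mod_auth_gssapi. Suggest extending the description with: `When disabled, a user who is already logged in stays logged in even if the web server no longer supplies a remote user name; the Drupal session then ends only through normal session expiry or an explicit logout.` Aligning the wording with the comment ("may prevent" rather than "must be disabled") would avoid overstating the constraint. `_webserver_auth_settings()` starts before this hunk.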
