select session_id, data_key, data_value from sessions where Data_Key="UserLogin" or Data_Key="UserType" order by session_id
UserType tells us either Customer or User.
The idea is that if we trust that OTRS has established a session (and who is telling us what the session_id is), then we should also trust who OTRS has authenticated, so tell us who that user is. Given that, we have pass-through SSO with OTRS as auth.
Anyone have any rebuttal to this? The external replay attacks can be somewhat mitigated if the sender isn't known, and the sender can't be appropriately spoofed.
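The lookup described in the post, turned into a small check that a relying application could run before trusting a presented session_id. This is an added example and not code from the post or from OTRS itself; it assumes an in-memory copy of the sessions table with the same three columns the query above uses, and it assumes two extra keys (UserRemoteAddr and UserLastRequest) that are not mentioned in the post, in order to show the "sender must be known and not spoofable" mitigation the post raises against replay. The session id is bound as a query parameter because, in a pass-through design, it arrives from the client.

```python
import sqlite3

# Fixed "current time" so the constructed sample data below is deterministic.
NOW = 1_700_000_000


def build_sample_db(now=NOW):
    """Constructed in-memory stand-in for the OTRS sessions table
    (session_id, data_key, data_value). UserRemoteAddr and UserLastRequest
    are assumed keys for illustration, not taken from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table sessions (session_id text, data_key text, data_value text)"
    )
    rows = [
        ("sess-alice", "UserLogin", "alice"),
        ("sess-alice", "UserType", "User"),
        ("sess-alice", "UserRemoteAddr", "10.0.0.5"),
        ("sess-alice", "UserLastRequest", str(now - 60)),      # active a minute ago
        ("sess-bob", "UserLogin", "bob"),
        ("sess-bob", "UserType", "Customer"),
        ("sess-bob", "UserRemoteAddr", "10.0.0.9"),
        ("sess-bob", "UserLastRequest", str(now - 7200)),      # idle for two hours
    ]
    conn.executemany("insert into sessions values (?, ?, ?)", rows)
    return conn


def load_session(conn, session_id):
    """Fetch every data_key/data_value pair for one session as a dict.
    The id is passed as a bound parameter, never spliced into the SQL text."""
    cur = conn.execute(
        "select data_key, data_value from sessions where session_id = ?",
        (session_id,),
    )
    return dict(cur.fetchall())


def resolve_user(conn, session_id, remote_addr, now=NOW, max_idle=1800):
    """Return (UserLogin, UserType) only if the presented session is one OTRS
    established, was created from the same sender, and is not stale.
    Otherwise return None and let the caller fall back to a normal login."""
    data = load_session(conn, session_id)
    if "UserLogin" not in data or "UserType" not in data:
        return None  # no established OTRS session behind this id
    if data.get("UserRemoteAddr") != remote_addr:
        return None  # presented from a different sender: treat as a replay
    last_request = float(data.get("UserLastRequest", 0))
    if now - last_request > max_idle:
        return None  # session has gone idle; do not extend trust to it
    return data["UserLogin"], data["UserType"]


if __name__ == "__main__":
    conn = build_sample_db()
    print(resolve_user(conn, "sess-alice", "10.0.0.5"))   # ('alice', 'User')
    print(resolve_user(conn, "sess-alice", "10.0.0.77"))  # None: different sender
    print(resolve_user(conn, "sess-bob", "10.0.0.9"))     # None: idle too long
```

The sender check only helps to the extent the relying application sees the same client address OTRS saw (a shared reverse proxy or the same network path); behind NAT or a proxy that rewrites addresses, the address is not a reliable sender identity and the idle timeout is doing most of the work.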