From dc9cfc1c813c17d853ebc694601dd9a0a54e10dd Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 15 Feb 2016 10:44:33 +0100
Subject: [PATCH 1/5] Call getRequest() only once in Auth::authHttp()
refs #11151
---
 library/Icinga/Authentication/Auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index f80326999..e63b10ef1 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -278,10 +278,11 @@ class Auth
      */
     protected function authHttp()
     {
-        if ($this->getRequest()->isXmlHttpRequest()) {
+        $request = $this->getRequest();
+        if ($request->isXmlHttpRequest()) {
             return false;
         }
-        if (($header = $this->getRequest()->getHeader('Authorization')) === false) {
+        if (($header = $request->getHeader('Authorization')) === false) {
             return false;
         }
         if (empty($header)) {
From a464e74aa42142de039600f9630f1a8ce8c40218 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 15 Feb 2016 10:53:32 +0100
Subject: [PATCH 2/5] Allow basic auth for API requests only
refs #11151
---
 library/Icinga/Authentication/Auth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index e63b10ef1..4e15c9512 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -270,7 +270,7 @@ class Auth
     }
 
     /**
-     * Attempt to authenticate a user using HTTP authentication
+     * Attempt to authenticate a user using HTTP authentication on API requests only
      *
      * Supports only the Basic HTTP authentication scheme. XHR will be ignored.
      *
@@ -279,7 +279,7 @@ class Auth
     protected function authHttp()
     {
         $request = $this->getRequest();
-        if ($request->isXmlHttpRequest()) {
+        if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
             return false;
         }
         if (($header = $request->getHeader('Authorization')) === false) {
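Review bot: With `|| ! $request->isApiRequest()` added, the request object's isApiRequest() now decides whether an Authorization header is considered at all, yet neither the hunk nor the updated docblock says what makes a request an API request. Because that classification has become part of the authentication boundary, a `@see` line pointing at isApiRequest(), or a docblock sentence such as `* Only requests that isApiRequest() classifies as API requests are considered; all others, and XHR, return false without looking at the header.`, would let a reader audit the path without hunting for the definition. authHttp() continues past the end of the hunk.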
From c5281935c6ff7d7b208e43794cbef21070acc090 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 15 Feb 2016 11:14:37 +0100
Subject: [PATCH 3/5] Regenerate a session ID only if the session exists
refs #11151
---
 library/Icinga/Web/Session/PhpSession.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/Icinga/Web/Session/PhpSession.php b/library/Icinga/Web/Session/PhpSession.php
index 06fd08b7c..0c10cdefa 100644
--- a/library/Icinga/Web/Session/PhpSession.php
+++ b/library/Icinga/Web/Session/PhpSession.php
@@ -213,7 +213,9 @@ class PhpSession extends Session
     public function refreshId()
     {
         $this->open();
-        session_regenerate_id();
+        if ($this->exists()) {
+            session_regenerate_id();
+        }
         session_write_close();
         $this->hasBeenTouched = true;
     }
From 8a4f15d32c851d8cfeab77d4cff429a04d05806b Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Mon, 15 Feb 2016 13:36:29 +0100
Subject: [PATCH 4/5] Don't redirect unauthenticated API requests to the login page
refs #11151
---
 library/Icinga/Authentication/Auth.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 4e15c9512..2a9b18627 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -282,10 +282,7 @@ class Auth
         if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
             return false;
         }
-        if (($header = $request->getHeader('Authorization')) === false) {
-            return false;
-        }
-        if (empty($header)) {
+        if (($header = $request->getHeader('Authorization')) === false || empty($header)) {
             $this->challengeHttp();
         }
         list($scheme) = explode(' ', $header, 2);
From 74b4c344d6c55f009d206bc910f829191f25c913 Mon Sep 17 00:00:00 2001
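Review bot: The `session_regenerate_id();` call inside the new `if ($this->exists())` guard still omits the delete_old_session argument, so the previous session ID stays usable until PHP's garbage collection removes it; `session_regenerate_id(true);` invalidates the old ID immediately, which is what a refresh after a login is normally meant to guarantee. Separately, `$this->hasBeenTouched = true;` is now reached even when exists() is false and nothing was regenerated — if the flag is meant to record an actual change, it belongs inside the guard, though I cannot see from this hunk what consumes it. The whole of refreshId() is inside the hunk.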
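Review bot: In the rewritten branch, control continues after `$this->challengeHttp();` into `list($scheme) = explode(' ', $header, 2);` with `$header` being false or empty, whereas the removed lines returned false as soon as the header was missing. That is only correct if challengeHttp() ends the request, which this hunk does not show; if it merely prepares the 401 response, the method should stop explicitly, e.g. `$this->challengeHttp();` followed by `return false;` — and if it does exit, a `// challengeHttp() sends the 401 and does not return` comment on the call would spare the next reader the same question. The same fall-through shape is kept in PATCH 5/5. authHttp() continues past the end of the hunk.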
From: "Alexander A. Klimov"
Date: Mon, 15 Feb 2016 14:22:36 +0100
Subject: [PATCH 5/5] Shorten check for empty auth header
refs #11151
---
 library/Icinga/Authentication/Auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 2a9b18627..f8fac1ac0 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -282,7 +282,7 @@ class Auth
         if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
             return false;
         }
-        if (($header = $request->getHeader('Authorization')) === false || empty($header)) {
+        if (empty($header = $request->getHeader('Authorization'))) {
             $this->challengeHttp();
         }
         list($scheme) = explode(' ', $header, 2);
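Review bot: `empty($header = $request->getHeader('Authorization'))` folds an assignment into the condition and relies on `empty()` to cover both the false return of getHeader() and an empty string, which is harder to read in an authentication check than it needs to be. A two-line form names the two cases it handles: `$header = $request->getHeader('Authorization');` then `if ($header === false || $header === '') {`; the only behavioural difference is that a header whose whole value is `0` would no longer be challenged here but parsed below, which I assume the scheme check that follows rejects anyway. authHttp() continues past the end of the hunk.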