authorAndreas Gohr <andi@splitbrain.org>2008-06-03 21:34:50 +0200
committerAndreas Gohr <andi@splitbrain.org>2008-06-03 21:34:50 +0200
commitf13fa892aab9df4b816e1227fe328acd7ba9b35b (patch)
treeee2dae8dc3fd8d54071cf08e3ec6093d1a339f62
parent4e1578a0c4a0428ef5a11eab04e01606c9427751 (diff)
authentication via session tokens
This patch adds a way to create a token for an authenticated user which is stored in the session. When a subsequent request resends this token, the request will be authenticated automatically without the need for any cookies or credential rechecking. The auth token expires with the session. Requesting a new token will invalidate the old one. Sending a wrong token will result in a 401 and any existing token will be revoked. This is currently not used anywhere in the code but can be used for browser-initiated client software (flash, applets, ...). Note this is unrelated to the anti-CSRF sectoken implementation. Users who want to make use of this mechanism will probably need to pass the session id and a valid sectoken in addition to the authtoken darcs-hash:20080603193450-7ad00-2f35ddde16a31c4f2699e0e6050b3c4277b2bc64.gz
-rw-r--r--inc/auth.php46
1 files changed, 44 insertions, 2 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 0c005635d..d7effdc9e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -65,8 +65,11 @@
$_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
}
- // external trust mechanism in place?
- if(!is_null($auth) && $auth->canDo('external')){
+ if($_REQUEST['authtok']){
+ // when an authentication token is given, trust the session
+ auth_validateToken($_REQUEST['authtok']);
+ }elseif(!is_null($auth) && $auth->canDo('external')){
+ // external trust mechanism in place
$auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
}else{
auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
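Review bot: The guard `if($_REQUEST['authtok'])` indexes a key that is absent on every ordinary request, which raises an E_NOTICE before either fallback branch runs, and it also treats a token of `'0'` as missing; `if(!empty($_REQUEST['authtok'])){` keeps the intent without the notice. Because `$_REQUEST` merges GET, POST and cookie data, a token passed in the query string will be recorded in server and proxy logs and leak through Referer headers; reading `$_POST['authtok']` only, or documenting that clients must send the token in the request body, would limit that exposure. The token branch is now tried ahead of the external-trust branch, so a stale token ends the request with a 401 inside auth_validateToken even where `$auth->canDo('external')` would otherwise have authenticated it — worth stating in the branch comment, e.g. `// an explicit auth token takes precedence over external trust and is fatal if wrong`. The enclosing block starts before the hunk.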
@@ -178,6 +181,45 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
}
/**
+ * Checks if a given authentication token was stored in the session
+ *
+ * Will setup authentication data using data from the session if the
+ * token is correct. Will exit with a 401 Status if not.
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ * @param string $token The authentication token
+ * @return boolean true (or will exit on failure)
+ */
+function auth_validateToken($token){
+ if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']){
+ // bad token
+ header("HTTP/1.0 401 Unauthorized");
+ print 'Invalid auth token - maybe the session timed out';
+ unset($_SESSION[DOKU_COOKIE]['auth']['token']); // no second chance
+ exit;
+ }
+ // still here? trust the session data
+ global $USERINFO;
+ $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
+ $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info'];
+ return true;
+}
+
+/**
+ * Create an auth token and store it in the session
+ *
+ * NOTE: this is completely unrelated to the getSecurityToken() function
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ * @return string The auth token
+ */
+function auth_createToken(){
+ $token = md5(mt_rand());
+ $_SESSION[DOKU_COOKIE]['auth']['token'] = $token;
+ return $token;
+}
+
+/**
* Builds a pseudo UID from browser and IP data
*
* This is neither unique nor unfakable - still it adds some