From f13fa892aab9df4b816e1227fe328acd7ba9b35b Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 3 Jun 2008 21:34:50 +0200 Subject: authentication via session tokens This patch adds a way to create a token for an authenticated user which is stored in the session. When a subsequent request resends this token, the request will be authenticated automatically without the need for any cookies or credential rechecking. The auth token expires with the session. Requesting a new token will invalidate the old one. Sending a wrong token will result in a 401 and any existing token will be revoked. This is currently not used anywhere in the code but can be used for browser intitiated client software (flash, applets, ...). Note this is unreleated to the anti CSRF sectoken implementation. Users who want to make use of this mechanism will probably need to pass the session id and a valid sectoken in addtion to the authtoken darcs-hash:20080603193450-7ad00-2f35ddde16a31c4f2699e0e6050b3c4277b2bc64.gz --- inc/auth.php | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/inc/auth.php b/inc/auth.php index 0c005635d..d7effdc9e 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -65,8 +65,11 @@ $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW']; } - // external trust mechanism in place? - if(!is_null($auth) && $auth->canDo('external')){ + if($_REQUEST['authtok']){ + // when an authentication token is given, trust the session + auth_validateToken($_REQUEST['authtok']); + }elseif(!is_null($auth) && $auth->canDo('external')){ + // external trust mechanism in place $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); }else{ auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); @@ -177,6 +180,45 @@ function auth_login($user,$pass,$sticky=false,$silent=false){ return false; } +/** + * Checks if a given authentication token was stored in the session + * + * Will setup authentication data using data from the session if the + * token is correct. Will exit with a 401 Status if not. + * + * @author Andreas Gohr + * @param string $token The authentication token + * @return boolean true (or will exit on failure) + */ +function auth_validateToken($token){ + if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']){ + // bad token + header("HTTP/1.0 401 Unauthorized"); + print 'Invalid auth token - maybe the session timed out'; + unset($_SESSION[DOKU_COOKIE]['auth']['token']); // no second chance + exit; + } + // still here? trust the session data + global $USERINFO; + $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user']; + $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info']; + return true; +} + +/** + * Create an auth token and store it in the session + * + * NOTE: this is completely unrelated to the getSecurityToken() function + * + * @author Andreas Gohr + * @return string The auth token + */ +function auth_createToken(){ + $token = md5(mt_rand()); + $_SESSION[DOKU_COOKIE]['auth']['token'] = $token; + return $token; +} + /** * Builds a pseudo UID from browser and IP data * -- cgit v1.2.3