From 4c9890379da4188edae519d126c315ce93c4e593 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Mon, 28 May 2007 21:47:47 +0200
Subject: Partial Fix FS#1085
This fix adds a new configuration setting, 'auth_security_timeout', which controls the duration (seconds) before authentication information is rechecked. The default value is set to 900 seconds (15 minutes). Wiki installations particularly concerned about security should set this value to 0. DokuWiki maintains a copy of the most recent authentication details in both a browser cookie and server session. Normally these values are compared on each page visit. If the comparison passes the user is accepted. The same data will be used over and over until either the cookie or the session expires. FS#1085 is concerned with updates to the original authentication data not being able to affect this comparison. The new 'auth_security_timeout' setting will force expiration of the saved data after the specified period has elapsed. Re-authentication may affect page response, especially on systems which use remote authentication systems. This fix is considered partial and should be reviewed after the next release with a view to extending the authentication class to allow those mechanisms which are able to control when DW should revoke authentication. darcs-hash:20070528194747-d26fc-f471004da604eb66f7131c470e446b98c29d801b.gz
---
 inc/auth.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'inc')
diff --git a/inc/auth.php b/inc/auth.php
index 7b3f23bf3..6e9a2908f 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -138,6 +138,8 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
 $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
 $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
+ $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
+
 return true;
 }else{
 //invalid credentials - log off
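Review bot: The new `['time']` entry is written with no comment saying what it represents, and the key name alone does not tell a reader whether it is a login time, a last-activity time or an absolute expiry. Its only consumer is the cookie-trust comparison against `$conf['auth_security_timeout']` later in the same function, so a one-line comment at the write site would spare that lookup: `// login timestamp: the cookie-trust check rejects sessions older than $conf['auth_security_timeout'] seconds`. Whether the stamp is refreshed on a successful re-check cannot be confirmed from this hunk; auth_login continues outside it on both sides.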
@@ -154,6 +156,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 if($user && $pass){
 // we got a cookie - see if we can trust it
 if(isset($session) &&
+ ($session['time'] >= time()-$conf['auth_security_timeout']) &&
 ($session['user'] == $user) &&
 ($session['pass'] == $pass) && //still crypted
 ($session['buid'] == auth_browseruid()) ){
-- cgit v1.2.3
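Review bot: The added condition reads `$session['time']` and `$conf['auth_security_timeout']` without checking that either key exists, so a session established before this change (no `time` entry) or an installation whose configuration predates the new setting raises a PHP notice on every cookie-based visit. The comparison itself still fails closed in both cases (`null >= time()-…` is false, and an unset timeout shrinks the accepted window to the current second), so the effect is log noise and a forced re-check rather than a trust bypass, but the guard is cheap: `isset($session['time']) && ($session['time'] >= time() - (int)$conf['auth_security_timeout']) &&`. The default for `auth_security_timeout` is not part of this diff (the listing is limited to `inc/`), so whether it is defined on upgrade cannot be confirmed from here. auth_login continues on both sides of the hunk and the fall-through behaviour when the check fails is not visible.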