author | Dan |
Fri, 12 Jun 2009 13:49:22 -0400 | |
changeset 77 | e5f1f45ea7e2 |
parent 74 | 7719085707d8 |
permissions | -rw-r--r-- |
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
1 |
<?php |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
2 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
3 |
/** |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
4 |
* Greyhound - real web management for Amarok |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
5 |
* Copyright (C) 2008 Dan Fuhry |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
6 |
* |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
7 |
* This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
8 |
* as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
9 |
* |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
10 |
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
11 |
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details. |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
12 |
*/ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
13 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
14 |
function greyhound_login_page($httpd, $socket) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
15 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
16 |
if ( session_check() ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
17 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
18 |
$httpd->header('HTTP/1.1 307 Temporary Redirect'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
19 |
$httpd->header('Location: /'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
20 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
21 |
return; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
22 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
23 |
$tried = false; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
24 |
$success = false; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
25 |
if ( isset($_POST['username']) && isset($_POST['password']) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
26 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
27 |
$tried = true; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
28 |
if ( $sessionid = login($_POST['username'], $_POST['password']) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
29 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
30 |
$success = true; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
31 |
$httpd->setcookie('grey_session', $sessionid, time() + ( 86400 * 3650 )); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
32 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
33 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
34 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
35 |
global $theme; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
36 |
$iphone = ( ( strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone') || |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
37 |
strpos($_SERVER['HTTP_USER_AGENT'], 'iPod') || |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
38 |
strpos($_SERVER['HTTP_USER_AGENT'], 'BlackBerry') || |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
39 |
isset($_GET['m']) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
40 |
&& !isset($_GET['f']) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
41 |
); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
42 |
$theme_id = ( $iphone ) ? 'iphone' : $theme; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
43 |
$smarty = load_theme($theme_id); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
44 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
45 |
$smarty->assign('theme', $theme_id); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
46 |
$smarty->assign('greyhound_version', GREY_VERSION); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
47 |
$smarty->assign('tried', $tried); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
48 |
$smarty->assign('success', $success); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
49 |
$smarty->display('login.tpl'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
50 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
51 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
52 |
function greyhound_logout($httpd, $socket) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
53 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
54 |
// destroy the session |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
55 |
if ( isset($_COOKIE['grey_session']) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
56 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
57 |
load_session_data(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
58 |
global $session_data; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
59 |
unset($session_data[$_COOKIE['grey_session']]); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
60 |
session_commit_db(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
61 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
62 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
63 |
$httpd->setcookie('grey_session', '', time() - 864000); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
64 |
$httpd->header('HTTP/1.1 307 Temporary Redirect'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
65 |
$httpd->header('Location: /'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
66 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
67 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
68 |
/** |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
69 |
* Check to see if we're logged in |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
70 |
*/ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
71 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
72 |
function session_check() |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
73 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
74 |
global $use_auth, $auth_data; |
74
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
75 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
76 |
if ( !$use_auth ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
77 |
return true; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
78 |
|
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
79 |
if ( isset($_COOKIE['grey_session']) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
80 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
81 |
load_session_data(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
82 |
global $session_data; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
83 |
if ( isset($session_data[$_COOKIE['grey_session']]) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
84 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
85 |
// has a cookie with a valid session ID, check credentials |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
86 |
$session =& $session_data[$_COOKIE['grey_session']]; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
87 |
if ( isset($auth_data[$session['user']]) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
88 |
{ |
74
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
89 |
$password =& $auth_data[$session['user']]; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
90 |
if ( $session['hash'] === hmac_md5($password, $session['salt']) ) |
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
91 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
92 |
// session is valid, logged in |
74
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
93 |
return $session['user']; |
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
94 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
95 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
96 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
97 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
98 |
return ( $use_auth ) ? false : true; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
99 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
100 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
101 |
function login($username, $password) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
102 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
103 |
global $use_auth, $auth_data; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
104 |
if ( !$use_auth ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
105 |
return false; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
106 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
107 |
if ( isset($auth_data[$username]) ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
108 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
109 |
if ( $auth_data[$username] === $password ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
110 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
111 |
return create_session($username, $password); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
112 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
113 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
114 |
return false; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
115 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
116 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
117 |
function create_session($username, $password) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
118 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
119 |
load_session_data(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
120 |
global $session_data; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
121 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
122 |
$sessid = md5(sha1(microtime() . mt_rand())); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
123 |
$salt = md5(sha1(md5(mt_rand() . microtime() . microtime() . mt_rand()))); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
124 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
125 |
$session_data[$sessid] = array( |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
126 |
'user' => $username, |
74
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
127 |
'hash' => hmac_md5($password, $salt), |
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
128 |
'salt' => $salt |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
129 |
); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
130 |
session_commit_db(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
131 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
132 |
return $sessid; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
133 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
134 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
135 |
function var_export_string($arr) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
136 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
137 |
ob_start(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
138 |
var_export($arr); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
139 |
$r = ob_get_contents(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
140 |
ob_end_clean(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
141 |
return $r; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
142 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
143 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
144 |
function session_commit_db() |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
145 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
146 |
global $session_data; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
147 |
$d = var_export_string($session_data); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
148 |
$fp = @fopen('./session_db.php', 'w'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
149 |
if ( !$fp ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
150 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
151 |
warning('Could not open the session database for writing. Logins may not work.'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
152 |
return false; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
153 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
154 |
$d = <<<EOF |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
155 |
<?php |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
156 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
157 |
// Automatically generated session database for Greyhound. Do not edit this file! |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
158 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
159 |
\$GLOBALS['session_data'] = $d; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
160 |
EOF; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
161 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
162 |
fwrite($fp, $d); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
163 |
fclose($fp); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
164 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
165 |
return true; |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
166 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
167 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
168 |
function load_session_data() |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
169 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
170 |
if ( file_exists('./session_db.php') ) |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
171 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
172 |
require('./session_db.php'); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
173 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
174 |
else |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
175 |
{ |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
176 |
$GLOBALS['session_data'] = array(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
177 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
178 |
} |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
179 |
|
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
180 |
$session_data = array(); |
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
181 |
|
74
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
182 |
/* |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
183 |
* All this HMAC stuff is ported (ok, copied and pasted) from Enano. |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
184 |
* Hey, I own the copyright on it. |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
185 |
*/ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
186 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
187 |
function hmac_core($message, $key, $hashfunc) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
188 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
189 |
if ( strlen($key) % 2 == 1 ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
190 |
$key .= '0'; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
191 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
192 |
if ( strlen($key) > 128 ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
193 |
$key = $hashfunc($key); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
194 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
195 |
while ( strlen($key) < 128 ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
196 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
197 |
$key .= '00'; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
198 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
199 |
$opad = hmac_hexbytearray($key); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
200 |
$ipad = $opad; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
201 |
for ( $i = 0; $i < count($ipad); $i++ ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
202 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
203 |
$opad[$i] = $opad[$i] ^ 0x5c; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
204 |
$ipad[$i] = $ipad[$i] ^ 0x36; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
205 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
206 |
$opad = hmac_bytearraytostring($opad); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
207 |
$ipad = hmac_bytearraytostring($ipad); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
208 |
return $hashfunc($opad . hexdecode($hashfunc($ipad . $message))); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
209 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
210 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
211 |
function hmac_hexbytearray($val) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
212 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
213 |
$val = hexdecode($val); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
214 |
return hmac_bytearray($val); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
215 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
216 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
217 |
function hmac_bytearray($val) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
218 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
219 |
$val = str_split($val, 1); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
220 |
foreach ( $val as &$char ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
221 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
222 |
$char = ord($char); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
223 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
224 |
return $val; |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
225 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
226 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
227 |
function hmac_bytearraytostring($val) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
228 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
229 |
foreach ( $val as &$char ) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
230 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
231 |
$char = chr($char); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
232 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
233 |
return implode('', $val); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
234 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
235 |
|
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
236 |
function hmac_md5($message, $key) |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
237 |
{ |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
238 |
return hmac_core($message, $key, 'md5'); |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
239 |
} |
7719085707d8
Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents:
44
diff
changeset
|
240 |
|
44
92dd253f501c
First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff
changeset
|
241 |
?> |