Extended session-authentication, added keying of sessions, added session houskeeping...

[hermes] / api / lib / auth_base.php

diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php
index dfecae7995e3626e33fcdb4249bfc887136c437a..5f517714062682c59282baba9df03edc41d8b1cc 100644 (file)
--- a/api/lib/auth_base.php
+++ b/api/lib/auth_base.php
@@ -54,7 +54,7 @@ function token_auth( )
 
        // TODO: Part of ping/pong requirement.
        // Run a function to clear all authkeys older than 5 minutes.
-       // expire_authkeys();
+       expire_authkeys();
 
        if ( array_key_exists('session', $_GET ) 
             && array_key_exists('auth_key', $_GET ) )
@@ -81,9 +81,54 @@ function check_authkey ( $key )
        return false;
 }
 
+function expire_authkeys()
+{
+       global $config;
+
+       // Force deletion of sessions that have expired keys.
+       $query = sprintf("SELECT session, sessid FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)",
+               $config['sessionkeys_table'],
+               $config['sessionkey_lifetime']);
+       $result = sql_dbquery( $config['provision_db'], $query );
+       while ( $row = @mysql_fetch_row( $result ) )
+       {
+               remove_session( $row[0], $row[1] );
+       }
+
+       $query = sprintf("DELETE FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)",
+               $config['sessionkeys_table'],
+               $config['sessionkey_lifetime']);
+
+       sql_dbexec( $config['provision_db'], $query );
+}
+
 function update_authkey ( $session, $authid )
 {
+       global $config;
+
        $key = substr(new_key(), 0, 8);
+
+       expire_authkeys();
+
+       // TODO: Refresh cookie
+
+       $remote = $_SERVER['REMOTE_ADDR'];
+       $query = sprintf("INSERT INTO %s ( `sessid`, `session`, `authid`, `client`, `key`, `last` )
+                               VALUES ( '%s', '%s', '%s', '%s', '%s', NOW() )
+                               ON DUPLICATE KEY UPDATE `key` = '%s', `last` = NOW()",
+               $config['sessionkeys_table'],
+               session_id(),
+               session_name(),
+               sql_clean($authid),
+               sql_clean($remote),
+               sql_clean($key),
+               sql_clean($key));
+       if ( ! sql_dbexec( $config['provision_db'], $query ) )
+       {
+               mysql_error();
+       }
+       $_SESSION['kkey'] = $key;
+       $_SESSION['when'] = time();
        return $key;
 }
 
@@ -116,10 +161,6 @@ function check_session ( $name )
                return clear_credentials($name);
        }
 
-       // TODO: Database checks?
-
-       // TODO: Refresh cookie
-
        // If we got this far, things are looking good.
        return true;
 }
@@ -135,21 +176,51 @@ function set_credentials( $authid, $type )
        $client_key  = md5( $name . $authid );
        setcookie('client_key', $client_key, time()+180*60, get_cookie_path() );
 
-       // TODO: Stuff data to database for further checks?
-       // TODO: Do magic with the KEY
-
        return $name;
 }
 
 function clear_credentials($name)
 {
+       global $config;
+
        setcookie('client_key', '', 0, get_cookie_path() );
-       setcookie($name, '', 0, "/");
 
+       remove_session($name);
        $_SESSION = array();
-       session_destroy();
+
+       $query = sprintf("DELETE FROM %s WHERE `session` = '%s'",
+               $config['sessionkeys_table'],
+               sql_clean($name));
+       sql_dbexec( $config['provision_db'], $query );
+
        return false;
 }
+
+function remove_session ($name, $id = null )
+{
+       if ( $id == null )
+       {
+               session_destroy();
+               setcookie($name, '', 0, "/");
+               return;
+       }
+       $current_session = session_name( );
+       $current_sessid = session_id( );
+       session_commit();
+
+       session_id( $id );
+       session_start();
+       setcookie( $name, '', 0, "/");
+       $_SESSION=array();
+       session_destroy();
+
+       if ( $current_session != $name )
+       {
+               session_id($current_sessid);
+               session_start();
+       }
+}
+
 function get_authorization()
 {
        return 1;