// TODO: Part of ping/pong requirement.
// Run a function to clear all authkeys older than 5 minutes.
- // expire_authkeys();
+ expire_authkeys();
if ( array_key_exists('session', $_GET )
&& array_key_exists('auth_key', $_GET ) )
return false;
}
+function expire_authkeys()
+{
+ global $config;
+
+ // Force deletion of sessions that have expired keys.
+ $query = sprintf("SELECT session, sessid FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)",
+ $config['sessionkeys_table'],
+ $config['sessionkey_lifetime']);
+ $result = sql_dbquery( $config['provision_db'], $query );
+ while ( $row = @mysql_fetch_row( $result ) )
+ {
+ remove_session( $row[0], $row[1] );
+ }
+
+ $query = sprintf("DELETE FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)",
+ $config['sessionkeys_table'],
+ $config['sessionkey_lifetime']);
+
+ sql_dbexec( $config['provision_db'], $query );
+}
+
function update_authkey ( $session, $authid )
{
+ global $config;
+
$key = substr(new_key(), 0, 8);
+
+ expire_authkeys();
+
+ // TODO: Refresh cookie
+
+ $remote = $_SERVER['REMOTE_ADDR'];
+ $query = sprintf("INSERT INTO %s ( `sessid`, `session`, `authid`, `client`, `key`, `last` )
+ VALUES ( '%s', '%s', '%s', '%s', '%s', NOW() )
+ ON DUPLICATE KEY UPDATE `key` = '%s', `last` = NOW()",
+ $config['sessionkeys_table'],
+ session_id(),
+ session_name(),
+ sql_clean($authid),
+ sql_clean($remote),
+ sql_clean($key),
+ sql_clean($key));
+ if ( ! sql_dbexec( $config['provision_db'], $query ) )
+ {
+ mysql_error();
+ }
+ $_SESSION['kkey'] = $key;
+ $_SESSION['when'] = time();
return $key;
}
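Review bot: In update_authkey the INSERT interpolates `session_id()` and `session_name()` straight into the quoted SQL while every other value goes through `sql_clean()`. The session id normally originates from the client's cookie, so it should be treated as untrusted too: `sql_clean(session_id()),` and `sql_clean(session_name()),`. On failure the code calls `mysql_error();` and discards the result, so a failed insert is silent and `$_SESSION['kkey']` is still set to a key the database never stored; at minimum log it with `error_log(mysql_error());`. In expire_authkeys the SELECT and the DELETE each evaluate `NOW()` separately, so a row that expires between the two statements loses its key without `remove_session()` being called for it.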
return clear_credentials($name);
}
- // TODO: Database checks?
-
- // TODO: Refresh cookie
-
// If we got this far, things are looking good.
return true;
}
$client_key = md5( $name . $authid );
setcookie('client_key', $client_key, time()+180*60, get_cookie_path() );
- // TODO: Stuff data to database for further checks?
- // TODO: Do magic with the KEY
-
return $name;
}
function clear_credentials($name)
{
+ global $config;
+
setcookie('client_key', '', 0, get_cookie_path() );
- setcookie($name, '', 0, "/");
+ remove_session($name);
$_SESSION = array();
- session_destroy();
+
+ $query = sprintf("DELETE FROM %s WHERE `session` = '%s'",
+ $config['sessionkeys_table'],
+ sql_clean($name));
+ sql_dbexec( $config['provision_db'], $query );
+
return false;
}
+
+function remove_session ($name, $id = null )
+{
+ if ( $id == null )
+ {
+ session_destroy();
+ setcookie($name, '', 0, "/");
+ return;
+ }
+ $current_session = session_name( );
+ $current_sessid = session_id( );
+ session_commit();
+
+ session_id( $id );
+ session_start();
+ setcookie( $name, '', 0, "/");
+ $_SESSION=array();
+ session_destroy();
+
+ if ( $current_session != $name )
+ {
+ session_id($current_sessid);
+ session_start();
+ }
+}
+
function get_authorization()
{
return 1;
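Review bot: remove_session decides whether to restore the caller's session with `if ( $current_session != $name )`, which compares session names rather than ids. If clients share one session name (not visible here), expiring someone else's row via expire_authkeys leaves the requesting user with no session; comparing ids, `if ( $current_sessid !== $id )`, restores the caller unless its own session was the one destroyed. The `setcookie( $name, '', 0, "/")` in the foreign-session branch is sent to whoever made the current request, not to the owner of the expired session, and the `session_start()` after `session_id( $id )` may emit a Set-Cookie carrying that other id, so that branch should delete the stored data without touching response cookies. `$id == null` also treats `''`, `0` and `false` as missing and destroys the current session, so `$id === null` is safer.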