From: Jon Langseth Date: Thu, 19 Jan 2012 20:12:40 +0000 (+0100) Subject: Extended session-authentication, added keying of sessions, added session houskeeping... X-Git-Url: https://git.defcon.no/?a=commitdiff_plain;h=f3015bf71883bd725cda73203e04367789d917d2;p=hermes Extended session-authentication, added keying of sessions, added session houskeeping. Hopefully the housekeeping functions are not too strict ;) --- diff --git a/api/auth.php b/api/auth.php index 1cad402..6a8188e 100644 --- a/api/auth.php +++ b/api/auth.php @@ -69,8 +69,8 @@ if ( !$config['sql_link'] ) case "/ping": // API clients are required to periodically ping the server // The time between pings (interval) is 5 minutes? - // A ping call should refresh cookie lifetimes and - // generate and store a new auth_key + // A ping call refreshes cookie lifetimes, then + // generates and stores a new auth_key // The ping required a valid session... // A successful ping returns a 'response' => 'pong' // along with the new auth_key. diff --git a/api/config.php.sample b/api/config.php.sample index f123978..477f4fd 100644 --- a/api/config.php.sample +++ b/api/config.php.sample @@ -15,6 +15,8 @@ function get_config() 'provision_users_table' => 'users', 'provision_phones_table' => 'phones', 'provision_servers_table' => 'servers', + 'sessionkeys_table' => 'sessionkeys', + 'sessionkey_lifetime' => 5, // Minutes 'numbers_table' => 'number_pool', 'standard_dialplan' => '(*xx*.|xxx.)', 'default_domain' => 'hig.no', diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php index dfecae7..5f51771 100644 --- a/api/lib/auth_base.php +++ b/api/lib/auth_base.php @@ -54,7 +54,7 @@ function token_auth( ) // TODO: Part of ping/pong requirement. // Run a function to clear all authkeys older than 5 minutes. - // expire_authkeys(); + expire_authkeys(); if ( array_key_exists('session', $_GET ) && array_key_exists('auth_key', $_GET ) ) @@ -81,9 +81,54 @@ function check_authkey ( $key ) return false; } +function expire_authkeys() +{ + global $config; + + // Force deletion of sessions that have expired keys. + $query = sprintf("SELECT session, sessid FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)", + $config['sessionkeys_table'], + $config['sessionkey_lifetime']); + $result = sql_dbquery( $config['provision_db'], $query ); + while ( $row = @mysql_fetch_row( $result ) ) + { + remove_session( $row[0], $row[1] ); + } + + $query = sprintf("DELETE FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)", + $config['sessionkeys_table'], + $config['sessionkey_lifetime']); + + sql_dbexec( $config['provision_db'], $query ); +} + function update_authkey ( $session, $authid ) { + global $config; + $key = substr(new_key(), 0, 8); + + expire_authkeys(); + + // TODO: Refresh cookie + + $remote = $_SERVER['REMOTE_ADDR']; + $query = sprintf("INSERT INTO %s ( `sessid`, `session`, `authid`, `client`, `key`, `last` ) + VALUES ( '%s', '%s', '%s', '%s', '%s', NOW() ) + ON DUPLICATE KEY UPDATE `key` = '%s', `last` = NOW()", + $config['sessionkeys_table'], + session_id(), + session_name(), + sql_clean($authid), + sql_clean($remote), + sql_clean($key), + sql_clean($key)); + if ( ! sql_dbexec( $config['provision_db'], $query ) ) + { + mysql_error(); + } + $_SESSION['kkey'] = $key; + $_SESSION['when'] = time(); return $key; } @@ -116,10 +161,6 @@ function check_session ( $name ) return clear_credentials($name); } - // TODO: Database checks? - - // TODO: Refresh cookie - // If we got this far, things are looking good. return true; } @@ -135,21 +176,51 @@ function set_credentials( $authid, $type ) $client_key = md5( $name . $authid ); setcookie('client_key', $client_key, time()+180*60, get_cookie_path() ); - // TODO: Stuff data to database for further checks? - // TODO: Do magic with the KEY - return $name; } function clear_credentials($name) { + global $config; + setcookie('client_key', '', 0, get_cookie_path() ); - setcookie($name, '', 0, "/"); + remove_session($name); $_SESSION = array(); - session_destroy(); + + $query = sprintf("DELETE FROM %s WHERE `session` = '%s'", + $config['sessionkeys_table'], + sql_clean($name)); + sql_dbexec( $config['provision_db'], $query ); + return false; } + +function remove_session ($name, $id = null ) +{ + if ( $id == null ) + { + session_destroy(); + setcookie($name, '', 0, "/"); + return; + } + $current_session = session_name( ); + $current_sessid = session_id( ); + session_commit(); + + session_id( $id ); + session_start(); + setcookie( $name, '', 0, "/"); + $_SESSION=array(); + session_destroy(); + + if ( $current_session != $name ) + { + session_id($current_sessid); + session_start(); + } +} + function get_authorization() { return 1;