sessions.php
author Dan
Fri, 12 Jun 2009 13:50:13 -0400 (2009-06-12)
changeset 78 08f8a72b1f7b
parent 74 7719085707d8
permissions -rw-r--r--
Added Offline Mode - automatically turned on and off based on connectivity to server. Version bumped to 0.1a5.
Revisions annotated in this view:
44 92dd253f501c  Dan  First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
74 7719085707d8  Dan  (parents: 44)  Security: Sessions are now based on HMAC-MD5 salts instead of concatenation

<?php

/**
 * Greyhound - real web management for Amarok
 * Copyright (C) 2008 Dan Fuhry
 *
 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
 */

function greyhound_login_page($httpd, $socket)
{
  // already logged in: send the client back to the front page
  if ( session_check() )
  {
    $httpd->header('HTTP/1.1 307 Temporary Redirect');
    $httpd->header('Location: /');
    
    return;
  }
  $tried = false;
  $success = false;
  if ( isset($_POST['username']) && isset($_POST['password']) )
  {
    $tried = true;
    if ( $sessionid = login($_POST['username'], $_POST['password']) )
    {
      $success = true;
      // cookie lifetime is ten years; sessions are only ended by logout
      $httpd->setcookie('grey_session', $sessionid, time() + ( 86400 * 3650 ));
    }
  }
  
  global $theme;
  $iphone = ( ( strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone') ||
       strpos($_SERVER['HTTP_USER_AGENT'], 'iPod') ||
       strpos($_SERVER['HTTP_USER_AGENT'], 'BlackBerry') ||
       isset($_GET['m']) )
       && !isset($_GET['f'])
       );
  $theme_id = ( $iphone ) ? 'iphone' : $theme;
  $smarty = load_theme($theme_id);
  
  $smarty->assign('theme', $theme_id);
  $smarty->assign('greyhound_version', GREY_VERSION);
  $smarty->assign('tried', $tried);
  $smarty->assign('success', $success);
  $smarty->display('login.tpl');
}

function greyhound_logout($httpd, $socket)
{
  // destroy the session
  if ( isset($_COOKIE['grey_session']) )
  {
    load_session_data();
    global $session_data;
    unset($session_data[$_COOKIE['grey_session']]);
    session_commit_db();
  }
  
  // expire the cookie on the client as well
  $httpd->setcookie('grey_session', '', time() - 864000);
  $httpd->header('HTTP/1.1 307 Temporary Redirect');
  $httpd->header('Location: /');
}

/**
 * Check to see if we're logged in
 */

function session_check()
{
  global $use_auth, $auth_data;
  
  // rev 74 (7719085707d8): with authentication disabled every request counts as logged in
  if ( !$use_auth )
    return true;
  
  if ( isset($_COOKIE['grey_session']) )
  {
    load_session_data();
    global $session_data;
    if ( isset($session_data[$_COOKIE['grey_session']]) )
    {
      // has a cookie with a valid session ID, check credentials
      $session =& $session_data[$_COOKIE['grey_session']];
      if ( isset($auth_data[$session['user']]) )
      {
        // rev 74 (7719085707d8): the stored hash must match HMAC-MD5 over the user's
        // password and the per-session salt (hmac_md5() is defined elsewhere in Greyhound)
        $password =& $auth_data[$session['user']];
        if ( $session['hash'] === hmac_md5($password, $session['salt']) )
        {
          // session is valid, logged in
          return $session['user'];
        }
      }
    }
  }
  return ( $use_auth ) ? false : true;
}

function login($username, $password)
{
  global $use_auth, $auth_data;
  if ( !$use_auth )
    return false;
  
  // the submitted password is compared directly against the entry in $auth_data
  if ( isset($auth_data[$username]) )
  {
    if ( $auth_data[$username] === $password )
    {
      return create_session($username, $password);
    }
  }
  return false;
}

function create_session($username, $password)
{
  load_session_data();
  global $session_data;
  
Dan
parents:
diff changeset
   122
  $sessid = md5(sha1(microtime() . mt_rand()));
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   123
  $salt = md5(sha1(md5(mt_rand() . microtime() . microtime() . mt_rand())));
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   124
  
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   125
  $session_data[$sessid] = array(
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   126
      'user' => $username,
74
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   127
      'hash' => hmac_md5($password, $salt),
44
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   128
      'salt' => $salt
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   129
    );
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   130
  session_commit_db();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   131
  
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   132
  return $sessid;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   133
}
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   134
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   135
function var_export_string($arr)
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   136
{
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   137
  ob_start();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   138
  var_export($arr);
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   139
  $r = ob_get_contents();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   140
  ob_end_clean();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   141
  return $r;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   142
}
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   143
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   144
function session_commit_db()
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   145
{
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   146
  global $session_data;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   147
  $d = var_export_string($session_data);
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   148
  $fp = @fopen('./session_db.php', 'w');
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   149
  if ( !$fp )
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   150
  {
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   151
    warning('Could not open the session database for writing. Logins may not work.');
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   152
    return false;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   153
  }
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   154
  $d = <<<EOF
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   155
<?php
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   156
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   157
// Automatically generated session database for Greyhound. Do not edit this file!
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   158
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   159
\$GLOBALS['session_data'] = $d;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   160
EOF;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   161
  
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   162
  fwrite($fp, $d);
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   163
  fclose($fp);
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   164
  
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   165
  return true;
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   166
}
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   167
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   168
function load_session_data()
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   169
{
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   170
  if ( file_exists('./session_db.php') )
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   171
  {
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   172
    require('./session_db.php');
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   173
  }
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   174
  else
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   175
  {
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   176
    $GLOBALS['session_data'] = array();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   177
  }
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   178
}
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   179
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   180
$session_data = array();
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   181
74
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   182
/*
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   183
 * All this HMAC stuff is ported (ok, copied and pasted) from Enano.
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   184
 * Hey, I own the copyright on it.
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   185
 */
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   186
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   187
function hmac_core($message, $key, $hashfunc)
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   188
{
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   189
  if ( strlen($key) % 2 == 1 )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   190
    $key .= '0';
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   191
  
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   192
  if ( strlen($key) > 128 )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   193
    $key = $hashfunc($key);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   194
  
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   195
  while ( strlen($key) < 128 )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   196
  {
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   197
    $key .= '00';
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   198
  }
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   199
  $opad = hmac_hexbytearray($key);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   200
  $ipad = $opad;
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   201
  for ( $i = 0; $i < count($ipad); $i++ )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   202
  {
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   203
    $opad[$i] = $opad[$i] ^ 0x5c;
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   204
    $ipad[$i] = $ipad[$i] ^ 0x36;
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   205
  }
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   206
  $opad = hmac_bytearraytostring($opad);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   207
  $ipad = hmac_bytearraytostring($ipad);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   208
  return $hashfunc($opad . hexdecode($hashfunc($ipad . $message)));
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   209
}
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   210
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   211
function hmac_hexbytearray($val)
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   212
{
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   213
  $val = hexdecode($val);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   214
  return hmac_bytearray($val);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   215
}
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   216
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   217
function hmac_bytearray($val)
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   218
{
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   219
  $val = str_split($val, 1);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   220
  foreach ( $val as &$char )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   221
  {
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   222
    $char = ord($char);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   223
  }
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   224
  return $val;
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   225
}
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   226
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   227
function hmac_bytearraytostring($val)
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   228
{
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   229
  foreach ( $val as &$char )
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   230
  {
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   231
    $char = chr($char);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   232
  }
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   233
  return implode('', $val);
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   234
}
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   235
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   236
function hmac_md5($message, $key)
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   237
{
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   238
  return hmac_core($message, $key, 'md5');
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   239
}
7719085707d8 Security: Sessions are now based on HMAC-MD5 salts instead of concatenation
Dan
parents: 44
diff changeset
   240
44
92dd253f501c First shot at getting a session management system in place. Login and logout pages are there, and auth seems to be working and sufficiently secure for the moment. Sessions last indefinitely and are cookie-based.
Dan
parents:
diff changeset
   241
?>
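Added example, not part of Greyhound's sessions.php and not the project's code: it shows, with PHP's built-in hash_hmac(), the value that hmac_md5($password, $salt) above should produce for the 32-hex-char salts create_session() generates, and adds the verification step the file does not show (a constant-time comparison of a stored record against a presented password) next to a CSPRNG-based identifier in place of the microtime()/mt_rand() construction. It assumes sessions.php's hexdecode() behaves like hex2bin() and that PHP 7.0 or later is available (random_bytes(), hash_equals()). The helper names session_hash_reference(), session_id_strong(), session_salt_strong() and session_verify() are hypothetical, and the salt, password and user below are constructed sample values.

```php
<?php
// Added example: reference values and verification for the session record
// that sessions.php's create_session() stores. Not project code.

// What hmac_md5($password, $salt) in sessions.php should return for a
// 16-byte salt given as hex: a standard RFC 2104 HMAC-MD5 keyed with the raw
// salt bytes. Assumes hexdecode() in sessions.php behaves like hex2bin().
// (hmac_core() hashes keys longer than 64 bytes as hex text, so this
// equivalence holds only for short keys such as the 32-char salts it uses.)
function session_hash_reference($password, $salt_hex)
{
  return hash_hmac('md5', $password, hex2bin($salt_hex));
}

// Unpredictable session identifier: 128 bits from the OS CSPRNG instead of
// md5(sha1(microtime() . mt_rand())), whose inputs a remote party can
// narrow down from the request timestamp.
function session_id_strong()
{
  return bin2hex(random_bytes(16));
}

// Random salt in the same format create_session() uses (32 hex chars).
function session_salt_strong()
{
  return bin2hex(random_bytes(16));
}

// Check a presented password against one stored session record.
// hash_equals() compares in constant time, so a wrong guess does not reveal
// how many leading bytes of the stored hash it matched.
function session_verify(array $record, $password)
{
  if ( !isset($record['hash'], $record['salt']) )
    return false;
  $expected = session_hash_reference($password, $record['salt']);
  return hash_equals($record['hash'], $expected);
}

// Constructed sample data: a fixed salt and password keep the run repeatable.
$salt     = '00112233445566778899aabbccddeeff';
$password = 'correct horse battery staple';

// Same shape as the records create_session() writes into $session_data.
$record = array(
  'user' => 'alice',
  'hash' => session_hash_reference($password, $salt),
  'salt' => $salt,
);

var_dump(session_verify($record, $password));
var_dump(session_verify($record, 'wrong password'));
var_dump(strlen(session_id_strong()) === 32);
var_dump(strlen(session_salt_strong()) === 32);
```

When sessions.php is loaded in the same process, `hmac_md5($password, $salt) === session_hash_reference($password, $salt)` is the one-line check that the hand-rolled HMAC agrees with PHP's implementation for the salt format the file actually produces.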