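/**
 * Confirm an authorisation key is valid.
 *
 * The key is the md5 of a per-session random value concatenated with the
 * lower-cased module name (see the description of xarSecGenAuthKey). Every
 * candidate stored under the session variable 'rand' (entries of the form
 * "timestamp-random") is checked. A matching entry is consumed so the key is
 * single-use, and entries older than the session inactivity timeout are
 * dropped. The pruned list is always written back to the session.
 *
 * @access public
 * @param string|null $modName        module the key was generated for; defaults
 *                                    to the current controller's module
 * @param string      $authIdVarName  name of the request variable holding the key
 * @return bool true if a matching, unexpired key was found
 * @throws Exception if the key is missing, malformed or does not match
 *                   (the message is user-facing)
 * @todo bring back possibility of time authorized keys
 */
function confirmAuthKey($modName = null, $authIdVarName = 'authid')
{
    // User-facing failure text (Indonesian): the operation is not allowed in
    // this state, probably Back/Reload on a non-repeatable action or cookies off.
    $forbidden = "<p>Operasi yang anda coba lakukan tidak diperkenankan dalam kondisi ini.</p>Anda mungkin telah menekan tombol Back atau Reload pada browser dan mencoba kembali operasi yang tidak boleh diulang, atau cookie tidak diaktifkan pada browser anda";

    if (!isset($modName)) {
        list($modName) = wbRequest::getController();
    }

    $authid = wbRequest::getVar($authIdVarName);
    // Only a non-empty string can be a key. Rejecting other shapes up front
    // also keeps arrays/null away from the constant-time comparison below.
    if (!is_string($authid) || $authid === '') {
        throw new Exception($forbidden);
    }

    // NOTE: this function only consumes random values, it never generates
    // them, so the PRNG is deliberately not reseeded here; reseeding from
    // microtime() made rand() output predictable for later callers.
    $rands = wbSession::getVar('rand');
    if (!is_array($rands)) {
        $rands = array();
    }

    $now = time();
    // Values older than the session inactivity timeout are no longer valid.
    $age = (int) wbConfig::get('Session.InactivityTimeout') * 60; // minutes -> seconds
    $modPart = strtolower((string) $modName);

    $matched = false;
    foreach ($rands as $r => $rnd) {
        $parts = explode('-', (string) $rnd, 2);
        if (count($parts) !== 2) {
            // Malformed entry: discard instead of letting list() warn on it.
            unset($rands[$r]);
            continue;
        }
        list($timestamp, $rndval) = $parts;

        if ($now - $age > (int) $timestamp) {
            unset($rands[$r]);
            continue;
        }

        // Regenerate the static part of the key. hash_equals() gives a strict,
        // constant-time comparison; the old loose == let "0e..." digests compare
        // equal to any other numeric-looking string.
        if (hash_equals(md5($rndval . $modPart), $authid)) {
            // Match: consume the value so the key cannot be replayed.
            unset($rands[$r]);
            $matched = true;
            break;
        }
    }

    // session integrity: only keep the most recent 64 values
    $rands = array_slice($rands, -64);
    wbSession::setVar('rand', $rands);

    if ($matched) {
        return true;
    }
    throw new Exception($forbidden);
}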