/**
* Generate a random security token, prefixed by date, store it in the
* user's session, and then return the string to be used as a form element
* element with the security token as the value.
* @param string Form name
* @return string Security token string
*/
function form_security_token( $p_form_name ) {
if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
return '';
}
$t_tokens = session_get( 'form_security_tokens', array() );
# Create a new array for the form name if necessary
if( !isset( $t_tokens[$p_form_name] ) || !is_array( $t_tokens[$p_form_name] ) ) {
$t_tokens[$p_form_name] = array();
}
# Generate a nonce prefixed by date.
# With a base64 output encoded nonce length of 32 characters, we are
# generating a 192bit nonce.
$t_date = date( 'Ymd' );
$t_string = $t_date . crypto_generate_uri_safe_nonce( 32 );
# Add the token to the user's session
if ( !isset( $t_tokens[$p_form_name][$t_date] ) ) {
$t_tokens[$p_form_name][$t_date] = array();
}
$t_tokens[$p_form_name][$t_date][$t_string] = true;
session_set( 'form_security_tokens', $t_tokens );
# The token string
return $t_string;
}
/**
* Create an API token
*
* @param string $p_token_name The name (description) identifying what the token is going to be used for.
* @param integer $p_user_id The user id.
* @return string The plain token.
* @access public
*/
function api_token_create($p_token_name, $p_user_id)
{
if (is_blank($p_token_name)) {
error_parameters(lang_get('api_token_name'));
trigger_error(ERROR_EMPTY_FIELD, ERROR);
}
$t_token_name = trim($p_token_name);
if (utf8_strlen($t_token_name) > DB_FIELD_SIZE_API_TOKEN_NAME) {
error_parameters(lang_get('api_token_name'), DB_FIELD_SIZE_API_TOKEN_NAME);
trigger_error(ERROR_FIELD_TOO_LONG, ERROR);
}
api_token_name_ensure_unique($t_token_name, $p_user_id);
$t_plain_token = crypto_generate_uri_safe_nonce(API_TOKEN_LENGTH);
$t_hash = api_token_hash($t_plain_token);
$t_date_created = db_now();
$t_query = 'INSERT INTO {api_token}
( user_id, name, hash, date_created )
VALUES ( ' . db_param() . ', ' . db_param() . ', ' . db_param() . ', ' . db_param() . ' )';
db_query($t_query, array($p_user_id, (string) $t_token_name, $t_hash, $t_date_created));
return $t_plain_token;
}
require_api('form_api.php');
require_api('helper_api.php');
require_api('html_api.php');
require_api('lang_api.php');
require_api('print_api.php');
require_api('utility_api.php');
require_css('login.css');
# Check for invalid access to signup page
if (OFF == config_get_global('allow_signup') || LDAP == config_get_global('login_method')) {
print_header_redirect('login_page.php');
}
# signup page shouldn't be indexed by search engines
html_robots_noindex();
html_page_top1();
html_page_top2a();
$t_public_key = crypto_generate_uri_safe_nonce(64);
?>
<div id="signup-div" class="form-container">
<form id="signup-form" method="post" action="signup.php">
<fieldset>
<legend><span><?php
echo lang_get('signup_title');
?>
</span></legend>
<?php
echo form_security_field('signup');
?>
<ul id="login-links">
<li><a href="login_page.php"><?php
echo lang_get('login_link');
/**
* Generate a random and unique string to use as the identifier for the login
* cookie.
* @return string Random and unique 384bit cookie string of encoded according to the base64 with URI safe alphabet approach described in RFC4648
* @access public
*/
function auth_generate_unique_cookie_string()
{
do {
$t_cookie_string = crypto_generate_uri_safe_nonce(64);
} while (!auth_is_cookie_string_unique($t_cookie_string));
return $t_cookie_string;
}
