/**
 * Generate a random, date-prefixed security token, record it in the user's
 * session under the given form name, and return it for use as the value of
 * that form's security field.
 *
 * Nothing is issued or stored when running from the CLI or when form
 * security validation is switched off globally; an empty string is
 * returned instead.
 *
 * @param string $p_form_name Form name the token is bound to.
 * @return string Security token string, or '' when validation is disabled.
 */
function form_security_token( $p_form_name ) {
	# Tokens only make sense for a web request with validation enabled
	if( php_mode() == PHP_CLI || config_get_global( 'form_security_validation' ) == OFF ) {
		return '';
	}

	$t_tokens = session_get( 'form_security_tokens', array() );

	# Session layout is tokens[form][date][token] => true; start a fresh
	# per-form map if the entry is missing or not an array.
	$t_form_tokens = array();
	if( isset( $t_tokens[$p_form_name] ) && is_array( $t_tokens[$p_form_name] ) ) {
		$t_form_tokens = $t_tokens[$p_form_name];
	}

	# The date prefix groups tokens by the day they were issued; 32 URI-safe
	# base64 characters carry 192 bits of randomness.
	$t_today = date( 'Ymd' );
	$t_token = $t_today . crypto_generate_uri_safe_nonce( 32 );

	if( !isset( $t_form_tokens[$t_today] ) ) {
		$t_form_tokens[$t_today] = array();
	}
	$t_form_tokens[$t_today][$t_token] = true;

	# Persist the updated map back into the session
	$t_tokens[$p_form_name] = $t_form_tokens;
	session_set( 'form_security_tokens', $t_tokens );

	return $t_token;
}
/**
 * Create an API token for a user.
 *
 * The supplied name is validated (non-blank, within the database field size,
 * unique for the user), a random URI-safe token is generated, and only its
 * hash is written to the database. The plain token is returned to the caller
 * once and is not persisted.
 *
 * @param string  $p_token_name The name (description) identifying what the token is going to be used for.
 * @param integer $p_user_id    The user id.
 * @return string The plain token.
 * @access public
 */
function api_token_create($p_token_name, $p_user_id) {
    if (is_blank($p_token_name)) {
        error_parameters(lang_get('api_token_name'));
        trigger_error(ERROR_EMPTY_FIELD, ERROR);
    }

    $t_name = trim($p_token_name);

    # utf8_strlen (presumably a character rather than byte count) is compared
    # against the size of the name column
    if (utf8_strlen($t_name) > DB_FIELD_SIZE_API_TOKEN_NAME) {
        error_parameters(lang_get('api_token_name'), DB_FIELD_SIZE_API_TOKEN_NAME);
        trigger_error(ERROR_FIELD_TOO_LONG, ERROR);
    }

    api_token_name_ensure_unique($t_name, $p_user_id);

    # Only the hash of the token reaches the database
    $t_plain_token = crypto_generate_uri_safe_nonce(API_TOKEN_LENGTH);

    $t_query = sprintf(
        'INSERT INTO {api_token} ( user_id, name, hash, date_created ) VALUES ( %s, %s, %s, %s )',
        db_param(),
        db_param(),
        db_param(),
        db_param()
    );
    db_query($t_query, array(
        $p_user_id,
        (string) $t_name,
        api_token_hash($t_plain_token),
        db_now(),
    ));

    return $t_plain_token;
}
# APIs used by the signup page (form security field, HTML page chrome,
# language strings, redirects)
require_api('form_api.php');
require_api('helper_api.php');
require_api('html_api.php');
require_api('lang_api.php');
require_api('print_api.php');
require_api('utility_api.php');

require_css('login.css');

# Check for invalid access to signup page: self-signup must be enabled and
# the login method must not be LDAP
if (OFF == config_get_global('allow_signup') || LDAP == config_get_global('login_method')) {
    print_header_redirect('login_page.php');
}

# signup page shouldn't be indexed by search engines
html_robots_noindex();

html_page_top1();
html_page_top2a();

# 64-character URI-safe nonce (384 bits); how the form uses it is not visible
# in this excerpt — presumably a one-time key tied to the signup request
$t_public_key = crypto_generate_uri_safe_nonce(64);
?>
<div id="signup-div" class="form-container">
<form id="signup-form" method="post" action="signup.php">
<fieldset>
<legend><span><?php echo lang_get('signup_title'); ?> </span></legend>
<?php echo form_security_field('signup'); ?>
<ul id="login-links">
<li><a href="login_page.php"><?php echo lang_get('login_link');
/**
 * Generate a random and unique string to use as the identifier for the login
 * cookie.
 *
 * Draws 64-character URI-safe base64 nonces (384 bits each) until
 * auth_is_cookie_string_unique() accepts one, then returns it.
 *
 * @return string Random and unique 384bit cookie string, base64 encoded with the URI safe alphabet described in RFC4648
 * @access public
 */
function auth_generate_unique_cookie_string() {
	while( true ) {
		$t_candidate = crypto_generate_uri_safe_nonce( 64 );
		# Retry on the (unlikely) event of a collision with an existing cookie
		if( auth_is_cookie_string_unique( $t_candidate ) ) {
			return $t_candidate;
		}
	}
}