author | Andrew Dolgov <[email protected]> | 2011-03-28 08:30:00 +0400 |
committer | Andrew Dolgov <[email protected]> | 2011-03-28 08:30:15 +0400 |
commit | 3d72afa19a7e8e7f7691086dedba7c5f9631f42f (patch) | |
tree | 397f1e5936935122f0f023819fef26fbf1613cb4 /functions.php | |
parent | f98252f27cb979f5285b65908b1b24a913b1af81 (diff) |
use SSL serial to bind certificate to user; implement autologin using SSL certificate; set a separate session cookie for SSL connections (refs #324)
Diffstat (limited to 'functions.php')
-rw-r--r-- | functions.php | 42 |
1 files changed, 34 insertions, 8 deletions
diff --git a/functions.php b/functions.php
index ed4438367..51731fa6e 100644
--- a/functions.php
+++ b/functions.php
@@ -1757,11 +1757,29 @@
 return true;
 }
+ function get_login_by_ssl_certificate($link) {
+
+ $cert_serial = db_escape_string($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]);
+
+ if ($cert_serial) {
+ $result = db_query($link, "SELECT login FROM ttrss_user_prefs, ttrss_users
+ WHERE pref_name = 'SSL_CERT_SERIAL' AND value = '$cert_serial' AND
+ owner_uid = ttrss_users.id");
+
+ if (db_num_rows($result) != 0) {
+ return db_escape_string(db_fetch_result($result, 0, "login"));
+ }
+ }
+
+ return "";
+ }
+
 function get_remote_user() {
- $remote_user = $_SERVER["REMOTE_USER"];
+ $remote_user = "";
- if (!$remote_user)
- $remote_user = $_SERVER["REDIRECT_SSL_CLIENT_S_DN_CN"];
+ if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH) {
+ $remote_user = $_SERVER["REMOTE_USER"];
+ }
 return db_escape_string($remote_user);
 }
@@ -1781,10 +1799,14 @@
 $pwd_hash2 = encrypt_password($password, $login);
 $login = db_escape_string($login);
- if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
- && get_remote_user() && $login != "admin") {
+ $remote_user = get_remote_user();
+
+ if (!$remote_user)
+ $remote_user = get_login_by_ssl_certificate($link);
- $login = db_escape_string(get_remote_user());
+ if ($remote_user && $login != "admin") {
+
+ $login = $remote_user;
 $query = "SELECT id,login,access_level,pwd_hash FROM ttrss_users WHERE 
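Review bot: get_login_by_ssl_certificate matches on `REDIRECT_SSL_CLIENT_M_SERIAL` alone, without checking that mod_ssl actually verified the presented certificate, and a serial number is only unique within one issuing CA; with a permissive `SSLVerifyClient` setting the serial variable is populated for unverified or foreign-CA certificates too, so a stored SSL_CERT_SERIAL value could be matched by a certificate the server never validated, and the match then grants a login with no password. Gate the lookup on the verification status (mod_ssl exposes it as `SSL_CLIENT_VERIFY`, here presumably with the same `REDIRECT_` prefix as the serial) and consider binding the pref to issuer DN plus serial rather than serial alone. Separately, both `$_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]` here and `$_SERVER["REMOTE_USER"]` in get_remote_user are read without `isset`, which raises an undefined-index notice on every request lacking them; `$cert_serial = db_escape_string(isset($_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"]) ? $_SERVER["REDIRECT_SSL_CLIENT_M_SERIAL"] : "");` avoids that. A short header comment on the new function stating which CA trust and verification configuration it assumes, and that a matching serial bypasses password authentication, would make the trust boundary explicit for the next maintainer. The second hunk's enclosing function runs past the end of the visible text.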
@@ -1974,8 +1996,12 @@
 }
 if (!$_SESSION["uid"] || !validate_session($link)) {
- if (defined('ALLOW_REMOTE_USER_AUTH') && ALLOW_REMOTE_USER_AUTH
- && get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) {
+ $cert_login = get_login_by_ssl_certificate($link);
+
+ if ($cert_login) {
+ authenticate_user($link, $cert_login, null);
+ $_SESSION["ref_schema_version"] = get_schema_version($link, true);
+ } else if (get_remote_user() && AUTO_LOGIN) {
 authenticate_user($link, get_remote_user(), null);
 $_SESSION["ref_schema_version"] = get_schema_version($link, true);
 } else {
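Review bot: The remote-user branch now references `AUTO_LOGIN` without the `defined('AUTO_LOGIN')` guard the removed lines carried; on PHP of this era an undefined constant evaluates to the truthy string 'AUTO_LOGIN' (with only a notice), so an installation whose config omits the constant would silently start auto-logging in any request that carries REMOTE_USER. Restore the guard: `} else if (get_remote_user() && defined('AUTO_LOGIN') && AUTO_LOGIN) {`. The certificate branch, by contrast, is not gated by any configuration constant, so certificate auto-login is active as soon as a serial matches; if that is intended, a one-line comment above `$cert_login = get_login_by_ssl_certificate($link);` saying so would stop the next reader from assuming the omission is accidental. In both branches the return value of authenticate_user is ignored, as it was before this change, and the enclosing function starts and ends outside the hunk.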