[geeklog-devel] Prototype fix for expiring security tokens (was: geeklog: Experimental: Give the user an idea how long they have ...)

Dirk Haun dirk at haun-online.de
Sun Dec 20 14:16:39 EST 2009


Dirk Haun wrote:

>>and, if it expires, make them submit their password again.
>
>Yes, that's the best solution to the problem I've heard so far and
>should be the final goal. But, as I said, this message is meant as an
>intermediate step. Fixing the editors, including the password check,
>etc. is a lot of (tedious) work and I don't see it happening anytime
>soon.

Well, I think I found a nice solution to the problem of expiring
security tokens that doesn't require rewriting all the editors: Let
SEC_checkToken() do all the work.

Attached is a prototype implementation that contains 3 drop-in
replacement files for Geeklog 1.6.1 (admin/configuration.php is only
included since it didn't use SEC_checkToken() correctly).

How does it work? When SEC_checkToken() finds that the token isn't
valid, it displays a form asking the user to authenticate again. If that
is successful, the original request is recreated and sent again with a
new token.

Known limitations:
- prototype code includes hard-coded text strings
- doesn't work with OpenID (but should work with other remote auth modules)
- haven't tested with file uploads - probably loses them

To test: Copy the 3 files over their 1.6.1 equivalents. Call up any
editor (e.g. story editor), wait until token expires (or empty the
gl_tokens table), try to save. Follow the instructions and rejoice :)

Feedback welcome.

bye, Dirk


-- 
http://www.geeklog.net/
http://geeklog.info/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: prototype.tar.gz
Type: application/x-gzip
Size: 25222 bytes
Desc: not available
URL: <https://pairlist8.pair.net/pipermail/geeklog-devel/attachments/20091220/fc1900de/attachment.bin>
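The flow the message describes (SEC_checkToken() finds the token invalid, asks for the password, then re-creates the original request with a fresh token) as an added Python sketch. This is illustrative code written for this page, not Geeklog's SEC_checkToken() or the attached prototype; the token lifetime, the re-auth window, the attempt cap, the gl_tokens stand-in, the story handler, user 2 and its password are all assumptions or constructed test data. It also shows the two caveats a reviewer would raise: the parked request lives server-side under a one-shot nonce rather than being echoed back into the re-auth form, and uploaded files are dropped, which is the "probably loses them" limitation Dirk lists.

```python
# Added illustration of the "check token, ask for the password, replay" flow; not Geeklog code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field, replace

TOKEN_TTL = 20 * 60     # assumed security-token lifetime, seconds
REAUTH_TTL = 5 * 60     # assumed: how long a parked request waits for the password
MAX_ATTEMPTS = 3        # assumed: wrong passwords tolerated per parked request

@dataclass
class Request:
    uid: int
    path: str
    fields: dict
    files: dict = field(default_factory=dict)   # uploads, keyed by form field

class TokenStore:
    """Per-user tokens with an expiry; stands in for the gl_tokens table."""
    def __init__(self, now):
        self.now, self._tokens = now, {}        # token -> (uid, issued_at)

    def issue(self, uid):
        tok = secrets.token_hex(16)
        self._tokens[tok] = (uid, self.now())
        return tok

    def check(self, uid, token):
        owner, issued = self._tokens.get(token, (None, 0))
        if owner != uid or self.now() - issued > TOKEN_TTL:
            self._tokens.pop(token, None)       # unknown, expired or another user's
            return False
        return True

def make_cred(password, salt=None):
    """Salted PBKDF2 credential; low iteration count only to keep the demo fast."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def verify_password(creds, uid, password):
    salt, digest = creds.get(uid, (b"", b""))
    return bool(salt) and hmac.compare_digest(digest, make_cred(password, salt)[1])

class Gateway:
    """The job the message gives SEC_checkToken(): editors submit through here
    and never see the re-auth detour themselves."""
    def __init__(self, tokens, creds, handlers, now):
        self.tokens, self.creds, self.handlers, self.now = tokens, creds, handlers, now
        self._parked = {}                       # nonce -> {"req", "at", "tries"}

    def submit(self, req, token):
        if self.tokens.check(req.uid, token):
            return self._dispatch(req, token)
        # Token invalid: park the request server-side and hand back only a nonce, so the
        # re-auth form carries no original fields. Uploads are dropped (known limitation).
        nonce = secrets.token_urlsafe(16)
        self._parked[nonce] = {"req": replace(req, files={}), "at": self.now(), "tries": 0}
        return {"status": "reauth", "nonce": nonce, "dropped_files": sorted(req.files)}

    def reauth(self, uid, nonce, password):
        entry = self._parked.get(nonce)
        if entry is None:
            return {"status": "denied", "reason": "unknown nonce"}
        if entry["req"].uid != uid or self.now() - entry["at"] > REAUTH_TTL:
            self._parked.pop(nonce, None)       # stale, or someone else's request
            return {"status": "denied", "reason": "stale or foreign request"}
        if not verify_password(self.creds, uid, password):
            entry["tries"] += 1
            if entry["tries"] >= MAX_ATTEMPTS:  # don't leave a password oracle parked
                self._parked.pop(nonce, None)
            return {"status": "denied", "reason": "bad password"}
        self._parked.pop(nonce, None)           # success consumes the nonce: no replay
        return self._dispatch(entry["req"], self.tokens.issue(uid))

    def _dispatch(self, req, token):
        return {"status": "ok", "token": token, "result": self.handlers[req.path](req)}

def demo():
    """One story save: fresh token, then an expired one, then the re-auth detour."""
    clock = [1_700_000_000.0]                   # controllable clock in place of time.time
    tokens, saved = TokenStore(lambda: clock[0]), []
    creds = {2: make_cred("correct horse")}     # constructed user 2 and its password

    def save_story(req):                        # assumed stand-in for the story editor
        saved.append(req.fields["title"])
        return {"saved": req.fields["title"]}

    gw = Gateway(tokens, creds, {"/admin/story.php": save_story}, lambda: clock[0])
    tok = tokens.issue(2)
    req = Request(2, "/admin/story.php", {"title": "Hello"}, files={"image": b"\x89PNG"})
    fresh = gw.submit(req, tok)                 # valid token: saved straight away
    clock[0] += TOKEN_TTL + 1                   # let the token expire
    challenge = gw.submit(req, tok)             # same submit now yields the challenge
    bad = gw.reauth(2, challenge["nonce"], "wrong password")
    good = gw.reauth(2, challenge["nonce"], "correct horse")
    again = gw.reauth(2, challenge["nonce"], "correct horse")   # nonce already consumed
    return {"fresh": fresh, "challenge": challenge, "bad": bad, "good": good,
            "again": again, "saved": saved, "token_rotated": good.get("token") != tok}
```

Run demo() to walk the sequence: the first save goes through, the expired-token save comes back as a re-auth challenge, a wrong password is refused without losing the parked edit, the right password replays the save under a new token, and a second use of the same nonce is refused. Nothing in the re-auth form is the user's data, so an attacker who sees the form learns only a random nonce; the attempt cap keeps a parked nonce from becoming a free password-guessing endpoint.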