[Cs-webapplibs-commits] SF.net SVN: cs-webapplibs:[125] trunk/0.3
From: <cra...@us...> - 2009-08-20 18:47:12
Revision: 125
http://cs-webapplibs.svn.sourceforge.net/cs-webapplibs/?rev=125&view=rev
Author: crazedsanity
Date: 2009-08-20 18:47:04 +0000 (Thu, 20 Aug 2009)
Log Message:
-----------
Make hash unguessable.
NOTE::: the last commit missed cs_authToken.class.php, so this looks a bit
like a duplicate.
NOTE2:: the hash string could additionally be run through SHA-1 via the sha1() function,
though this might hinder using it for cs_sessionDB{}...?
/cs_authToken.class.php:
* create_token():
-- add microtime() and a random number to the hash string for better
unguessability.
* authenticate_token():
-- check length of the array from get_token_data(), and make sure the
checksums match (the checksum match was incomplete, must've been
distracted or something).
* get_token_data():
-- remove initial index (of $tokenId) for simpler checking.
-- add exception if the $tokenId index isn't there.
/tests/testOfCSWebAppLibs.php:
* test_token_basics():
-- test to ensure the token's hash isn't guessable.
* authTokenTester::doHash() [NEW]:
-- calls cs_authToken::create_hash_string().
Modified Paths:
--------------
trunk/0.3/cs_authToken.class.php
trunk/0.3/tests/testOfCSWebAppLibs.php
Modified: trunk/0.3/cs_authToken.class.php
===================================================================
--- trunk/0.3/cs_authToken.class.php 2009-08-20 18:15:30 UTC (rev 124)
+++ trunk/0.3/cs_authToken.class.php 2009-08-20 18:47:04 UTC (rev 125)
@@ -103,6 +103,7 @@
$tokenId = $this->db->run_insert($sql, $this->seq);
//now that we have the ID, let's create the real has string.
+ $stringToHash .= microtime(true) ."__". rand(1000, 9999999);
$finalHash = $this->create_hash_string($tokenId, $uid, $checksum, $stringToHash);
$this->_generic_update($tokenId, "token='". $finalHash ."'");
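Review bot: rand() on the added line is not a cryptographically secure generator, so the appended value does not make the token unguessable as the log message intends; its range 1000..9999999 is under 24 bits, and microtime(true) is predictable to within the request's time window, so anyone who can evaluate create_hash_string() (the test in this commit shows it is reachable) faces only a small search space. Draw the suffix from a CSPRNG instead, e.g. `$stringToHash .= bin2hex(random_bytes(16));` (random_bytes() is PHP 7+; on older releases openssl_random_pseudo_bytes() with its strong-result flag checked). Whether create_hash_string() is itself one-way cannot be seen from this hunk. create_token() continues outside the hunk.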
@@ -199,10 +200,9 @@
try {
$data = $this->get_token_data($tokenId);
- if(count($data) == 1 && isset($data[$tokenId]) && is_array($data[$tokenId])) {
- $data = $data[$tokenId];
+ if(count($data) == 9 && is_array($data) && isset($data['auth_token_id'])) {
- if($data['token'] == $hash && $data['checksum']) {
+ if($data['token'] == $hash && $data['checksum'] == $checksum) {
$methodCall = 'update_token_uses';
if(is_numeric($data['max_uses'])) {
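Review bot: The token check on the `+` line still compares with loose `==`; under PHP's numeric-string rules two hash strings can compare equal without being identical (both of the form `0e` followed by digits, for instance), and the comparison is not constant-time either. Use strict equality, or better `hash_equals()` (PHP 5.6+): `if(hash_equals((string)$data['token'], (string)$hash) && (string)$data['checksum'] === (string)$checksum) {`. The `count($data) == 9` guard hard-codes the number of columns returned by get_token_data(), so adding a column later makes every token silently fail authentication; checking for the keys this branch actually reads (`token`, `checksum`, `max_uses`) is more robust, and the is_array() test should come before count(). authenticate_token() starts and ends outside the hunk.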
@@ -265,7 +265,12 @@
$data = $this->db->run_query($sql, 'auth_token_id');
if(is_array($data) && count($data) == 1) {
- $tokenData = $data;
+ if(isset($data[$tokenId])) {
+ $tokenData = $data[$tokenId];
+ }
+ else {
+ throw new exception("missing sub-array for tokenId (". $tokenId .")");
+ }
}
elseif($data === false) {
$tokenData = false;
Modified: trunk/0.3/tests/testOfCSWebAppLibs.php
===================================================================
--- trunk/0.3/tests/testOfCSWebAppLibs.php 2009-08-20 18:15:30 UTC (rev 124)
+++ trunk/0.3/tests/testOfCSWebAppLibs.php 2009-08-20 18:47:04 UTC (rev 125)
@@ -165,6 +165,19 @@
$this->assertEqual($uniq, ($numTests -1));
}
}
+
+ //make sure the hash string isn't guessable, even if they can access our super-secret encryption algorithm. ;)
+ {
+ $uid = rand(1,99999);
+ $checksum = "my birfday";
+ $hashThis = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque ut.";
+
+ $tokenData = $tok->create_token($uid, $checksum, $hashThis);
+ $this->basic_token_tests($tokenData, $uid, $checksum);
+
+ $this->assertNotEqual($tokenData['hash'], $tok->doHash($tokenData['id'], $uid, $checksum, $hashThis),
+ "hash is guessable");
+ }
}//end test_token_basics()
//--------------------------------------------------------------------------
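Review bot: The new assertNotEqual only shows that the stored hash differs from a deterministic recomputation of the same inputs, which a fixed, non-random suffix would also satisfy; it does not show that the suffix varies between calls. Creating a second token from identical inputs and asserting the two hashes differ covers that, e.g. `$again = $tok->create_token($uid, $checksum, $hashThis);` followed by `$this->assertNotEqual($tokenData['hash'], $again['hash'], "hash repeats for identical input");`. Neither assertion can establish the strength of the random source, which is a property of create_token() rather than of this test. test_token_basics() starts outside the hunk.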
@@ -194,5 +207,8 @@
public function tokenData($id, $onlyNonExpired=true) {
return($this->get_token_data($id, $onlyNonExpired));
}
+ public function doHash($tokenId, $uid, $checksum, $hash) {
+ return($this->create_hash_string($tokenId, $uid, $checksum, $hash));
+ }
}
?>