Added nonfunctional workflow for crossdomain cookies

This commit is contained in:
djpbessems 2019-02-22 11:28:42 +01:00
parent 2776d1b421
commit d9e53fce49
5 changed files with 37 additions and 14 deletions

View File

@ -83,8 +83,10 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0];
if (setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
return ['status' => 'Success'];
} else {
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
}
}

View File

@ -22,10 +22,7 @@ return (object) array(
'Path' => '../data/lucidAuth.sqlite.db'
// Relative path to the location where the database should be stored
],
'ApiKeyFile' => 'externalResource.api.key',
// File containing your <externalresource> token
'JWT' => [
'PrivateKey_base64' => '',
// A base64-encoded random (preferably long) string (see https://www.base64encode.org/)
@ -35,20 +32,22 @@ return (object) array(
],
'Session' => [
'Duration' => 2592000,
'Duration' => 2592000,
// In seconds (2592000 is equivalent to 30 days)
'CrossDomainLogin' => False,
// Set this to True if SingleSignOn (albeit rudementary) is desired
// (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains)
'CookieDomains' => [
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
]
// Domain(s) that will be used to set cookie-domains to
// (multiple domains are allowed; remove the '#' above)
],
'Debug' => [
'Verbose' => False,
'Verbose' => False,
'LogToFile' => False
]
);
?>

View File

@ -26,7 +26,7 @@
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
// Since this action is only ever called through an AJAX-request; return JSON object
echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL;
echo sprintf('{"Result":"Success","Location":"%1$s","CrossDomainLogin":%2$s}', $originalUri, $settings->Session['CrossDomainLogin'] ? 'True' : 'False') . PHP_EOL;
} else {
switch ($result['reason']) {
case '1':

View File

@ -0,0 +1,18 @@
<?php
error_reporting(E_ALL ^ E_NOTICE);
include_once('../include/lucidAuth.functions.php');
// Start with checking $_REQUEST['ref']
// What do we need?
// token again?
// approach 1:
// origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already)
// this might be slower because it means one additional roundtrip between client and server
// approach 2:
// let the client setup multiple iframes for all domains other than origin domains
// this requires passing an array of domains to the client in asynchronous reply; which feels insecure
?>

View File

@ -1,7 +1,7 @@
$(document).ready(function(){
// Allow user to press enter to submit credentials
$('#username, #password').keypress(function(event) {
if (event.which == 13) {
if (event.which === 13) {
$('#btnlogin').trigger('click');
}
});
@ -26,16 +26,20 @@ $(document).ready(function(){
catch (e) {
console.log(data);
}
if (ajaxData.Result == 'Success') {
if (ajaxData.Result === 'Success') {
$('#btnlogin').css({
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$('#btnsync').prop('disabled', false).css({
$('#btnlogin').prop('disabled', false).css({
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
'color': '#FFF'
});
if (ajaxData.CrossDomainLogin) {
// Create iframes for other domains
console.log('CrossDomainLogin initiated');
}
window.location.replace(ajaxData.Location);
}, 2250);
} else {
@ -44,7 +48,7 @@ $(document).ready(function(){
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$('#btnsync').prop('disabled', false).css({
$('#btnlogin').prop('disabled', false).css({
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
'color': '#FFF'
});