Added nonfunctional workflow for crossdomain cookies
This commit is contained in:
djpbessems
@@ -83,8 +83,10 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
|
|||||||
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
|
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
|
||||||
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
|
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
|
||||||
}))[0];
|
}))[0];
|
||||||
if (setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
|
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
|
||||||
return ['status' => 'Success'];
|
return ['status' => 'Success'];
|
||||||
|
} else {
|
||||||
|
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -23,9 +23,6 @@ return (object) array(
|
|||||||
// Relative path to the location where the database should be stored
|
// Relative path to the location where the database should be stored
|
||||||
],
|
],
|
||||||
|
|
||||||
'ApiKeyFile' => 'externalResource.api.key',
|
|
||||||
// File containing your <externalresource> token
|
|
||||||
|
|
||||||
'JWT' => [
|
'JWT' => [
|
||||||
'PrivateKey_base64' => '',
|
'PrivateKey_base64' => '',
|
||||||
// A base64-encoded random (preferably long) string (see https://www.base64encode.org/)
|
// A base64-encoded random (preferably long) string (see https://www.base64encode.org/)
|
||||||
@@ -35,8 +32,11 @@ return (object) array(
|
|||||||
],
|
],
|
||||||
|
|
||||||
'Session' => [
|
'Session' => [
|
||||||
'Duration' => 2592000,
|
'Duration' => 2592000,
|
||||||
// In seconds (2592000 is equivalent to 30 days)
|
// In seconds (2592000 is equivalent to 30 days)
|
||||||
|
'CrossDomainLogin' => False,
|
||||||
|
// Set this to True if SingleSignOn (albeit rudementary) is desired
|
||||||
|
// (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains)
|
||||||
'CookieDomains' => [
|
'CookieDomains' => [
|
||||||
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
|
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
|
||||||
]
|
]
|
||||||
@@ -45,10 +45,9 @@ return (object) array(
|
|||||||
],
|
],
|
||||||
|
|
||||||
'Debug' => [
|
'Debug' => [
|
||||||
'Verbose' => False,
|
'Verbose' => False,
|
||||||
'LogToFile' => False
|
'LogToFile' => False
|
||||||
]
|
]
|
||||||
|
|
||||||
);
|
);
|
||||||
|
|
||||||
?>
|
?>
|
||||||
@@ -26,7 +26,7 @@
|
|||||||
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
|
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
|
||||||
|
|
||||||
// Since this action is only ever called through an AJAX-request; return JSON object
|
// Since this action is only ever called through an AJAX-request; return JSON object
|
||||||
echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL;
|
echo sprintf('{"Result":"Success","Location":"%1$s","CrossDomainLogin":%2$s}', $originalUri, $settings->Session['CrossDomainLogin'] ? 'True' : 'False') . PHP_EOL;
|
||||||
} else {
|
} else {
|
||||||
switch ($result['reason']) {
|
switch ($result['reason']) {
|
||||||
case '1':
|
case '1':
|
||||||
|
|||||||
18
public/lucidAuth.setXDomainCookie.php
Normal file
18
public/lucidAuth.setXDomainCookie.php
Normal file
@@ -0,0 +1,18 @@
|
|||||||
|
<?php
|
||||||
|
error_reporting(E_ALL ^ E_NOTICE);
|
||||||
|
|
||||||
|
include_once('../include/lucidAuth.functions.php');
|
||||||
|
|
||||||
|
// Start with checking $_REQUEST['ref']
|
||||||
|
// What do we need?
|
||||||
|
// token again?
|
||||||
|
|
||||||
|
// approach 1:
|
||||||
|
// origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already)
|
||||||
|
// this might be slower because it means one additional roundtrip between client and server
|
||||||
|
|
||||||
|
// approach 2:
|
||||||
|
// let the client setup multiple iframes for all domains other than origin domains
|
||||||
|
// this requires passing an array of domains to the client in asynchronous reply; which feels insecure
|
||||||
|
|
||||||
|
?>
|
||||||
@@ -1,7 +1,7 @@
|
|||||||
$(document).ready(function(){
|
$(document).ready(function(){
|
||||||
// Allow user to press enter to submit credentials
|
// Allow user to press enter to submit credentials
|
||||||
$('#username, #password').keypress(function(event) {
|
$('#username, #password').keypress(function(event) {
|
||||||
if (event.which == 13) {
|
if (event.which === 13) {
|
||||||
$('#btnlogin').trigger('click');
|
$('#btnlogin').trigger('click');
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@@ -26,16 +26,20 @@ $(document).ready(function(){
|
|||||||
catch (e) {
|
catch (e) {
|
||||||
console.log(data);
|
console.log(data);
|
||||||
}
|
}
|
||||||
if (ajaxData.Result == 'Success') {
|
if (ajaxData.Result === 'Success') {
|
||||||
$('#btnlogin').css({
|
$('#btnlogin').css({
|
||||||
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
|
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
|
||||||
'transform': 'rotateX(0deg)'
|
'transform': 'rotateX(0deg)'
|
||||||
});
|
});
|
||||||
setTimeout(function() {
|
setTimeout(function() {
|
||||||
$('#btnsync').prop('disabled', false).css({
|
$('#btnlogin').prop('disabled', false).css({
|
||||||
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
||||||
'color': '#FFF'
|
'color': '#FFF'
|
||||||
});
|
});
|
||||||
|
if (ajaxData.CrossDomainLogin) {
|
||||||
|
// Create iframes for other domains
|
||||||
|
console.log('CrossDomainLogin initiated');
|
||||||
|
}
|
||||||
window.location.replace(ajaxData.Location);
|
window.location.replace(ajaxData.Location);
|
||||||
}, 2250);
|
}, 2250);
|
||||||
} else {
|
} else {
|
||||||
@@ -44,7 +48,7 @@ $(document).ready(function(){
|
|||||||
'transform': 'rotateX(0deg)'
|
'transform': 'rotateX(0deg)'
|
||||||
});
|
});
|
||||||
setTimeout(function() {
|
setTimeout(function() {
|
||||||
$('#btnsync').prop('disabled', false).css({
|
$('#btnlogin').prop('disabled', false).css({
|
||||||
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
||||||
'color': '#FFF'
|
'color': '#FFF'
|
||||||
});
|
});
|
||||||
|
|||||||
Reference in New Issue
Block a user