Added nonfunctional workflow for crossdomain cookies

This commit is contained in:
djpbessems 2019-02-22 11:28:42 +01:00
parent 2776d1b421
commit d9e53fce49
5 changed files with 37 additions and 14 deletions

View File

@ -83,8 +83,10 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks // This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value))); return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0]; }))[0];
if (setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) { if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
return ['status' => 'Success']; return ['status' => 'Success'];
} else {
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
} }
} }

View File

@ -23,9 +23,6 @@ return (object) array(
// Relative path to the location where the database should be stored // Relative path to the location where the database should be stored
], ],
'ApiKeyFile' => 'externalResource.api.key',
// File containing your <externalresource> token
'JWT' => [ 'JWT' => [
'PrivateKey_base64' => '', 'PrivateKey_base64' => '',
// A base64-encoded random (preferably long) string (see https://www.base64encode.org/) // A base64-encoded random (preferably long) string (see https://www.base64encode.org/)
@ -35,8 +32,11 @@ return (object) array(
], ],
'Session' => [ 'Session' => [
'Duration' => 2592000, 'Duration' => 2592000,
// In seconds (2592000 is equivalent to 30 days) // In seconds (2592000 is equivalent to 30 days)
'CrossDomainLogin' => False,
// Set this to True if SingleSignOn (albeit rudementary) is desired
// (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains)
'CookieDomains' => [ 'CookieDomains' => [
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld' 'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
] ]
@ -45,10 +45,9 @@ return (object) array(
], ],
'Debug' => [ 'Debug' => [
'Verbose' => False, 'Verbose' => False,
'LogToFile' => False 'LogToFile' => False
] ]
); );
?> ?>

View File

@ -26,7 +26,7 @@
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php'; $originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
// Since this action is only ever called through an AJAX-request; return JSON object // Since this action is only ever called through an AJAX-request; return JSON object
echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL; echo sprintf('{"Result":"Success","Location":"%1$s","CrossDomainLogin":%2$s}', $originalUri, $settings->Session['CrossDomainLogin'] ? 'True' : 'False') . PHP_EOL;
} else { } else {
switch ($result['reason']) { switch ($result['reason']) {
case '1': case '1':

View File

@ -0,0 +1,18 @@
<?php
error_reporting(E_ALL ^ E_NOTICE);
include_once('../include/lucidAuth.functions.php');
// Start with checking $_REQUEST['ref']
// What do we need?
// token again?
// approach 1:
// origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already)
// this might be slower because it means one additional roundtrip between client and server
// approach 2:
// let the client setup multiple iframes for all domains other than origin domains
// this requires passing an array of domains to the client in asynchronous reply; which feels insecure
?>

View File

@ -1,7 +1,7 @@
$(document).ready(function(){ $(document).ready(function(){
// Allow user to press enter to submit credentials // Allow user to press enter to submit credentials
$('#username, #password').keypress(function(event) { $('#username, #password').keypress(function(event) {
if (event.which == 13) { if (event.which === 13) {
$('#btnlogin').trigger('click'); $('#btnlogin').trigger('click');
} }
}); });
@ -26,16 +26,20 @@ $(document).ready(function(){
catch (e) { catch (e) {
console.log(data); console.log(data);
} }
if (ajaxData.Result == 'Success') { if (ajaxData.Result === 'Success') {
$('#btnlogin').css({ $('#btnlogin').css({
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center', 'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
'transform': 'rotateX(0deg)' 'transform': 'rotateX(0deg)'
}); });
setTimeout(function() { setTimeout(function() {
$('#btnsync').prop('disabled', false).css({ $('#btnlogin').prop('disabled', false).css({
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center', 'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
'color': '#FFF' 'color': '#FFF'
}); });
if (ajaxData.CrossDomainLogin) {
// Create iframes for other domains
console.log('CrossDomainLogin initiated');
}
window.location.replace(ajaxData.Location); window.location.replace(ajaxData.Location);
}, 2250); }, 2250);
} else { } else {
@ -44,7 +48,7 @@ $(document).ready(function(){
'transform': 'rotateX(0deg)' 'transform': 'rotateX(0deg)'
}); });
setTimeout(function() { setTimeout(function() {
$('#btnsync').prop('disabled', false).css({ $('#btnlogin').prop('disabled', false).css({
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center', 'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
'color': '#FFF' 'color': '#FFF'
}); });