Added nonfunctional workflow for crossdomain cookies
This commit is contained in:
djpbessems
@@ -83,8 +83,10 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
|
||||
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
|
||||
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
|
||||
}))[0];
|
||||
if (setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
|
||||
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
|
||||
return ['status' => 'Success'];
|
||||
} else {
|
||||
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -23,9 +23,6 @@ return (object) array(
|
||||
// Relative path to the location where the database should be stored
|
||||
],
|
||||
|
||||
'ApiKeyFile' => 'externalResource.api.key',
|
||||
// File containing your <externalresource> token
|
||||
|
||||
'JWT' => [
|
||||
'PrivateKey_base64' => '',
|
||||
// A base64-encoded random (preferably long) string (see https://www.base64encode.org/)
|
||||
@@ -35,8 +32,11 @@ return (object) array(
|
||||
],
|
||||
|
||||
'Session' => [
|
||||
'Duration' => 2592000,
|
||||
'Duration' => 2592000,
|
||||
// In seconds (2592000 is equivalent to 30 days)
|
||||
'CrossDomainLogin' => False,
|
||||
// Set this to True if SingleSignOn (albeit rudementary) is desired
|
||||
// (cookies are inheritently unaware of each other; clearing cookies for one domain does not affect other domains)
|
||||
'CookieDomains' => [
|
||||
'domain1.tld' #, 'domain2.tld', 'subdomain.domain3.tld'
|
||||
]
|
||||
@@ -45,10 +45,9 @@ return (object) array(
|
||||
],
|
||||
|
||||
'Debug' => [
|
||||
'Verbose' => False,
|
||||
'Verbose' => False,
|
||||
'LogToFile' => False
|
||||
]
|
||||
|
||||
);
|
||||
|
||||
?>
|
||||
@@ -26,7 +26,7 @@
|
||||
$originalUri = !empty($proxyHeaders) ? $proxyHeaders['XForwardedProto'] . '://' . $proxyHeaders['XForwardedHost'] . $proxyHeaders['XForwardedUri'] : 'lucidAuth.manage.php';
|
||||
|
||||
// Since this action is only ever called through an AJAX-request; return JSON object
|
||||
echo '{"Result":"Success","Location":"' . $originalUri . '"}' . PHP_EOL;
|
||||
echo sprintf('{"Result":"Success","Location":"%1$s","CrossDomainLogin":%2$s}', $originalUri, $settings->Session['CrossDomainLogin'] ? 'True' : 'False') . PHP_EOL;
|
||||
} else {
|
||||
switch ($result['reason']) {
|
||||
case '1':
|
||||
|
||||
18
public/lucidAuth.setXDomainCookie.php
Normal file
18
public/lucidAuth.setXDomainCookie.php
Normal file
@@ -0,0 +1,18 @@
|
||||
<?php
|
||||
error_reporting(E_ALL ^ E_NOTICE);
|
||||
|
||||
include_once('../include/lucidAuth.functions.php');
|
||||
|
||||
// Start with checking $_REQUEST['ref']
|
||||
// What do we need?
|
||||
// token again?
|
||||
|
||||
// approach 1:
|
||||
// origin domain, so we can intersect with $settings->Session['CookieDomains'] and iterate through the remaining domains, serving them in one page (which contains iframes already)
|
||||
// this might be slower because it means one additional roundtrip between client and server
|
||||
|
||||
// approach 2:
|
||||
// let the client setup multiple iframes for all domains other than origin domains
|
||||
// this requires passing an array of domains to the client in asynchronous reply; which feels insecure
|
||||
|
||||
?>
|
||||
@@ -1,7 +1,7 @@
|
||||
$(document).ready(function(){
|
||||
// Allow user to press enter to submit credentials
|
||||
$('#username, #password').keypress(function(event) {
|
||||
if (event.which == 13) {
|
||||
if (event.which === 13) {
|
||||
$('#btnlogin').trigger('click');
|
||||
}
|
||||
});
|
||||
@@ -26,16 +26,20 @@ $(document).ready(function(){
|
||||
catch (e) {
|
||||
console.log(data);
|
||||
}
|
||||
if (ajaxData.Result == 'Success') {
|
||||
if (ajaxData.Result === 'Success') {
|
||||
$('#btnlogin').css({
|
||||
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
|
||||
'transform': 'rotateX(0deg)'
|
||||
});
|
||||
setTimeout(function() {
|
||||
$('#btnsync').prop('disabled', false).css({
|
||||
$('#btnlogin').prop('disabled', false).css({
|
||||
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
||||
'color': '#FFF'
|
||||
});
|
||||
if (ajaxData.CrossDomainLogin) {
|
||||
// Create iframes for other domains
|
||||
console.log('CrossDomainLogin initiated');
|
||||
}
|
||||
window.location.replace(ajaxData.Location);
|
||||
}, 2250);
|
||||
} else {
|
||||
@@ -44,7 +48,7 @@ $(document).ready(function(){
|
||||
'transform': 'rotateX(0deg)'
|
||||
});
|
||||
setTimeout(function() {
|
||||
$('#btnsync').prop('disabled', false).css({
|
||||
$('#btnlogin').prop('disabled', false).css({
|
||||
'background': '#B50000 linear-gradient(0deg, rgba(255,255,255,0) 0%, rgba(255,255,255,0) 50%, rgba(255,255,255,0.25) 51%) no-repeat center',
|
||||
'color': '#FFF'
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user