Only generate auth hash when logged in.

Isaac Connor 2016-10-03 21:22:16 -04:00
parent f4418260e7
commit d4be5b06ea
1 changed files with 17 additions and 18 deletions


@ -141,30 +141,29 @@ function getAuthUser( $auth ) {
} }
function generateAuthHash( $useRemoteAddr ) { function generateAuthHash( $useRemoteAddr ) {
if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == "hashed" ) { if ( ZM_OPT_USE_AUTH and ZM_AUTH_RELAY == 'hashed' and $_SESSION['username'] and $_SESSION['passwordHash'] ) {
# regenerate a hash at half the liftetime of a hash, an hour is 3600 so half is 1800 # regenerate a hash at half the liftetime of a hash, an hour is 3600 so half is 1800
if ( ( $_SESSION['AuthHashGeneratedAt'] < time() - ( ZM_AUTH_HASH_TTL * 1800 ) ) or ! isset($_SESSION['AuthHash']) ) { if ( ( $_SESSION['AuthHashGeneratedAt'] < time() - ( ZM_AUTH_HASH_TTL * 1800 ) ) or ! isset($_SESSION['AuthHash']) ) {
if ( ! ( $_SESSION['username'] and $_SESSION['passwordHash'] ) ) { # Don't both regenerating Auth Hash if an hour hasn't gone by yet
Warning("Can't generate auth hash until we are logged in"); $time = localtime();
$authKey = '';
if ( $useRemoteAddr ) {
$authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
} else { } else {
# Don't both regenerating Auth Hash if an hour hasn't gone by yet $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
$time = localtime(); }
if ( $useRemoteAddr ) { $auth = md5( $authKey );
$authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5]; if ( session_status() == PHP_SESSION_NONE ) {
} else { Warning("Session is not active. AuthHash will not be cached.");
$authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5]; }
} $_SESSION['AuthHash'] = $auth;
$auth = md5( $authKey ); $_SESSION['AuthHashGeneratedAt'] = time();
if ( session_status() == PHP_SESSION_NONE ) { } else {
Warning("Session is not active. AuthHash will not be cached."); Debug( "Using cached auth " . $_SESSION['AuthHash'] );
}
$_SESSION['AuthHash'] = $auth;
$_SESSION['AuthHashGeneratedAt'] = time();
} # end if we are logged in yet or not
} # end if AuthHash is not cached } # end if AuthHash is not cached
return $_SESSION['AuthHash']; return $_SESSION['AuthHash'];
} else { } else {
$auth = ""; $auth = '';
} }
return( $auth ); return( $auth );
} }
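Review bot: The new `else` branch calls `Debug( "Using cached auth " . $_SESSION['AuthHash'] )`, which writes the live relay hash into the debug log. That value stays valid for the rest of its TTL, so read access to the log is enough to obtain a working credential. Log the event without the value, e.g. `Debug( 'Using cached auth hash' );`. Separately, the widened outer condition reads `$_SESSION['username']` and `$_SESSION['passwordHash']` directly, so a request made before login raises undefined-index notices. `!empty($_SESSION['username']) and !empty($_SESSION['passwordHash'])` gives the same result without them.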