From 9e680b80e0c22ce76b6314741e05f1bcb0deb4f9 Mon Sep 17 00:00:00 2001 From: Matthias Benkard Date: Thu, 14 Aug 2014 09:38:28 +0200 Subject: Make stateless. MulkyID does not use session state stored in /tmp anymore. Instead, it uses a cookie encrypted with the private part of the MulkyID instance's RSA key. --- www/logged_in_p.pl | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'www/logged_in_p.pl') diff --git a/www/logged_in_p.pl b/www/logged_in_p.pl index 73c9d1c..b076618 100755 --- a/www/logged_in_p.pl +++ b/www/logged_in_p.pl @@ -10,6 +10,8 @@ use JSON; use File::Slurp; +use Crypt::OpenSSL::RSA; + use CGI; use CGI::Fast; use CGI::Session; @@ -18,24 +20,32 @@ do "common.pl"; while (my $cgi = new CGI::Fast) { + $::MULKONF = {}; # to silence a warning load_config(); print $cgi->header(-content_type => 'application/json; charset=UTF-8'); - my $cookie = $cgi->cookie('mulkid_session'); + my $cookie = $cgi->cookie('mulkyid_session'); + unless ($cookie) { say encode_json({logged_in_p => 0}); exit(0); } - my $session = new CGI::Session("driver:File", $cookie, {Directory=>"/tmp"}); - unless ($session) { + my $key = Crypt::OpenSSL::RSA->new_private_key(scalar read_file($::MULKONF->{pemfile})); + $key->use_pkcs1_padding(); + $key->use_sha256_hash(); + + my $reverse_encrypted_user_session = decode_base64_url($cookie); + my $plain_user_session = $key->public_decrypt($reverse_encrypted_user_session); + my ($session_user, $timestamp) = split /#/, $plain_user_session; + + if ($timestamp < time - 24*3600) { say encode_json({logged_in_p => 0}); exit(0); } - my $email = $cgi->param('email') or die "No email address supplied"; - my $session_user = $session->param('user'); + my $email = $cgi->param('email') or die "No email address supplied"; if (any(email_users($email)) eq $session_user) { say encode_json({logged_in_p => 1}); } else { -- cgit v1.2.3