to hand off to other web pages, or even other sites
class authticket {
var $secret = "setme"; // you WILL want to change this
var $realm = ""; // the realm of this identity
var $lifetime = 2 * 60 *60; // tickets good for 2 hours
var $authenticated = 0; // the data here is valid iff non-zero
var $identity; // the remote identity, if decoded correctly
var $issue; // the time the ticket was issued
var $remote_addr; // the remote address of the client
var $hash; // the hash value. Probably of little use.
var $autherr; // if verification faild, this contains why
//
// helper function which just zeros out the ticket data
//
function zerodata()
{
$this->authenticated = 0;
$this->identity = "";
$this->issue = 0;
$this->remote_addr = "";
$this->hash = "";
$this->autherr = "";
}
//
// Take a string ($identity) and a time ($time) and the internal
// secret value, and generate a string that can be used to verify
// that the remote user is known to us. The result of this function
// is a single string, that can be passed along in a hidden form
// or even a cookie.
//
// If ($time) is 0, the current time is used instead.
//
// ($identity) _cannot_ contain a ``:'' character. If you need
// one in there, you will have to change it to some sort of escape
// sequence.
//
// Some care should be used. I recommend using this only over SSL,
// unless the actual ticket contents are encrypted using something
// stronger than XOR.
//
function makeauth($identity, $time)
{
global $REMOTE_ADDR;
$this->zerodata();
if ($time == 0)
$time = time();
$ticket_items[] = (string)$time;
$ticket_items[] = $this->realm;
$ticket_items[] = $REMOTE_ADDR;
$ticket_items[] = $identity;
$ticket = implode($ticket_items, ":");
$hash = md5($this->secret . $ticket);
$ticket = $hash . ':' . $ticket;
$this->identity = $identity;
$this->issue = $time;
$this->remote_addr = $REMOTE_ADDR;
$this->hash = $hash;
$this->authenticated = 1; /* data is valid */
$this->autherr = "";
return $ticket;
}
//
// Take a ($ticket) string generated by makeauth(), and a ($time),
// and verify that the ticket is valid and not expired.
//
// If ($time) is 0, the current time will be used.
//
// On error, the function returns the empty string "",
// $authenticated is 0, and $autherr contains the reason
// the authentication failed.
//
// On success, the identity encoded in the ticket is returned,
// $authenticated is non-zero, and $autherr is to be ignored.
//
function checkauth($ticket, $time)
{
global $REMOTE_ADDR;
$this->zerodata();
if ($time == 0)
$time = time();
/*
* Item order: hash time realm remote_addr identity
*/
$ticket_items = explode( ":", $ticket);
/*
* if the remote address doesn't match the one in the ticket,
* drop them.
*/
if ($ticket_items[3] != $REMOTE_ADDR) {
$this->autherr = "Address mismatch";
return "";
}
//
// if we are supposed to check for expired tickets, do that
// here.
//
if ($this->lifetime != 0)
if ($time > (int)$ticket_items[1] + $this->lifetime) {
$this->autherr = "Ticket expired";
return "";
}
//
// make certain that the ticket is not being used before
// it was issued.
//
if ($time < (int)$ticket_items[1]) {
$this->autherr = "Ticket used before issued";
return "";
}
//
// verify that the realms match
//
if ($this->realm != $ticket_items[2]) {
$this->autherr = "Realm mismatch";
return "";
}
//
// This could be done better... Reassemble the components
// of the ticket passed to us, and rehash. Compare this
// to the hash we were sent.
//
$tmp_items[] = $ticket_items[1];
$tmp_items[] = $ticket_items[2];
$tmp_items[] = $ticket_items[3];
$tmp_items[] = $ticket_items[4];
$tmp_ticket = implode($tmp_items, ":");
$hash = md5($this->secret . $tmp_ticket);
if ($hash != $ticket_items[0]) {
$this->autherr = "Integrity check failed";
return "";
}
//
// well, it all checks out. Might as well claim we know
// who this person is.
//
$this->hash = $hash;
$this->issue = $ticket_items[1];
$this->remote_addr = $ticket_items[3];
$this->identity = $ticket_items[4];
$this->authenticated = 1;
return $this->identity;
}
};
?>