ad_sign (public)

 ad_sign [ -secret secret ] [ -token_id token_id ] [ -max_age max_age ] \
    [ -binding binding ] value

Defined in packages/acs-tcl/tcl/security-procs.tcl

Returns a digital signature of the value. Negative token_ids are reserved for secrets external to the ACS digital signature mechanism. If a token_id is specified, a secret must also be specified.

-secret (optional)
allows the caller to specify a known secret external to the random secret management mechanism.
-token_id (optional)
allows the caller to specify a token_id which is then ignored so don't use it.
-max_age (optional)
specifies the length of time the signature is valid in seconds. The default is forever.
-binding (defaults to "0") (optional)
allows the caller to bind a signature to a user/session. A value of 0 (default) means no additional binding. When the value is "-1" only the user who created the signature can obtain the value again. When the value is "-2" only the user with the same csrf token can obtain the value again. The permissible values might be extended in the future.
value - the value to be signed.

Partial Call Graph (max 5 caller/called nodes):
%3 test_auth_password_recover auth_password_recover (test acs-authentication) ad_sign ad_sign test_auth_password_recover->ad_sign test_sync_http_get_document sync_http_get_document (test acs-authentication) test_sync_http_get_document->ad_sign acs_mail_lite::unique_id_create acs_mail_lite::unique_id_create (private) acs_mail_lite::unique_id_create->ad_sign ad_form ad_form (public) ad_form->ad_sign ad_set_signed_cookie ad_set_signed_cookie (public) ad_set_signed_cookie->ad_sign export_vars_sign export_vars_sign (private) export_vars_sign->ad_sign template::element::create template::element::create (public) template::element::create->ad_sign

auth_password_recover, sync_http_get_document
Source code:
    if {$token_id eq ""} {
        # pick a random token_id
        set token_id [sec_get_random_cached_token_id]

    if { $secret eq "" } {
        set secret_token [sec_get_token $token_id]
    } else {
        set secret_token $secret

    ns_log Debug "Security: Getting token_id $token_id, value $secret_token"

    if { $max_age eq "" } {
        set expire_time 0
    } else {
        set expire_time [expr {$max_age + [ns_time]}]

    switch $binding {
        -1 {
            set binding_value [ad_conn user_id]
            append token_id :$binding
        -2 {
            set binding_value [::security::csrf::new]
            append token_id :$binding
        0 {
            set binding_value ""
        default {error "invalid binding"}

    set hash [ns_sha1 "$value$token_id$expire_time$secret_token$binding_value"]
    set signature [list $token_id $expire_time $hash]

    return $signature
Generic XQL file:

PostgreSQL XQL file:

Oracle XQL file:

[ hide source ] | [ make this the default ]
Show another procedure: