ad_sign (public)

 ad_sign [ -secret secret ] [ -token_id token_id ] [ -max_age max_age ] \
    [ -binding binding ] value

Defined in packages/acs-tcl/tcl/security-procs.tcl

Returns a digital signature of the value. Negative token_ids are reserved for secrets external to the ACS digital signature mechanism. If a token_id is specified, a secret must also be specified.

-secret - allows the caller to specify a known secret external to the random secret management mechanism.
-token_id - allows the caller to specify a token_id which is then ignored, so don't use it.
-max_age - specifies the length of time the signature is valid in seconds. The default is forever.
-binding (defaults to "0") (optional) - allows the caller to bind a signature to a user/session. A value of 0 (default) means no additional binding. When the value is "-1" only the user who created the signature can obtain the value again. When the value is "-2" only the user with the same csrf token can obtain the value again. The permissible values might be extended in the future.
value - the value to be signed.

Partial Call Graph (max 5 caller/called nodes):
  Called by: acs_mail_lite::unique_id_create (private), ad_form (public), ad_set_signed_cookie (public), export_vars_sign (private), security::parameter::signed (public)
  Calls: ad_conn (public), sec_get_random_cached_token_id (public), sec_get_token (public), security::csrf::new (public)

Testcases (acs-authentication): auth_password_recover, sync_http_get_document
Source code:
    if {$token_id eq ""} {
        # pick a random token_id
        set token_id [sec_get_random_cached_token_id]
    }

    if { $secret eq "" } {
        set secret_token [sec_get_token $token_id]
    } else {
        set secret_token $secret
    }

    ns_log Debug "Security: Getting token_id $token_id, value $secret_token"

    # an expire_time of 0 means the signature is valid forever
    if { $max_age eq "" } {
        set expire_time 0
    } else {
        set expire_time [expr {$max_age + [ns_time]}]
    }

    switch $binding {
        -1 {
            # bind to the user who created the signature
            set binding_value [ad_conn user_id]
            append token_id :$binding
        }
        -2 {
            # bind to the csrf token
            set binding_value [::security::csrf::new]
            append token_id :$binding
        }
        0 {
            set binding_value ""
        }
        default {error "invalid binding"}
    }

    set hash [ns_sha1 "$value$token_id$expire_time$secret_token$binding_value"]
    set signature [list $token_id $expire_time $hash]

    return $signature
Generic XQL file:

PostgreSQL XQL file:

Oracle XQL file:
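
The signature layout produced above, modelled in Python so it can be run outside NaviServer. This is an added example, not OpenACS code: `TOKENS`, `sign`, `verify` and the `now` parameter are hypothetical names, the secret is constructed, and the verification logic is an assumption derived from the signing code rather than the project's own verifier.

```python
import hashlib, hmac, time

# Constructed stand-in for the server-side secrets read by sec_get_token.
TOKENS = {7: "constructed-secret-for-token-7"}

def _binding_value(binding, user_id, csrf):
    # Mirrors the switch on $binding in ad_sign.
    if binding == 0:
        return ""
    if binding == -1:
        return str(user_id)   # stands in for [ad_conn user_id]
    if binding == -2:
        return csrf           # stands in for [security::csrf::new]
    raise ValueError("invalid binding")

def _digest(value, token_id, expire_time, secret, binding_value):
    # Same field order as the ns_sha1 call in ad_sign.
    data = f"{value}{token_id}{expire_time}{secret}{binding_value}"
    return hashlib.sha1(data.encode()).hexdigest()

def sign(value, token_id=7, max_age=None, binding=0, user_id=0, csrf="", now=None):
    now = int(time.time()) if now is None else now
    expire_time = 0 if max_age is None else max_age + now  # 0 = valid forever
    bval = _binding_value(binding, user_id, csrf)
    # ad_sign appends ":<binding>" to token_id before hashing.
    tid = str(token_id) if binding == 0 else f"{token_id}:{binding}"
    return [tid, expire_time, _digest(value, tid, expire_time, TOKENS[token_id], bval)]

def verify(value, signature, user_id=0, csrf="", now=None):
    # Hypothetical verifier: recompute the hash from the claimed fields
    # and the verifier's own view of the user/session, then compare.
    now = int(time.time()) if now is None else now
    try:
        tid, expire_time, digest = signature
        ident, _, bind = str(tid).partition(":")
        bval = _binding_value(int(bind) if bind else 0, user_id, csrf)
        secret, expire_time = TOKENS[int(ident)], int(expire_time)
    except (ValueError, KeyError, TypeError):
        return False
    if expire_time != 0 and expire_time < now:
        return False  # signature has expired
    expected = _digest(value, tid, expire_time, secret, bval)
    return hmac.compare_digest(expected.encode(), str(digest).encode())
```

Because token_id (with its binding suffix), expire_time and the binding value are all inside the hashed string, a holder of the signature cannot extend its lifetime, drop the binding, or reuse it for another user without the hash failing to match.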
