sec_login_handler (public)
Defined in packages/acs-tcl/tcl/security-procs.tcl
If a login cookie exists, it is checked for expiration (depending on the LoginTimeout parameter) and the account status is validated. In every case, the session info, including [ad_conn] and the session cookie, is updated accordingly. Modified ad_conn variables: untrusted_user_id, session_id, auth_level, account_status, and user_id.
- Partial Call Graph (max 5 caller/called nodes): not rendered in this text extract.
- Testcases: No testcase defined.
Source code:

ns_log debug "OACS= sec_login_handler: enter"

set auth_level none
set new_user_id 0
set untrusted_user_id 0
set account_status closed

#
# Check login cookie.
#
set login_info [sec_login_read_cookie]

if {[dict get $login_info status] eq "OK"} {
    set untrusted_user_id [dict get $login_info user_id]
    set auth_level expired
    #
    # Check conformance of the auth_token between cookie and
    # database depending on LoginTimeout: when LoginTimeout is 0,
    # always check the auth_token. Otherwise, check the auth_token
    # only while the LoginTimeout has not yet expired; a timed-out
    # cookie leaves auth_level at "expired".
    #
    set sec_login_timeout [sec_login_timeout]
    if { $sec_login_timeout == 0
         || [ns_time] - [dict get $login_info issue_time] < $sec_login_timeout
     } {
        #
        # Check auth_token.
        #
        if {[dict get $login_info auth_token] eq [sec_get_user_auth_token $untrusted_user_id]} {
            #
            # Check whether we retrieved the login cookie over
            # HTTPS. If so, we're secure.
            #
            if { [security::secure_conn_p] || [ad_conn behind_secure_proxy_p] } {
                set auth_level secure
            } else {
                set auth_level ok
            }
            #
            # In case there is no session_id, do not trust the
            # provided cookie, since it might be stolen. In
            # general, session cookies are recreated on the fly
            # for the current user, but we do not want this in
            # cases when we already have a "valid" login cookie.
            #
            if {[ad_conn session_id] eq ""} {
                ns_log warning "downgrade auth_level of user $untrusted_user_id since session_id invalid"
                set auth_level expired
            }
        } else {
            ::security::log login_cookie "sec_login_handler auth_token has changed"
            ns_log notice "OACS= auth_token has changed"
        }
    }
    #
    # In addition to the auth_token, also check the account status.
    #
    set account_status [auth::get_local_account_status -user_id $untrusted_user_id]
    if {$account_status eq "no_account"} {
        set untrusted_user_id 0
        set auth_level none
        set account_status "closed"
    }
}

sec_setup_session $untrusted_user_id $auth_level $account_status

Generic XQL file: packages/acs-tcl/tcl/security-procs.xql
PostgreSQL XQL file: packages/acs-tcl/tcl/security-procs-postgresql.xql
Oracle XQL file: packages/acs-tcl/tcl/security-procs-oracle.xql
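The auth_level decision made by the handler above, restated as an added Python model so each downgrade path can be exercised offline. This is not OpenACS code: the Tcl handler depends on NaviServer and OpenACS procs, so sec_login_read_cookie, sec_get_user_auth_token, auth::get_local_account_status, security::secure_conn_p/behind_secure_proxy_p and [ad_conn session_id] are replaced here by constructed inputs (LoginCookie, RequestContext and example_context are hypothetical names).

```python
# Added example: a stand-alone Python model of the auth_level decision made by
# sec_login_handler. Not OpenACS code; every server-side lookup the Tcl handler
# performs is replaced by a constructed input so the logic runs offline.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LoginCookie:
    """What sec_login_read_cookie returns: a status, plus fields when status is OK."""
    status: str                 # "OK" only when the cookie parsed and verified
    user_id: int = 0
    issue_time: int = 0         # epoch seconds at which the cookie was issued
    auth_token: str = ""        # token carried in the cookie


@dataclass
class RequestContext:
    """Server-side facts the handler consults (constructed stand-ins)."""
    now: int                        # [ns_time]
    login_timeout: int              # LoginTimeout parameter; 0 means no expiry
    db_auth_token: Dict[int, str]   # sec_get_user_auth_token, per user
    account_status: Dict[int, str]  # auth::get_local_account_status, per user
    secure_conn: bool               # secure_conn_p or behind_secure_proxy_p
    session_id: Optional[str]       # [ad_conn session_id]; None or "" when absent


def login_handler(cookie: LoginCookie, ctx: RequestContext) -> Tuple[int, str, str]:
    """Return (untrusted_user_id, auth_level, account_status) as the handler
    would hand them to sec_setup_session."""
    auth_level = "none"
    untrusted_user_id = 0
    account_status = "closed"

    if cookie.status == "OK":
        # A parsable cookie names a user but is only "expired" until proven otherwise.
        untrusted_user_id = cookie.user_id
        auth_level = "expired"

        # Compare the auth_token only while the login has not timed out
        # (a timeout of 0 disables expiry); a stale cookie stays "expired".
        if ctx.login_timeout == 0 or ctx.now - cookie.issue_time < ctx.login_timeout:
            if cookie.auth_token == ctx.db_auth_token.get(untrusted_user_id):
                # Token matches the database: the level depends on the transport.
                auth_level = "secure" if ctx.secure_conn else "ok"
                # A valid login cookie without a session id is downgraded,
                # since a login cookie on its own might have been stolen.
                if not ctx.session_id:
                    auth_level = "expired"
            # else: the token was rotated; the handler only logs, level stays "expired"

        # Account status is checked regardless of timeout or token match.
        account_status = ctx.account_status.get(untrusted_user_id, "no_account")
        if account_status == "no_account":
            untrusted_user_id = 0
            auth_level = "none"
            account_status = "closed"

    return untrusted_user_id, auth_level, account_status


def example_context(**overrides) -> RequestContext:
    """Constructed request context; keyword arguments override single fields."""
    base = dict(
        now=1_000_000,
        login_timeout=3600,
        db_auth_token={42: "tok-A"},                   # constructed sample token
        account_status={42: "ok", 7: "no_account"},    # constructed sample users
        secure_conn=True,
        session_id="sess-1",
    )
    base.update(overrides)
    return RequestContext(**base)


if __name__ == "__main__":
    ctx = example_context()
    fresh = LoginCookie("OK", 42, ctx.now - 60, "tok-A")
    print(login_handler(fresh, ctx))                                          # fresh cookie over HTTPS
    print(login_handler(LoginCookie("OK", 42, ctx.now - 7200, "tok-A"), ctx))  # older than LoginTimeout
    print(login_handler(LoginCookie("OK", 42, ctx.now - 60, "tok-B"), ctx))    # token rotated in the database
    print(login_handler(fresh, example_context(session_id=None)))             # no session cookie
    print(login_handler(LoginCookie("OK", 7, ctx.now - 60, "x"), ctx))        # account no longer exists
```

The ordering in the model mirrors the handler: the account-status check runs even when the token was never compared, so a cookie for a deleted account never yields a user id, and a rotated token or a timed-out cookie both leave the request at "expired" rather than "none", which keeps untrusted_user_id available for re-authentication prompts.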