Forum OpenACS Q&A: Re: New mini-package: auth-hash

Posted by Andrew Grumet on
Here's some sample PHP that implements the remote services for a case where we didn't need to map individual user ids. This implementation uses the filesystem for persistent storage, saving the random string as the filename. The timestamp is the file's mtime. The user id could be echoed into the file instead of simply touching it.

login.php (redirects user)

<?php
// Mint a one-time login code and record it as an empty file under codes/;
// the file's mtime doubles as the issue timestamp.
$code = md5($_SERVER['REMOTE_ADDR'] . mt_rand(0, 100000000));
touch("codes/$code");

// Where to send the browser: the OACS remote-login page, unless the caller
// supplied a service URL (restrict this to known OACS hosts in production).
if (!empty($_REQUEST['service'])) {
  $service = $_REQUEST['service'];
} else {
  $service = "http://oacs.url/remote-login";
}
$location = $service . "?code=" . urlencode($code);
if (!empty($_REQUEST['return_url'])) {
  $location .= "&return_url=" . urlencode($_REQUEST['return_url']);
}
header("Location: $location");
exit;
?>

login-verify.php (backend verifier)
<?php
// Backend verifier called by OACS: answers "Ok" exactly once per code.
$code = isset($_GET['code']) ? $_GET['code'] : '';
// A code is a 32-character md5 hex digest; rejecting anything else also
// keeps $code from ever naming a path outside the codes directory.
if (strlen($code) != 32 || !ctype_xdigit($code)) {
  echo "Fail";
  exit;
}
$path = "path_to_codes_directory/$code";
if (!file_exists($path)) {
  echo "Fail";
  exit;
} else {
  echo "Ok";
  unlink($path);   // one-time use: a replayed code now fails
}
?>
The login.php page should only be reachable by logged-in users. The location of the login-verify.php page should be secret and, ideally, only reachable by OACS.
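The exchange the post describes (login.php mints a code and redirects, OACS calls the verifier, the verifier answers once and forgets the code) as an added, self-contained example in Python; it is not code from the post or from the auth-hash package. It keeps the post's filesystem design, with the code as filename and the mtime as timestamp, and adds the checks a deployer would want: strict hex validation of the code, an expiry derived from the mtime, and consumption of the file before the answer is decided so two concurrent verifications cannot both succeed. The codes directory is a temporary directory, the 60-second lifetime and the `remote_login` helper are assumptions, and the code comes from the OS CSPRNG rather than `md5(REMOTE_ADDR . mt_rand())`.

```python
import os
import re
import secrets
import tempfile
import time
from urllib.parse import urlencode

# Constructed stand-in for the codes/ directory the PHP scripts write into
# (assumption: any directory writable by the web server behaves the same).
CODES_DIR = tempfile.mkdtemp(prefix="codes-")
CODE_TTL_SECONDS = 60        # assumption: how long an issued code stays valid
DEFAULT_SERVICE = "http://oacs.url/remote-login"

CODE_RE = re.compile(r"^[0-9a-f]{32}$")


def issue_code(codes_dir=CODES_DIR):
    """Remote side of login.php: mint a one-time code and record it as a file.

    As in the post, the file's mtime is the issue timestamp. The code comes
    from the OS CSPRNG instead of md5(REMOTE_ADDR . mt_rand()), so it cannot
    be narrowed down by guessing the client address and the PRNG state.
    """
    code = secrets.token_hex(16)                     # 32 hex chars, like an md5 digest
    with open(os.path.join(codes_dir, code), "w"):   # equivalent of touch("codes/$code")
        pass
    return code


def build_redirect(code, service=DEFAULT_SERVICE, return_url=None):
    """The Location header login.php sends the browser to."""
    params = {"code": code}
    if return_url:
        params["return_url"] = return_url
    return service + "?" + urlencode(params)


def verify_code(code, codes_dir=CODES_DIR, ttl=CODE_TTL_SECONDS, now=None):
    """Backend verifier (login-verify.php) returning "Ok" or "Fail".

    Beyond the original: the code must be 32 lowercase hex characters (so it
    can never name a path outside codes_dir), it expires ttl seconds after
    the file's mtime, and the file is unlinked before the answer is decided,
    so two concurrent calls with the same code cannot both get "Ok".
    """
    if not isinstance(code, str) or not CODE_RE.match(code):
        return "Fail"
    path = os.path.join(codes_dir, code)
    try:
        issued_at = os.path.getmtime(path)
        os.unlink(path)                   # consume: whichever caller unlinks first wins
    except FileNotFoundError:
        return "Fail"                     # unknown, already used, or lost the race
    current = time.time() if now is None else now
    if current - issued_at > ttl:
        return "Fail"                     # stale code: reject even though it was on disk
    return "Ok"


def remote_login(query_code, verify=verify_code):
    """OACS side of /remote-login?code=...: only create a session on "Ok"."""
    return verify(query_code) == "Ok"


if __name__ == "__main__":
    code = issue_code()
    print("redirect to:", build_redirect(code, return_url="http://app.example/after"))
    print("first use:", remote_login(code))                      # True
    print("replay:", remote_login(code))                         # False
    print("traversal attempt:", verify_code("../" * 10 + "xy"))  # Fail
```

Consuming the file before answering matters because the PHP version checks `file_exists` and then calls `unlink` as two separate steps; a verifier that is not secret, or that OACS calls twice, could otherwise return "Ok" twice for one login. The hex check is what makes the 32-character length test sufficient: without it, a 32-byte string containing `../` would be joined onto the codes path and, if it named an existing file, deleted.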