ad_validate_security_info

ad_validate_security_info { -secure f }

Validates the security info for the current connection, including session and user ID. If -secure t is specified, requires that the security info be secure to be considered valid.

Source code:

arg_parser_for_ad_validate_security_info $args

    
    global ad_conn
     
    if { $ad_conn(sec_validated) == "secure" || ( $secure == "f" && $ad_conn(sec_validated) == "insecure" ) } {
	return 1
    }

    set security_info [util_memoize "sec_get_session_info $ad_conn(session_id)"  [ad_parameter "SessionInfoCacheInterval" "" 600]]
    if { $security_info == "" } {
	set db [ns_db gethandle log]
	ad_assign_session_id $db
	ns_db releasehandle $db
	set security_info [util_memoize "sec_get_session_info $ad_conn(session_id)"  [ad_parameter "SessionInfoCacheInterval" "" 600]]
    }

    set user_id [lindex $security_info 0]
    set token [lindex $security_info 1]
    set secure_token [lindex $security_info 2]
    set last_ip [lindex $security_info 3]
    set last_hit [lindex $security_info 4]

    if { $user_id == "" } {
	set user_id 0
    }

    # We don't compare $last_ip, since some proxies rotate IP addresses. Thanks to lars@pinds.com.

    if { $last_hit + [sec_session_timeout] < [ns_time] || $user_id != $ad_conn(user_id) } {
	# Timeout. Fail, and clear the session ID cookie.
	sec_log "Timed out: clearing session ID cookie"
	sec_clear_session_id_cookie
	return 0
    }

    if { [string compare $token $ad_conn(token)] } {
	# The insecure token doesn't match. Fail, and clear the session ID cookie.
	sec_clear_session_id_cookie
	return 0
    }

    if { $secure == "f" } {
	# Passed with flying colors (for insecure validation).
	set ad_conn(sec_validated) "insecure"
    } else {
	if { ![ad_secure_conn_p] } {
	    # An insecure connection can't be securely validated.
	    return 0
	}

	if { [empty_string_p $secure_token] } {
	    # Secure token not yet assigned. Generate it; also regenerate insecure token.

	    set ad_conn(token) [sec_random_token]
	    set secure_token [sec_random_token]

	    set db [ns_db gethandle log]
	    ns_db dml $db "
                update sec_sessions
                set token = '$ad_conn(token)', secure_token = '$secure_token'
                where session_id = $ad_conn(session_id)
	    "
	    ns_db releasehandle $db
	    util_memoize_seed "sec_get_session_info $ad_conn(session_id)" [list $user_id $ad_conn(token) $secure_token $last_ip $last_hit]

	    sec_generate_session_id_cookie
	    sec_generate_secure_token_cookie $secure_token
	} elseif { [string compare [ns_urldecode [ad_get_cookie "ad_secure_token"]] $secure_token] } {
	    # Secure token doesn't match. Nice try, sucka.
	    sec_clear_session_id_cookie
	    return 0
	}
	set ad_conn(sec_validated) "secure"
    }
    return 1