ad_validate_security_info { -secure f }
What it does:
Validates the security info for the current connection, including session and user ID. If -secure t is specified, the security info must have been validated securely to be considered valid.
Defined in: /web/philip/packages/acs-core/security-procs.tcl
Source code:
# Validates the session/user info recorded in ad_conn against the stored
# session info returned by sec_get_session_info.  Returns 1 when the session
# is valid and 0 when it is not; on most failures the session ID cookie is
# cleared before returning 0.
# -secure f accepts a session that was validated either securely or
# insecurely.  -secure t additionally requires a secure connection and a
# secure token that matches the "ad_secure_token" cookie.
arg_parser_for_ad_validate_security_info $args

global ad_conn

# Fast path: already validated during this request.  A secure validation
# satisfies either mode; an insecure one only satisfies -secure f.
if { $ad_conn(sec_validated) == "secure" || ( $secure == "f" && $ad_conn(sec_validated) == "insecure" ) } {
    return 1
}

# Session info comes from a memoized lookup cached for SessionInfoCacheInterval
# seconds (default 600).  NOTE(review): last_hit below is read from that cached
# value, so the timeout decision can lag the database by up to the cache
# interval — confirm that is intended.
set security_info [util_memoize "sec_get_session_info $ad_conn(session_id)" [ad_parameter "SessionInfoCacheInterval" "" 600]]

if { $security_info == "" } {
    # No stored session for this ID: assign a fresh session ID, then reload
    # the (now different) session info.
    set db [ns_db gethandle log]
    ad_assign_session_id $db
    ns_db releasehandle $db
    set security_info [util_memoize "sec_get_session_info $ad_conn(session_id)" [ad_parameter "SessionInfoCacheInterval" "" 600]]
}

# Positional fields of the session info list.
set user_id [lindex $security_info 0]
set token [lindex $security_info 1]
set secure_token [lindex $security_info 2]
set last_ip [lindex $security_info 3]
set last_hit [lindex $security_info 4]

# A session with no user stores an empty user ID; normalize to 0 so the
# comparison with ad_conn(user_id) below is well-formed.
if { $user_id == "" } {
    set user_id 0
}

# We don't compare $last_ip, since some proxies rotate IP addresses. Thanks to lars@pinds.com.

if { $last_hit + [sec_session_timeout] < [ns_time] || $user_id != $ad_conn(user_id) } {
    # Timeout, or the stored user doesn't match the one on the connection.
    # Fail, and clear the session ID cookie.
    sec_log "Timed out: clearing session ID cookie"
    sec_clear_session_id_cookie
    return 0
}

# string compare returns non-zero when the two strings differ.
# NOTE(review): this is an ordinary (early-exit) comparison, not a
# constant-time one, and unlike the timeout branch above a mismatch here is
# not reported through sec_log.
if { [string compare $token $ad_conn(token)] } {
    # The insecure token doesn't match. Fail, and clear the session ID cookie.
    sec_clear_session_id_cookie
    return 0
}

if { $secure == "f" } {
    # Passed with flying colors (for insecure validation).
    set ad_conn(sec_validated) "insecure"
} else {
    if { ![ad_secure_conn_p] } {
        # An insecure connection can't be securely validated.
        return 0
    }
    if { [empty_string_p $secure_token] } {
        # Secure token not yet assigned. Generate it; also regenerate insecure token.
        set ad_conn(token) [sec_random_token]
        set secure_token [sec_random_token]
        set db [ns_db gethandle log]
        # NOTE(review): the statement is built by string interpolation.  Both
        # tokens come from sec_random_token; session_id is taken from ad_conn —
        # confirm it has been validated (e.g. as an integer) before it is
        # interpolated into the query.
        ns_db dml $db " update sec_sessions set token = '$ad_conn(token)', secure_token = '$secure_token' where session_id = $ad_conn(session_id) "
        ns_db releasehandle $db
        # Reseed the memoized session info so later lookups see the new tokens
        # without waiting for the cache interval to expire.
        util_memoize_seed "sec_get_session_info $ad_conn(session_id)" [list $user_id $ad_conn(token) $secure_token $last_ip $last_hit]
        sec_generate_session_id_cookie
        sec_generate_secure_token_cookie $secure_token
    } elseif { [string compare [ns_urldecode [ad_get_cookie "ad_secure_token"]] $secure_token] } {
        # The secure token cookie doesn't match the stored secure token.
        # Fail, and clear the session ID cookie.
        sec_clear_session_id_cookie
        return 0
    }
    set ad_conn(sec_validated) "secure"
}

return 1