Revision 1457
Added by Dietmar almost 13 years ago
SecureForm.php | ||
---|---|---|
37 | 37 |
$this->_salt = $this->_generate_salt(); |
38 | 38 |
$this->_fingerprint = $this->_generate_fingerprint(); |
39 | 39 |
// generate names for session variables |
40 |
$this->_ftan_name = substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16); |
|
40 |
$this->_ftan_name = |
|
41 |
substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16); |
|
41 | 42 |
// make sure there is a alpha-letter at first position |
42 |
$this->_ftan_name[0] = dechex(10 + (hexdec($this->_ftan_name[0]) % 5));
|
|
43 |
$this->_idkey_name = substr($this->_fingerprint,
|
|
44 |
hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
|
|
43 |
$this->_ftan_name = $this->_makeFirst2Letter($this->_ftan_name);
|
|
44 |
$this->_idkey_name = |
|
45 |
substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
|
|
45 | 46 |
// make sure there is a alpha-letter at first position |
46 |
$this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
|
|
47 |
$this->_idkey_name = $this->_makeFirst2Letter($this->_idkey_name);
|
|
47 | 48 |
// takeover id_keys from session if available |
48 | 49 |
if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name])) |
49 | 50 |
{ |
... | ... | |
54 | 55 |
} |
55 | 56 |
} |
56 | 57 |
|
58 |
private function _makeFirst2Letter($string) |
|
59 |
{ |
|
60 |
$string[0] = dechex(10 + (hexdec($string[0]) % 5)); |
|
61 |
return $string; |
|
62 |
} |
|
63 |
|
|
57 | 64 |
private function _generate_salt() |
58 | 65 |
{ |
59 | 66 |
if(function_exists('microtime')) |
... | ... | |
79 | 86 |
$fingerprint .= PHP_VERSION; |
80 | 87 |
// client depending values |
81 | 88 |
$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17'; |
82 |
$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0;
|
|
89 |
$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? (intval(FINGERPRINT_WITH_IP_OCTETS) % 5) : 2;
|
|
83 | 90 |
$clientIp = ( isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '' ); |
84 | 91 |
if(($clientIp != '') && ($usedOctets > 0)){ |
85 | 92 |
$ip = explode('.', $clientIp); |
... | ... | |
96 | 103 |
{ |
97 | 104 |
$ftan = md5($tanPart . $this->_fingerprint); |
98 | 105 |
$name = substr($ftan, -(16 + hexdec($ftan[0])), 16); |
99 |
$name[0] = dechex(10 + (hexdec($name[0]) % 5));
|
|
106 |
$name = $this->_makeFirst2Letter($name);
|
|
100 | 107 |
$value = substr($ftan, hexdec($ftan[strlen($ftan)-1]), 16); |
101 | 108 |
return array( $name, $value); |
102 | 109 |
} |
103 |
/* |
|
110 |
/**
|
|
104 | 111 |
* creates Formular transactionnumbers for unique use |
105 |
* @access public |
|
106 |
* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default) |
|
107 |
* false returns an GET argument 'key=value' |
|
108 |
* @return mixed: array or string |
|
109 | 112 |
* |
113 |
* @return void |
|
110 | 114 |
* requirements: an active session must be available |
111 | 115 |
*/ |
112 |
final public function getFTAN( $as_tag = true)
|
|
116 |
final protected function createFTAN()
|
|
113 | 117 |
{ |
114 | 118 |
if( $this->_FTAN == '') |
115 | 119 |
{ // if no FTAN exists, create new one from time and salt |
116 | 120 |
$this->_FTAN = md5($this->_fingerprint.$this->_salt); |
117 | 121 |
$_SESSION[$this->_ftan_name] = $this->_FTAN; // store FTAN into session |
118 | 122 |
} |
123 |
} |
|
124 |
/* |
|
125 |
* returns the current FTAN |
|
126 |
* @access public |
|
127 |
* @param bool $mode: true or POST returns a complete prepared, hidden HTML-Input-Tag (default) |
|
128 |
* false or GET returns an GET argument 'key=value' |
|
129 |
* @return mixed: array or string |
|
130 |
*/ |
|
131 |
final public function getFTAN( $mode = 'POST') |
|
132 |
{ |
|
119 | 133 |
$ftan = $this->_calcFtan($this->_FTAN); |
120 |
if($as_tag == true)
|
|
134 |
if((is_string($mode) && strtolower($mode) == 'post') || ($mode === true))
|
|
121 | 135 |
{ // by default return a complete, hidden <input>-tag |
122 | 136 |
return '<input type="hidden" name="'.$ftan[0].'" value="'.$ftan[1].'" title="" alt="" />'; |
123 |
}else{ // return an array with raw FTAN0 and FTAN1
|
|
137 |
}else{ // return an string with GET params (FTAN0=FTAN1)
|
|
124 | 138 |
return $ftan[0].'='.$ftan[1]; |
125 | 139 |
} |
126 | 140 |
} |
... | ... | |
137 | 151 |
final public function checkFTAN( $mode = 'POST') |
138 | 152 |
{ |
139 | 153 |
$retval = false; |
140 |
if(isset($_SESSION[$this->_ftan_name]) && |
|
141 |
(strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy')))) |
|
154 |
if(isset($_SESSION[$this->_ftan_name])) |
|
142 | 155 |
{ |
143 |
$ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]); |
|
144 |
unset($_SESSION[$this->_ftan_name]); |
|
145 |
$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST'); |
|
146 |
if( isset($GLOBALS[$mode][$ftan[0]])) |
|
156 |
if( $_SESSION[$this->_ftan_name] && (strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy')))) |
|
147 | 157 |
{ |
148 |
$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]); |
|
149 |
unset($GLOBALS[$mode][$ftan[0]]); |
|
158 |
$ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]); |
|
159 |
unset($_SESSION[$this->_ftan_name]); |
|
160 |
$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST'); |
|
161 |
if( isset($GLOBALS[$mode][$ftan[0]])) |
|
162 |
{ |
|
163 |
$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]); |
|
164 |
unset($GLOBALS[$mode][$ftan[0]]); |
|
165 |
} |
|
150 | 166 |
} |
151 | 167 |
} |
152 | 168 |
return $retval; |
... | ... | |
211 | 227 |
default: |
212 | 228 |
$key = $fieldname; |
213 | 229 |
} |
230 |
|
|
214 | 231 |
if( preg_match('/[0-9a-f]{16}$/', $key) ) |
215 | 232 |
{ // key must be a 16-digit hexvalue |
216 | 233 |
if( array_key_exists($key, $this->_IDKEYs)) |
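Review bot: The token check at new line 163, `$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);`, compares a user-supplied value with loose `==`, so PHP's numeric-string coercion applies: the expected value is a raw 16-hex-char slice of an md5 (unlike the name it is not passed through `_makeFirst2Letter`, so it can start with a digit), and whenever it happens to have the form `0e` followed by digits, any submitted `0e<digits>` string compares equal. The odds per check are small, but the fix is a one-liner with no downside: `$retval = is_string($GLOBALS[$mode][$ftan[0]]) && hash_equals($ftan[1], $GLOBALS[$mode][$ftan[0]]);`, which also makes the comparison constant-time; if the project still has to run on PHP older than 5.6, `===` after the `is_string()` guard is the minimum. The same line existed unchanged at old line 148, so this is a pre-existing issue the restructuring carries forward rather than one the commit introduces. `checkFTAN()` starts at line 151 inside this section, but its closing brace lies outside the shown hunk.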
Preparing 2.8.2 stable, last tests