Can someone explain how the author_token session variable works? The comments in the code merely say "Check author token to insure session not hijacked". We're trying to implement a new authentication scheme which requires an intermediate login page, and it seems Serendipity is creating a session, then destroying it because of the author_token value.
So a little general theory on how it's supposed to work would be very helpful!
Charles Hall
author_token?
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: author_token?
Hi!
Sure, even though the description sounds more secure than what it actually prevents.
author_token is set once as a cookie in the browser of the user, as well as inside a session variable on the server. It needs to have the same value, so that when someone (man in the middle) is able to get the user's cookie, it will be invalidated if it does not match the same hash that is stored on the server in the session.
This assumes that session IDs are propagated not in the cookie but by some other means (s9y uses default PHP session handling, so you could overwrite it to use different session id handling schemes). If the session id is in the same cookie as the author_token, it doesn't really help.
So in your case you should simply issue an author_token cookie value AND a session variable with the same content in your own authentication scheme, and it shouldn't interfere.
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
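The cookie-plus-session pairing Garvin describes, written out as an added example. This is not Serendipity's own code; the function names, the cookie name `author_token` and the redirect target `/login.php` are assumptions made for the illustration, and it assumes PHP 7.3 or later for the array form of `setcookie()`. The issue step belongs in the same response that marks the user as logged in, otherwise the very next request finds a session with no matching cookie and tears it down, which is what the intermediate login page in the question appears to be running into.

```php
<?php
// Added illustration of the author_token scheme described in the thread.
// NOT Serendipity's own code; names below are assumptions for the example.

// Call once, in the response that establishes the logged-in state.
function issue_author_token(): void
{
    // Rotate the session id on login so an id an attacker planted before
    // login (session fixation) is not carried into the authenticated session.
    session_regenerate_id(true);

    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $_SESSION['author_token'] = $token;      // server-side copy

    // Browser-side copy. httponly keeps script from reading it; secure keeps
    // it off plain HTTP so it cannot simply be sniffed in transit.
    setcookie('author_token', $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Pure comparison, separated out so it can be tested without a live session.
function author_token_matches(array $session, array $cookies): bool
{
    if (!isset($session['author_token'], $cookies['author_token'])) {
        return false;
    }
    // Constant-time compare: a plain === leaks how many leading bytes match.
    return hash_equals($session['author_token'], (string) $cookies['author_token']);
}

// Call on every request before trusting the login state held in $_SESSION.
function require_author_token(): void
{
    if (!author_token_matches($_SESSION, $_COOKIE)) {
        // Cookie and server copy disagree: treat the session as hijacked.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');   // assumed login URL
        exit;
    }
}
```

The caveat from the answer applies unchanged: with default PHP session handling the session id arrives in the PHPSESSID cookie, so whoever steals the cookie jar gets both values together and the check adds nothing. It only buys something when the session id travels by another route than the cookie, which is why the example is careful to keep the token in its own cookie rather than folding it into the session id.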