source: temp/test-xoops.ec-cube.net/html/class/token.php @ 405

1<?php
2// $Id: token.php,v 1.1.2.8.2.1 2005/06/11 02:50:10 onokazu Exp $
3
// Default lifetime handed to XoopsToken when the caller passes none (0 = unlimited).
define('XOOPS_TOKEN_TIMEOUT', 0);
// Every token's request-parameter name starts with this prefix.
define('XOOPS_TOKEN_PREFIX', 'XOOPS_TOKEN_');

// Fallback salt when the including environment has not defined one. It is
// derived from installation settings, so it is stable per site but only as
// hard to guess as those settings are — NOTE(review): not a secret-grade value.
if (!defined('XOOPS_SALT')) {
    define('XOOPS_SALT', substr(md5(XOOPS_DB_PREFIX . XOOPS_DB_USER . XOOPS_ROOT_PATH), 5, 8));
}

// $_SESSION keys under which the single- and multi-token handlers keep tokens.
define('XOOPS_TOKEN_SESSION_STRING', 'X2_TOKEN');
define('XOOPS_TOKEN_MULTI_SESSION_STRING', 'X2_MULTI_TOKEN');

define('XOOPS_TOKEN_DEFAULT', 'XOOPS_TOKEN_DEFAULT');
14
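/**
 * This class express token. this has name, token's string for inquiry,
 * lifetime, serial number. this does not have direct validation method,
 * therefore this does not depend on $_Session and $_Request.
 *
 * You can refer to a handler class for this token. this token class
 * means ticket, and handler class means ticket agent. there is a strict
 * ticket agent type(XoopsSingleTokenHandler), and flexible ticket agent
 * for the tab browser(XoopsMultiTokenHandler).
 *
 * Properties stay public (the PHP4 `var` equivalent): the handlers read
 * $_name_ directly, and instances are serialized into $_SESSION, whose
 * stored shape would change if properties became private/protected.
 */
class XoopsToken
{
    /**
     * token's name. this is used for identification.
     * @access protected
     */
    public $_name_;

    /**
     * token's string for inquiry. this should be a random code for security.
     * @access private
     */
    public $_token_;

    /**
     * the unixtime until which this token is effective (0 when unlimited).
     *
     * @access protected
     */
    public $_lifetime_;

    /**
     * unlimited flag. if this is true, this token is not limited in lifetime.
     */
    public $_unlimited_;

    /**
     * serial number. this is used to tell apart tokens that share a name.
     *
     * @access private
     */
    public $_number_ = 0;

    /**
     * @param   string  $name     this token's name string.
     * @param   int     $timeout  effective time in seconds (0 makes the token unlimited)
     */
    public function __construct($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        $this->_name_ = $name;

        // Any non-zero timeout (including a negative one) yields a bounded lifetime.
        if ($timeout) {
            $this->_lifetime_ = time() + $timeout;
            $this->_unlimited_ = false;
        } else {
            $this->_lifetime_ = 0;
            $this->_unlimited_ = true;
        }

        $this->_token_ = $this->_generateToken();
    }

    /**
     * PHP4-style constructor kept as an alias for code that calls it by name;
     * PHP 8 no longer treats a method named after the class as a constructor.
     *
     * @param   string  $name
     * @param   int     $timeout
     */
    public function XoopsToken($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        $this->__construct($name, $timeout);
    }

    /**
     * Returns an unpredictable string for the token's value.
     *
     * Uses the CSPRNG instead of md5() over the salt, the name and a
     * rand()/uniqid() pair seeded from microtime(): output derived from a
     * clock-seeded rand() is guessable, which defeats the token's purpose.
     * The result is still 32 lowercase hex characters, the same shape as the
     * former md5() output, so stored tokens and callers are unaffected.
     *
     * @access protected
     * @return string
     * @throws \Exception if no secure randomness source is available
     */
    public function _generateToken()
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Returns this token's name as used in the request: prefix, name and
     * serial number joined with "_".
     *
     * @access public
     * @return string
     */
    public function getTokenName()
    {
        return XOOPS_TOKEN_PREFIX . $this->_name_ . '_' . $this->_number_;
    }

    /**
     * Returns this token's string.
     *
     * @access public
     * @return  string
     */
    public function getTokenValue()
    {
        return $this->_token_;
    }

    /**
     * Set this token's serial number.
     *
     * @access public
     * @param   int $serial_number  serial number
     */
    public function setSerialNumber($serial_number)
    {
        $this->_number_ = $serial_number;
    }

    /**
     * Returns this token's serial number.
     *
     * @access public
     * @return  int
     */
    public function getSerialNumber()
    {
        return $this->_number_;
    }

    /**
     * Returns hidden tag string that includes this token. you can use it
     * for <form> tag's member.
     *
     * Both attribute values are HTML-escaped (the name is caller supplied);
     * the former "@" suppression on sprintf() is dropped.
     *
     * @access public
     * @return  string
     */
    public function getHtml()
    {
        return sprintf(
            '<input type="hidden" name="%s" value="%s" />',
            htmlspecialchars($this->getTokenName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            htmlspecialchars($this->getTokenValue(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }

    /**
     * Returns url string that includes this token. you can use it for
     * hyper link. Note that the name is not URL-encoded here; the value is
     * plain hex and needs no encoding.
     *
     * @return  string
     */
    public function getUrl()
    {
        return $this->getTokenName() . '=' . $this->getTokenValue();
    }

    /**
     * If $token equals this token's string and the token has not expired,
     * true is returned.
     *
     * hash_equals() replaces "==": loose comparison treats two numeric-looking
     * strings (e.g. hex values of the form "0e123...") as numbers, so distinct
     * tokens could compare equal; hash_equals() is also constant-time.
     *
     * @param   string|null $token  value taken from the request
     * @return  bool
     */
    public function validate($token = null)
    {
        if (!is_string($token) || !is_string($this->_token_)) {
            return false;
        }
        if (!hash_equals($this->_token_, $token)) {
            return false;
        }
        return $this->_unlimited_ || time() <= $this->_lifetime_;
    }
}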
168
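/**
 * This class express ticket agent and ticket collector. this publishes
 * token, keeps a token to server to check it later(next request).
 *
 * You can create various agents by extending the derivative class. see
 * default(sample) classes.
 */
class XoopsTokenHandler
{
    /**
     * Prefix prepended to the token name when building the session key.
     * @access private
     */
    public $_prefix = '';

    /**
     * Create XoopsToken instance, register it (keep it on the server) and return it.
     *
     * @access public
     * @param   string  $name     this token's name string.
     * @param   int     $timeout  effective time (0 makes the token unlimited)
     * @return  XoopsToken
     */
    public function &create($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        // "=& new" is a parse error from PHP 7 on; objects are handles anyway.
        $token = new XoopsToken($name, $timeout);
        $this->register($token);
        return $token;
    }

    /**
     * Fetches a registered token from the session and returns it
     * (null when no token of that name is registered).
     *
     * @access public
     * @param   string  $name   token's name string.
     * @return XoopsToken|null
     */
    public function &fetch($name)
    {
        $ret = null;
        $key = $this->_prefix . $name;
        if (isset($_SESSION[XOOPS_TOKEN_SESSION_STRING][$key])) {
            $ret =& $_SESSION[XOOPS_TOKEN_SESSION_STRING][$key];
        }
        return $ret;
    }

    /**
     * Register token to session (keyed by prefix + token name).
     *
     * @param   XoopsToken  $token
     */
    public function register(&$token)
    {
        $_SESSION[XOOPS_TOKEN_SESSION_STRING][$this->_prefix . $token->_name_] = $token;
    }

    /**
     * Unregister token from session.
     *
     * @param   XoopsToken  $token
     */
    public function unregister(&$token)
    {
        unset($_SESSION[XOOPS_TOKEN_SESSION_STRING][$this->_prefix . $token->_name_]);
    }

    /**
     * If a token of the name that equal $name is registered on session,
     * this method will return true.
     *
     * @access  public
     * @param   string  $name   token's name string.
     * @return  bool
     */
    public function isRegistered($name)
    {
        return isset($_SESSION[XOOPS_TOKEN_SESSION_STRING][$this->_prefix . $name]);
    }

    /**
     * This method takes out token's string from Request, and validate
     * token with it. if it passed validation, this method will return true.
     *
     * NOTE: $_REQUEST merges GET, POST and, depending on request_order, COOKIE,
     * so the token is accepted from any of those sources; a caller that needs
     * a POST-only check must read $_POST itself before calling this.
     *
     * @access  public
     * @param   XoopsToken  $token
     * @param   bool        $clearIfValid   If token passed validation, $token will be unregistered.
     * @return  bool
     */
    public function validate(&$token, $clearIfValid)
    {
        $name = $token->getTokenName();
        // A non-string value (e.g. "name[]=..." producing an array) cannot be a token.
        if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name])) {
            return false;
        }
        $req_token = trim($_REQUEST[$name]);
        if ($req_token === '') {
            return false;
        }
        if (!$token->validate($req_token)) {
            return false;
        }
        if ($clearIfValid) {
            $this->unregister($token);
        }
        return true;
    }
}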
267
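/**
 * Strict ticket agent: exactly one token per name is kept in the session.
 */
class XoopsSingleTokenHandler extends XoopsTokenHandler
{
    /**
     * Fetches the token named $name from the session and validates it
     * against the request; false when no such token is registered.
     *
     * @param   string  $name
     * @param   bool    $clearIfValid  unregister the token once it validates
     * @return  bool
     */
    public function autoValidate($name, $clearIfValid = true)
    {
        $token = $this->fetch($name);
        if ($token) {
            return $this->validate($token, $clearIfValid);
        }
        return false;
    }

    /**
     * static method (now declared so; PHP 8 rejects static calls to
     * non-static methods).
     * This method was created for quick protection of default modules.
     * this method will be deleted in the near future.
     * @deprecated
     * @param   string  $name
     * @param   int     $timeout
     * @return  XoopsToken
     */
    public static function &quickCreate($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        $handler = new XoopsSingleTokenHandler();
        $ret = $handler->create($name, $timeout);
        return $ret;
    }

    /**
     * static method.
     * This method was created for quick protection of default modules.
     * this method will be deleted in the near future.
     * @deprecated
     * @param   string  $name
     * @param   bool    $clearIfValid
     * @return bool
     */
    public static function quickValidate($name, $clearIfValid = true)
    {
        $handler = new XoopsSingleTokenHandler();
        return $handler->autoValidate($name, $clearIfValid);
    }
}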
305
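/**
 * This class publishes tokens of the same name with differing serial
 * numbers, so several tabs of one browser can each hold a valid token.
 */
class XoopsMultiTokenHandler extends XoopsTokenHandler
{
    /**
     * Create a token, give it the next free serial number for $name,
     * register it in the session and return it.
     *
     * @param   string  $name
     * @param   int     $timeout  effective time (0 makes the token unlimited)
     * @return  XoopsToken
     */
    public function &create($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        $token = new XoopsToken($name, $timeout);
        $token->setSerialNumber($this->getUniqueSerial($name));
        $this->register($token);
        return $token;
    }

    /**
     * Fetches the token with the given name and serial number from the
     * session (null when absent).
     *
     * $serial_number is optional only so the signature stays compatible with
     * XoopsTokenHandler::fetch($name), which PHP 8 enforces; without it
     * nothing is found.
     *
     * @param   string    $name
     * @param   int|null  $serial_number
     * @return  XoopsToken|null
     */
    public function &fetch($name, $serial_number = null)
    {
        $ret = null;
        if ($serial_number === null) {
            return $ret;
        }
        $key = $this->_prefix . $name;
        if (isset($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$key][$serial_number])) {
            $ret =& $_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$key][$serial_number];
        }
        return $ret;
    }

    /**
     * Register token to session, keyed by prefix + name and then serial number.
     *
     * @param   XoopsToken  $token
     */
    public function register(&$token)
    {
        $_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$this->_prefix . $token->_name_][$token->getSerialNumber()] = $token;
    }

    /**
     * Unregister token from session.
     *
     * @param   XoopsToken  $token
     */
    public function unregister(&$token)
    {
        unset($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$this->_prefix . $token->_name_][$token->getSerialNumber()]);
    }

    /**
     * True if a token with this name and serial number is registered.
     * ($serial_number is optional for signature compatibility with the parent.)
     *
     * @param   string    $name
     * @param   int|null  $serial_number
     * @return  bool
     */
    public function isRegistered($name, $serial_number = null)
    {
        if ($serial_number === null) {
            return false;
        }
        return isset($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$this->_prefix . $name][$serial_number]);
    }

    /**
     * Finds the serial number the request carries for $name, fetches that
     * token and validates it; false when none is present or registered.
     *
     * @param   string  $name
     * @param   bool    $clearIfValid
     * @return  bool
     */
    public function autoValidate($name, $clearIfValid = true)
    {
        $serial_number = $this->getRequestNumber($name);
        if ($serial_number === null) {
            return false;
        }
        $token = $this->fetch($name, $serial_number);
        if (!$token) {
            return false;
        }
        return $this->validate($token, $clearIfValid);
    }

    /**
     * static method (now declared so; PHP 8 rejects static calls to
     * non-static methods).
     * This method was created for quick protection of default modules.
     * this method will be deleted in the near future.
     * @deprecated
     * @param   string  $name
     * @param   int     $timeout
     * @return  XoopsToken
     */
    public static function &quickCreate($name, $timeout = XOOPS_TOKEN_TIMEOUT)
    {
        $handler = new XoopsMultiTokenHandler();
        $ret = $handler->create($name, $timeout);
        return $ret;
    }

    /**
     * static method.
     * This method was created for quick protection of default modules.
     * this method will be deleted in the near future.
     * @deprecated
     * @param   string  $name
     * @param   bool    $clearIfValid
     * @return bool
     */
    public static function quickValidate($name, $clearIfValid = true)
    {
        $handler = new XoopsMultiTokenHandler();
        return $handler->autoValidate($name, $clearIfValid);
    }

    /**
     * Looks through the request parameter names for one of the form
     * XOOPS_TOKEN_<name>_<serial> and returns the serial, or null if none.
     *
     * The name is passed through preg_quote() and the pattern is anchored:
     * a name containing regex metacharacters, or a key that merely contains
     * the prefix somewhere in the middle, no longer matches.
     *
     * @param   string  $name
     * @return  int|null
     */
    public function getRequestNumber($name)
    {
        $pattern = '/^' . preg_quote(XOOPS_TOKEN_PREFIX . $name . '_', '/') . '(\d+)$/';
        foreach (array_keys($_REQUEST) as $key) {
            if (preg_match($pattern, (string) $key, $match)) {
                return (int) $match[1];
            }
        }

        return null;
    }

    /**
     * Returns the lowest serial number not yet used for $name in the session.
     *
     * Looks under prefix + name, the same key register() writes to; the old
     * code looked under the bare name, so with a non-empty $_prefix it always
     * returned 0 and each create() overwrote the previous token.
     *
     * @param   string  $name
     * @return  int
     */
    public function getUniqueSerial($name)
    {
        $key = $this->_prefix . $name;
        if (!isset($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$key])
            || !is_array($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$key])) {
            return 0;
        }

        $serial = 0;
        while (isset($_SESSION[XOOPS_TOKEN_MULTI_SESSION_STRING][$key][$serial])) {
            $serial++;
        }
        return $serial;
    }
}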
409?>