[mms] Add nonce generation/checking to Horde_Session.

horde · Nov 4, 2013 · 1377d0c · 1377d0c
1 parent 4c37be8
commit 1377d0c
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/framework/Core/lib/Horde/Session.php b/framework/Core/lib/Horde/Session.php
@@ -46,6 +46,7 @@ class Horde_Session
     const NOT_SERIALIZED = 0;
     const IS_SERIALIZED = 1;
 
+    const NONCE_ID = 'session_nonce'; /* @since 2.11.0 */
     const TOKEN_ID = 'session_token';
 
     /**
@@ -538,6 +539,46 @@ public function checkToken($token)
         }
     }
 
+    /* Session nonces. */
+
+    /**
+     * Returns a single-use, session nonce.
+     *
+     * @since 2.11.0
+     *
+     * @return string  Session nonce.
+     */
+    public function getNonce()
+    {
+        $id = strval(new Horde_Support_Randomid());
+
+        $nonces = $this->get('horde', self::NONCE_ID, self::TYPE_ARRAY);
+        $nonces[] = $id;
+        $this->set('horde', self::NONCE_ID, array_values($nonces));
+
+        return $id;
+    }
+
+    /**
+     * Checks the validity of the session nonce.
+     *
+     * @since 2.11.0
+     *
+     * @param string $nonce  Nonce to check.
+     *
+     * @throws Horde_Exception
+     */
+    public function checkNonce($nonce)
+    {
+        $nonces = $this->get('horde', self::NONCE_ID, self::TYPE_ARRAY);
+        if (($pos = array_search($nonce, $nonces)) === false) {
+            throw new Horde_Exception('Invalid token!');
+        }
+        unset($nonces[$pos]);
+        $this->set('horde', self::NONCE_ID, array_values($nonces));
+    }
+
+
     /* Session object storage. */
 
     /**

diff --git a/framework/Core/package.xml b/framework/Core/package.xml
@@ -39,6 +39,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
  <notes>
+* [mms] Add nonce generation/checking to Horde_Session.
 * [mms] Application hook methods moved from Horde:: to Horde_Core_Hooks::.
 * [mms] Add &apos;fallback&apos; option for the Horde_Registry#appInit() &apos;authentication&apos; parameter.
 * [mms] Fix deauthenticating when a system-level logout event occurs.
@@ -3226,6 +3227,7 @@
    <date>2013-10-29</date>
    <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
    <notes>
+* [mms] Add nonce generation/checking to Horde_Session.
 * [mms] Application hook methods moved from Horde:: to Horde_Core_Hooks::.
 * [mms] Add &apos;fallback&apos; option for the Horde_Registry#appInit() &apos;authentication&apos; parameter.
 * [mms] Fix deauthenticating when a system-level logout event occurs.