
Create and use a 'state' FILE instead of $_SESSION in SendOauth2D


@decomplexity decomplexity released this 24 Mar 20:34
· 78 commits to main since this release
9f9db3a

A 'nonce' state token is used between the first and second passes of SendOauth2D to pre-empt a CSRF vulnerability.
But an intermittent 'invalid state' error was occurring on the first pass of SendOauth2D, where the $state value set did not agree with the one stored in $_SESSION. It appeared that session_id() was returning empty even though the browser had a suitable PHPSESSID cookie. A session_write_close() was added just before the first pass ended with a call to the provider's authentication, to try to prevent a possible race condition (SendOauth2D, via SendOauth2D-invoke, is re-entrant). But this was not always effective when the browser had multiple tabs open, so instead of using a 'state' stored in $_SESSION, SendOauth2D now writes the state to a local file on the first pass, reads it on the re-entrant pass and then deletes the file.
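The following is an added illustration of the file-backed 'state' mechanism described above; it is not SendOauth2D's own code. It goes one step further than the release note: instead of a single state file it writes one file per issued token (named by a hash of the token), which is what keeps several browser tabs from overwriting each other's state. The directory path, the 600-second lifetime and the `getAuthorizationUrl()` call (league/oauth2-client style) are assumptions for the example.

```php
<?php
// Added example, not SendOauth2 project code: a file-backed OAuth2 'state' nonce
// that does not rely on $_SESSION. Directory and TTL below are assumptions.

final class FileStateStore
{
    private string $dir;
    private int $ttl;

    public function __construct(string $dir, int $ttl = 600)
    {
        $this->dir = rtrim($dir, '/');
        $this->ttl = $ttl;
        if (!is_dir($this->dir) && !mkdir($this->dir, 0700, true)) {
            throw new RuntimeException('cannot create state directory');
        }
    }

    /** First pass: create a fresh nonce, persist it, return it for the authorization URL. */
    public function issue(): string
    {
        $state = bin2hex(random_bytes(32));       // 256-bit unguessable nonce
        $path  = $this->pathFor($state);
        // Exclusive create ('x' mode fails if the file already exists), so a collision is detected.
        $fh = @fopen($path, 'x');
        if ($fh === false) {
            throw new RuntimeException('state file already exists');
        }
        fwrite($fh, (string) time());             // store the issue time for expiry checks
        fclose($fh);
        chmod($path, 0600);
        return $state;
    }

    /** Re-entrant pass: accept the state exactly once, then delete it. */
    public function consume(string $state): bool
    {
        // Only accept the exact shape we issued, so the value can never influence the path.
        if (!preg_match('/^[0-9a-f]{64}$/', $state)) {
            return false;
        }
        $path = $this->pathFor($state);
        if (!is_file($path)) {
            return false;                         // unknown, already used, or forged state
        }
        $issued = (int) file_get_contents($path);
        unlink($path);                            // single use: delete before deciding
        return (time() - $issued) <= $this->ttl;  // reject stale tokens
    }

    /** Remove expired state files left behind by flows that never came back. */
    public function sweep(): int
    {
        $removed = 0;
        foreach (glob($this->dir . '/*.state') ?: [] as $file) {
            if (time() - (int) file_get_contents($file) > $this->ttl && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }

    private function pathFor(string $state): string
    {
        // The file name is a hash of the token, so the token itself is never written to disk.
        return $this->dir . '/' . hash('sha256', $state) . '.state';
    }
}

// First pass (before redirecting to the provider). The directory is assumed to sit outside the web root.
$store = new FileStateStore(__DIR__ . '/../private/oauth2-state');
$state = $store->issue();
// $provider is assumed to be a league/oauth2-client provider instance.
// $authUrl = $provider->getAuthorizationUrl(['state' => $state]);
// header('Location: ' . $authUrl); exit;

// Re-entrant pass (provider redirected back with ?code=...&state=...).
if (!$store->consume($_GET['state'] ?? '')) {
    http_response_code(400);
    exit('invalid state');
}
```

Because each token has its own file and is deleted on first use, a second tab's authorization flow cannot invalidate the first, a replayed callback is rejected, and an abandoned flow leaves only a file that `sweep()` removes once the lifetime has passed.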