Item14506: Minor rearranging

getTokenCredentials should return a username not a cUID
gac410 committed Nov 25, 2017
1 parent eddde6d commit 7926502670a548f846abebc53e363c5f21dcf14a
Showing with 15 additions and 10 deletions.
  1. +15 −10 core/lib/Foswiki/LoginManager.pm
@@ -361,8 +361,6 @@ sub loadSession {
my $tokenUser = $this->_getTokenCredentials($session);
if ($tokenUser) {
$tokenUser =
$session->{users}->getLoginName($tokenUser); # Returns a cUID
_trace( $this,
"Replacing current user with $tokenUser from authtoken" );
$this->{_cgisession}->clear('SUDOFROMAUTHUSER');
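Review bot: the removed conversion carried the comment "# Returns a cUID", which was the opposite of what `getLoginName` returns, so dropping it here is correct; now that the cUID-to-login-name mapping has moved into `_getTokenCredentials`, every remaining caller of that function must expect a login name rather than a cUID, and the trace "Replacing current user with $tokenUser from authtoken" is now accurate only under that assumption, so it is worth confirming there are no other call sites still treating the result as a cUID.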
@@ -467,7 +465,7 @@ $Foswiki::cfg{WorkingDir}/tmp/authtoken_$tokenid
The token credentials are obtained from the file system using Storable.
Note: The cUID contained in the token will be granted access, even if the user is
not known to the Password Manager / Mapper.
not known to the Password Manager / Mapper.
=cut
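Review bot: the removed and added lines in this hunk read identically, so the change appears to be whitespace-only; since this is the documentation block for `_getTokenCredentials`, it would be the right place to also state that the function now returns the login name mapped from the token's cUID (the next hunk changes exactly that), because "The cUID contained in the token will be granted access" no longer describes what the caller receives.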
@@ -496,8 +494,11 @@ sub _getTokenCredentials {
my $expires = $tokenhash->{expires};
if ( !defined $expires || $expires > time() ) {
$authUser = $tokenhash->{cUID};
_trace( $this, "User $authUser accepted from auth token" );
$authUser =
$session->{users}->getLoginName( $tokenhash->{cUID} );
_trace( $this,
"User $authUser (cUID $tokenhash->{cUID}) accepted from auth token"
);
# create new session if necessary
unless ( $this->{_cgisession} ) {
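Review bot: the new `$authUser = $session->{users}->getLoginName( $tokenhash->{cUID} );` can leave `$authUser` undefined when the mapper does not know the cUID, which the POD in the previous hunk explicitly says is an accepted case ("granted access, even if the user is not known to the Password Manager / Mapper"); before this change the raw cUID was used unconditionally, so this is a behaviour change and `$authUser` should either be checked for `defined` before the trace and session creation or fall back to `$tokenhash->{cUID}`, with the documented contract updated to match whichever is intended.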
@@ -889,8 +890,12 @@ sub complete {
---++ StaticMethod expireDeadSessions()
Delete sessions and passthrough files that are sitting around but are really expired.
This *assumes* that the sessions are stored as files.
Delete stale sessions, passthrough and tokenauth files that are sitting around but are really expired.
This *assumes* that the sessions are stored as files. It uses the file timestamp
to determine if the session is expired.
The setting ={Sessions}{ExpireAfter}= time as used as a universal expiration time. Typically,
expiration of tokenauth files will be much shorter.
This is a static method, but requires Foswiki::cfg. It is designed to be
run from a session or from a cron job.
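Review bot: "The setting ={Sessions}{ExpireAfter}= time as used as a universal expiration time" should read "is used as"; the following sentence, "Typically, expiration of tokenauth files will be much shorter", is also ambiguous about which lifetime wins, since the last hunk documents tokens as valid for `$Foswiki::cfg{Login}{TokenLifetime}` (default 15 minutes) while this cleanup keys purely on file timestamps against `{Sessions}{ExpireAfter}`; one sentence saying that the token's own expiry is enforced at use time and this method only removes files older than ExpireAfter would make that explicit.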
@@ -1765,13 +1770,13 @@ As this can be used to bypass password authentication, it is critical that the
token is sent to the user using a highly trusted channel.
Note: The cUID contained in the token will be granted access, even if the user is
not known to the Password Manager / Mapper. The caller of this function should
not known to the Password Manager / Mapper. The caller of this function should
ensure that the user exists before creating the token.
Valid time in minutes, defaults to 15 minutes, as configured in $Foswiki::cfg{Login}{TokenLifetime}
Valid time in minutes, defaults to 15 minutes, as configured in $Foswiki::cfg{Login}{TokenLifetime}
The $sessionVars hash is used to set Session Variables. Options hash currently includes:
$ FOSWIKI_TOPICRESTRICTION => "Web.Topic": Access will be redirected to this topic
$ FOSWIKI_TOPICRESTRICTION => "Web.Topic": Access will be redirected to this topic
When the user accesses the site and presents the authentication token, the data is loaded and
deleted to prevent reuse. Expiration is checked, and if still valid, a new session is established
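Review bot: the three changed lines in this hunk are identical before and after, so this is presumably trailing-whitespace cleanup; while touching this block, the sentence "The cUID contained in the token will be granted access, even if the user is not known to the Password Manager / Mapper" should be revised, because with the change to `_getTokenCredentials` in this commit the cUID is now passed through `getLoginName` when the token is consumed, so the advice that "The caller of this function should ensure that the user exists before creating the token" has become a requirement rather than a recommendation.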