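def check_auth_cookie(cookie_name):
    """Validate the auth cookie *cookie_name* and return the user it names.

    Parsing and verification of the cookie are delegated to parse_auth_cookie
    and check_parsed_auth_cookie (defined elsewhere in the module; a bad
    cookie is expected to raise there rather than return). Two session
    policies are then enforced on top of that:

      - the idle timeout (userdb.login_timed_out), and
      - single user session mode (config.single_user_session): the request
        must carry the user's currently active session id.

    A cookie that passes both checks is renewed. Unless the current page is
    user_change_pw, a pending password-change requirement redirects the user
    to user_change_pw.py first.

    Args:
        cookie_name: name of the auth cookie to read and, on success, renew.

    Returns:
        The authenticated username, or None when the login has timed out or
        the request is not the user's active session; in both None cases the
        auth cookie is deleted so the user has to log in again.
    """
    username, issue_time, cookie_hash = parse_auth_cookie(cookie_name)
    check_parsed_auth_cookie(username, issue_time, cookie_hash)

    # Idle timeout exceeded: drop the cookie and require a fresh login.
    if userdb.login_timed_out(username, issue_time):
        del_auth_cookie()
        return None

    # 'is not None' rather than '!= None': this is a presence check, and
    # identity comparison is the correct test for None.
    if config.single_user_session is not None:
        session_id = get_session_id_from_cookie(username)
        if not userdb.is_valid_user_session(username, session_id):
            del_auth_cookie()
            return None

    # Once reached this the cookie is a good one. Renew it!
    renew_cookie(cookie_name, username)

    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                               (html.urlencode(html.makeuri([])), reason))

    return username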
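def _digests_equal(actual, expected):
    """Compare two hash strings without stopping at the first mismatch.

    A plain '!=' returns as soon as one character differs, so the time the
    comparison takes reveals how long the matching prefix is. hmac.compare_digest
    is used when the interpreter provides it (Python 2.7.7+); otherwise every
    character pair is XORed and the results folded together so the loop always
    runs to the end. A length mismatch is reported immediately: the digest
    length is not a secret.

    Args:
        actual: the hash taken from the cookie.
        expected: the hash computed server-side.

    Returns:
        True when both strings are identical, False otherwise.
    """
    import hmac

    if len(actual) != len(expected):
        return False
    compare = getattr(hmac, 'compare_digest', None)
    if compare is not None:
        try:
            return compare(actual, expected)
        except TypeError:
            # compare_digest refuses mixed str/unicode operands; use the
            # portable comparison below instead.
            pass
    diff = 0
    for a, b in zip(actual, expected):
        diff |= ord(a) ^ ord(b)
    return diff == 0


def check_auth_cookie(cookie_name):
    """Validate the auth cookie *cookie_name* and return the authenticated user.

    The cookie value has the form 'username:issue_time:hash'. The user must
    exist and the hash must match the one generated from username, issue time
    and the user's current serial (load_serial / generate_hash, defined
    elsewhere in the module). A valid cookie is renewed before the username
    is returned.

    Args:
        cookie_name: name of the cookie to read via html.cookie.

    Returns:
        The authenticated username. When the current page is not
        user_change_pw and userdb.need_to_change_pw reports a reason, a
        redirect to user_change_pw.py is issued first.

    Raises:
        MKAuthException: when the cookie is malformed, the user is unknown or
            the hash does not match.
    """
    # The '::' default (presumably returned when the cookie is absent) splits
    # into three empty fields; a value with fewer than two separators cannot
    # be a cookie we issued, so reject it instead of failing on the unpack.
    parts = html.cookie(cookie_name, '::').split(':', 2)
    if len(parts) != 3:
        raise MKAuthException(_('Invalid credentials'))
    username, issue_time, cookie_hash = parts

    # FIXME: the cookie's expiry time is not checked yet.

    if not userdb.user_exists(username):
        raise MKAuthException(_('Username is unknown'))

    # Validate the hash. The issue time is part of the hashed data, so a
    # tampered issue_time fails here as well.
    serial = load_serial(username)
    expected_hash = generate_hash(username, issue_time, serial)
    if not _digests_equal(cookie_hash, expected_hash):
        raise MKAuthException(_('Invalid credentials'))

    # Once reached this the cookie is a good one. Renew it!
    renew_cookie(cookie_name, username, serial)

    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                               (html.urlencode(html.makeuri([])), reason))

    return username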
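def _digests_equal(actual, expected):
    """Compare two hash strings without stopping at the first mismatch.

    A plain '!=' returns as soon as one character differs, so the time the
    comparison takes reveals how long the matching prefix is. hmac.compare_digest
    is used when the interpreter provides it (Python 2.7.7+); otherwise every
    character pair is XORed and the results folded together so the loop always
    runs to the end. A length mismatch is reported immediately: the digest
    length is not a secret.

    Args:
        actual: the hash taken from the cookie.
        expected: the hash computed server-side.

    Returns:
        True when both strings are identical, False otherwise.
    """
    import hmac

    if len(actual) != len(expected):
        return False
    compare = getattr(hmac, 'compare_digest', None)
    if compare is not None:
        try:
            return compare(actual, expected)
        except TypeError:
            # compare_digest refuses mixed str/unicode operands; use the
            # portable comparison below instead.
            pass
    diff = 0
    for a, b in zip(actual, expected):
        diff |= ord(a) ^ ord(b)
    return diff == 0


def check_auth_cookie(cookie_name):
    """Validate the auth cookie *cookie_name* and return the authenticated user.

    The cookie value has the form 'username:issue_time:hash'. The user must
    exist and the hash must match the one generated from username, issue time
    and the user's current serial (load_serial / generate_hash, defined
    elsewhere in the module). A valid cookie is renewed before the username
    is returned.

    Args:
        cookie_name: name of the cookie to read via html.cookie.

    Returns:
        The authenticated username. When the current page is not
        user_change_pw and userdb.need_to_change_pw reports a reason, a
        redirect to user_change_pw.py is issued first.

    Raises:
        MKAuthException: when the cookie is malformed, the user is unknown or
            the hash does not match.
    """
    # The '::' default (presumably returned when the cookie is absent) splits
    # into three empty fields; a value with fewer than two separators cannot
    # be a cookie we issued, so reject it instead of failing on the unpack.
    parts = html.cookie(cookie_name, '::').split(':', 2)
    if len(parts) != 3:
        raise MKAuthException(_('Invalid credentials'))
    username, issue_time, cookie_hash = parts

    # FIXME: the cookie's expiry time is not checked yet.

    if not userdb.user_exists(username):
        raise MKAuthException(_('Username is unknown'))

    # Validate the hash. The issue time is part of the hashed data, so a
    # tampered issue_time fails here as well.
    serial = load_serial(username)
    expected_hash = generate_hash(username, issue_time, serial)
    if not _digests_equal(cookie_hash, expected_hash):
        raise MKAuthException(_('Invalid credentials'))

    # Once reached this the cookie is a good one. Renew it!
    renew_cookie(cookie_name, username, serial)

    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                               (html.urlencode(html.makeuri([])), reason))

    return username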
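def check_auth_cookie(cookie_name):
    """Validate the auth cookie *cookie_name* and return the user it names.

    Parsing and verification of the cookie are delegated to parse_auth_cookie
    and check_parsed_auth_cookie (defined elsewhere in the module; a bad
    cookie is expected to raise there rather than return). Two session
    policies are then enforced on top of that:

      - the idle timeout (userdb.login_timed_out), and
      - single user session mode (config.single_user_session): the request
        must carry the user's currently active session id.

    A cookie that passes both checks is renewed. Unless the current page is
    user_change_pw, a pending password-change requirement redirects the user
    to user_change_pw.py first.

    Args:
        cookie_name: name of the auth cookie to read and, on success, renew.

    Returns:
        The authenticated username, or None when the login has timed out or
        the request is not the user's active session; in both None cases the
        auth cookie is deleted so the user has to log in again.
    """
    username, issue_time, cookie_hash = parse_auth_cookie(cookie_name)
    check_parsed_auth_cookie(username, issue_time, cookie_hash)

    # Idle timeout exceeded: drop the cookie and require a fresh login.
    if userdb.login_timed_out(username, issue_time):
        del_auth_cookie()
        return None

    # 'is not None' rather than '!= None': this is a presence check, and
    # identity comparison is the correct test for None.
    if config.single_user_session is not None:
        session_id = get_session_id_from_cookie(username)
        if not userdb.is_valid_user_session(username, session_id):
            del_auth_cookie()
            return None

    # Once reached this the cookie is a good one. Renew it!
    renew_cookie(cookie_name, username)

    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                               (html.urlencode(html.makeuri([])), reason))

    return username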
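def _is_allowed_origtarget(origtarget):
    """Return True if *origtarget* may be used as the post-login redirect.

    Rejected targets:
      - empty or missing values
      - logout.py: happens after login
      - side.py: happens when an invalid login is detected during the
        sidebar refresh
      - fully qualified URLs ('http://...') to prevent redirection attacks
      - scheme-relative URLs ('//host/...', and the '/\\host' spelling that
        browsers normalise to the same thing): they contain no '://' and
        would otherwise pass the check above while still leaving the site
    """
    if not origtarget:
        return False
    if 'logout.py' in origtarget or 'side.py' in origtarget:
        return False
    if '://' in origtarget or origtarget.startswith(('//', '/\\')):
        return False
    return True


def do_login():
    """Process a submitted login form.

    Does nothing when the ``_login`` form variable is absent. Otherwise the
    credentials are checked via userdb.hook_login; on success an auth session
    is created and a 302 redirect to the requested page (or to the
    password-change page when userdb.need_to_change_pw demands it) is issued.
    Any MKUserError raised along the way is recorded with html.add_user_error
    and its message is returned.

    Returns:
        The error message as a string when the login failed, None otherwise
        (no form was sent, or a redirect was issued).
    """
    if not html.var('_login'):
        return None

    try:
        username = html.get_unicode_input('_username', '').rstrip()
        if username == '':
            raise MKUserError('_username', _('No username given.'))

        password = html.var('_password', '')
        if password == '':
            raise MKUserError('_password', _('No password given.'))

        origtarget = html.var('_origtarget')
        if not _is_allowed_origtarget(origtarget):
            origtarget = defaults.url_prefix + 'check_mk/'

        # userdb.hook_login returns:
        #   None        -> user unknown, means continue with other connectors
        #   '<user_id>' -> success
        #   False       -> failed
        # None and False are both treated as a failed login here.
        result = userdb.hook_login(username, password)
        if not result:
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # Use the username returned by the login hook: the connector may have
        # transformed the user-supplied name, e.g. switched from mixed case
        # to lower case.
        username = result

        # When single user session mode is enabled, check that there is not
        # another active session for this user.
        userdb.ensure_user_can_init_session(username)

        # Reset the failed login counter.
        userdb.on_succeeded_login(username)

        # The login succeeded: set the auth cookie.
        create_auth_session(username)

        # Always redirect with a 302 instead of rendering the target in place;
        # inplace redirect handling caused unexpected situations in the past.
        # need_to_change_pw returns either False or the reason description
        # why the password needs to be changed.
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(origtarget), reason))
        else:
            html.http_redirect(origtarget)
    except MKUserError as e:
        html.add_user_error(e.varname, e)
        return "%s" % e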
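def _is_allowed_origtarget(origtarget):
    """Return True if *origtarget* may be used as the post-login redirect.

    Rejected targets:
      - empty or missing values
      - logout.py: happens after login
      - side.py: happens when an invalid login is detected during the
        sidebar refresh
      - fully qualified URLs ('http://...') to prevent redirection attacks
      - scheme-relative URLs ('//host/...', and the '/\\host' spelling that
        browsers normalise to the same thing): they contain no '://' and
        would otherwise pass the check above while still leaving the site
    """
    if not origtarget:
        return False
    if 'logout.py' in origtarget or 'side.py' in origtarget:
        return False
    if '://' in origtarget or origtarget.startswith(('//', '/\\')):
        return False
    return True


def do_login():
    """Process a submitted login form.

    Does nothing when the ``_login`` form variable is absent. Otherwise the
    credentials are checked via userdb.hook_login; on success an auth session
    is created and a 302 redirect to the requested page (or to the
    password-change page when userdb.need_to_change_pw demands it) is issued.
    Any MKUserError raised along the way is recorded with html.add_user_error
    and its message is returned.

    Returns:
        The error message as a string when the login failed, None otherwise
        (no form was sent, or a redirect was issued).
    """
    if not html.var('_login'):
        return None

    try:
        username = html.get_unicode_input('_username', '').rstrip()
        if username == '':
            raise MKUserError('_username', _('No username given.'))

        password = html.var('_password', '')
        if password == '':
            raise MKUserError('_password', _('No password given.'))

        origtarget = html.var('_origtarget')
        if not _is_allowed_origtarget(origtarget):
            origtarget = config.url_prefix() + 'check_mk/'

        # userdb.hook_login returns:
        #   None        -> user unknown, means continue with other connectors
        #   '<user_id>' -> success
        #   False       -> failed
        # None and False are both treated as a failed login here.
        result = userdb.hook_login(username, password)
        if not result:
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # Use the username returned by the login hook: the connector may have
        # transformed the user-supplied name, e.g. switched from mixed case
        # to lower case.
        username = result

        # When single user session mode is enabled, check that there is not
        # another active session for this user.
        userdb.ensure_user_can_init_session(username)

        # Reset the failed login counter.
        userdb.on_succeeded_login(username)

        # The login succeeded: set the auth cookie.
        create_auth_session(username)

        # Always redirect with a 302 instead of rendering the target in place;
        # inplace redirect handling caused unexpected situations in the past.
        # need_to_change_pw returns either False or the reason description
        # why the password needs to be changed.
        reason = userdb.need_to_change_pw(username)
        if reason:
            # NOTE(review): 'reason' is interpolated into the query string
            # unencoded; if it can ever contain '&' or '#' it needs
            # html.urlencode as well.
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(origtarget), reason))
        else:
            html.http_redirect(origtarget)
    except MKUserError as e:
        html.add_user_error(e.varname, e)
        return "%s" % e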
def check_auth_cookie(cookie_name):
    """Validate the auth cookie *cookie_name* and return the user it names.

    parse_auth_cookie splits the cookie into username, issue time and hash;
    check_parsed_auth_cookie verifies them and yields the user's serial (both
    are defined elsewhere in the module; a bad cookie is expected to raise
    there rather than return). The accepted cookie is renewed, and unless the
    current page is user_change_pw, a pending password-change requirement
    redirects the user to user_change_pw.py.

    Args:
        cookie_name: name of the auth cookie to read and renew.

    Returns:
        The authenticated username.
    """
    username, issue_time, cookie_hash = parse_auth_cookie(cookie_name)
    serial = check_parsed_auth_cookie(username, issue_time, cookie_hash)

    # Verification did not raise, so the cookie is accepted: issue a fresh one.
    renew_cookie(cookie_name, username, serial)

    on_change_pw_page = html.myfile == 'user_change_pw'
    if not on_change_pw_page:
        reason = userdb.need_to_change_pw(username)
        if reason:
            back_to = html.urlencode(html.makeuri([]))
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s' % (back_to, reason))

    return username