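def check_auth_cookie(cookie_name):
    """Validate the auth cookie named *cookie_name* and return the user it belongs to.

    Returns the authenticated username, or ``None`` when the session has been
    invalidated: the idle timeout was exceeded, or single-user-session mode is
    active and this request does not carry the user's currently active session.
    In both of those cases the cookie is deleted so the user has to log in again.

    A cookie that does not parse or whose hash does not verify is rejected by
    check_parsed_auth_cookie(); whatever it raises propagates to the caller.
    """
    username, issue_time, cookie_hash = parse_auth_cookie(cookie_name)
    check_parsed_auth_cookie(username, issue_time, cookie_hash)

    # Idle timeout: when one is configured and exceeded, drop the cookie and
    # make the user log in again.
    if userdb.login_timed_out(username, issue_time):
        del_auth_cookie()
        return None

    # Single-user-session mode: only the currently active session of this
    # user may be used. Identity comparison with None keeps the original
    # semantics (any value other than None, including falsy ones, enables
    # the check) while using the idiomatic form.
    if config.single_user_session is not None:
        session_id = get_session_id_from_cookie(username)
        if not userdb.is_valid_user_session(username, session_id):
            del_auth_cookie()
            return None

    # The cookie is good: renew it so the idle timeout starts over.
    renew_cookie(cookie_name, username)

    # Force a password change when userdb demands it, unless we are already
    # on the change-password page (that would redirect in a loop). The reason
    # is an internal value, but it is URL-encoded like _origtarget so that a
    # reason containing '&' or whitespace cannot break the query string.
    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(html.makeuri([])), html.urlencode(reason)))

    # Return the authenticated username
    return username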
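def check_auth_cookie(cookie_name):
    """Validate the auth cookie named *cookie_name* and return its username.

    The cookie value has the form ``username:issue_time:hash``. The hash is
    recomputed from the username, the issue time and the user's current serial
    (load_serial()) and must equal the one carried in the cookie. On success
    the cookie is renewed and, unless this request is already for the
    change-password page, the user is redirected there when
    userdb.need_to_change_pw() demands it.

    Raises MKAuthException when the cookie is malformed, names an unknown
    user or carries a wrong hash.

    FIXME: the cookie's issue_time is never checked against a maximum age, so
    a cookie is not rejected on age alone (only a hash/serial mismatch does).
    """
    # The default '::' yields three empty fields for a missing cookie; any
    # other value with fewer than two colons is malformed and must be
    # rejected as an auth error instead of crashing on the unpacking.
    parts = html.cookie(cookie_name, '::').split(':', 2)
    if len(parts) != 3:
        raise MKAuthException(_('Invalid credentials'))
    username, issue_time, cookie_hash = parts

    # NOTE(review): this message differs from the one for a wrong hash, so
    # whoever presents a forged cookie can tell known usernames from unknown
    # ones — consider using the same message for both.
    if not userdb.user_exists(username):
        raise MKAuthException(_('Username is unknown'))

    # Validate the hash. The comparison runs in constant time so that it does
    # not leak how much of a forged hash already matched.
    serial = load_serial(username)
    if not _constant_time_equal(generate_hash(username, issue_time, serial), cookie_hash):
        raise MKAuthException(_('Invalid credentials'))

    # Once reached this the cookie is a good one. Renew it!
    renew_cookie(cookie_name, username, serial)

    # The reason is an internal value, but it is URL-encoded like _origtarget
    # so that a reason containing '&' or whitespace cannot break the query.
    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(html.makeuri([])), html.urlencode(reason)))

    # Return the authenticated username
    return username


def _constant_time_equal(a, b):
    """Compare two strings without stopping at the first differing character.

    Written by hand instead of hmac.compare_digest() because this file still
    targets Python 2 and compare_digest is not available before 2.7.7. The
    length check returns early, which is fine here: the compared value is a
    fixed-length digest, so the length is not secret.
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= ord(x) ^ ord(y)
    return diff == 0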
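def do_login():
    """Process a submitted login form.

    Only acts when the ``_login`` form variable is present. On success the
    auth session is created and the user is sent with a 302 either to the page
    originally requested (``_origtarget``) or, when userdb.need_to_change_pw()
    demands it, to the change-password page. On failure the error is recorded
    with html.add_user_error() and returned as a string so the login form can
    display it.

    Returns ``None`` when no login was attempted or it succeeded, otherwise
    the error text.
    """
    if not html.var('_login'):
        return None

    try:
        username = html.get_unicode_input('_username', '').rstrip()
        if username == '':
            raise MKUserError('_username', _('No username given.'))

        password = html.var('_password', '')
        if password == '':
            raise MKUserError('_password', _('No password given.'))

        # Fall back to the start page for any redirect target we do not trust
        # (see _is_safe_origtarget for the rejected forms).
        origtarget = html.var('_origtarget')
        if not _is_safe_origtarget(origtarget):
            origtarget = defaults.url_prefix + 'check_mk/'

        # userdb.hook_login() returns:
        #   None        -> user unknown, means continue with other connectors
        #   '<user_id>' -> success
        #   False       -> failed
        result = userdb.hook_login(username, password)
        if not result:
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # The connector may have transformed the username provided by the
        # user (e.g. switched from mixed case to lower case); use its version.
        username = result

        # When single user session mode is enabled, this checks that there is
        # not another active session.
        userdb.ensure_user_can_init_session(username)

        # Reset the failed login counts.
        userdb.on_succeeded_login(username)

        # The login succeeded: set the auth cookie, then redirect to the really
        # requested page with a plain 302. The in-place redirect handling used
        # in the past led to unexpected situations and is not used anymore.
        create_auth_session(username)

        # need_to_change_pw() returns either False or the reason description
        # why the password needs to be changed. The reason is an internal
        # value, but it is URL-encoded like _origtarget so that it cannot
        # break the query string.
        reason = userdb.need_to_change_pw(username)
        if reason:
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(origtarget), html.urlencode(reason)))
        else:
            html.http_redirect(origtarget)
    except MKUserError as e:
        html.add_user_error(e.varname, e)
        return "%s" % e

    return None


def _is_safe_origtarget(origtarget):
    """Return True when *origtarget* may be used as the post-login redirect.

    Rejected targets:
      - empty / missing values
      - logout.py: would log the user straight out again after login
      - side.py: the sidebar refresh that detected the invalid login
      - fully qualified URLs (scheme://host/...): redirection attacks
      - scheme-relative URLs (//host/..., and /\\host/... which some browsers
        normalize to //host/...): the same attack, not caught by the '://'
        test, since browsers resolve them against the current scheme only
    """
    if not origtarget:
        return False
    if 'logout.py' in origtarget or 'side.py' in origtarget or '://' in origtarget:
        return False
    # Look past leading whitespace, which URL parsers ignore, and treat a
    # backslash like a slash for the two-character prefix test.
    head = origtarget.lstrip()[:2].replace('\\', '/')
    return head != '//'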
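def do_login():
    """Process a submitted login form.

    Only acts when the ``_login`` form variable is present. On success the
    auth session is created and the user is sent with a 302 either to the page
    originally requested (``_origtarget``) or, when userdb.need_to_change_pw()
    demands it, to the change-password page. On failure the error is recorded
    with html.add_user_error() and returned as a string so the login form can
    display it.

    Returns ``None`` when no login was attempted or it succeeded, otherwise
    the error text.
    """
    if not html.var('_login'):
        return None

    try:
        username = html.get_unicode_input('_username', '').rstrip()
        if username == '':
            raise MKUserError('_username', _('No username given.'))

        password = html.var('_password', '')
        if password == '':
            raise MKUserError('_password', _('No password given.'))

        # Fall back to the start page for any redirect target we do not trust
        # (see _is_safe_origtarget for the rejected forms).
        origtarget = html.var('_origtarget')
        if not _is_safe_origtarget(origtarget):
            origtarget = config.url_prefix() + 'check_mk/'

        # userdb.hook_login() returns:
        #   None        -> user unknown, means continue with other connectors
        #   '<user_id>' -> success
        #   False       -> failed
        result = userdb.hook_login(username, password)
        if not result:
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # The connector may have transformed the username provided by the
        # user (e.g. switched from mixed case to lower case); use its version.
        username = result

        # When single user session mode is enabled, this checks that there is
        # not another active session.
        userdb.ensure_user_can_init_session(username)

        # Reset the failed login counts.
        userdb.on_succeeded_login(username)

        # The login succeeded: set the auth cookie, then redirect to the really
        # requested page with a plain 302. The in-place redirect handling used
        # in the past led to unexpected situations and is not used anymore.
        create_auth_session(username)

        # need_to_change_pw() returns either False or the reason description
        # why the password needs to be changed. The reason is an internal
        # value, but it is URL-encoded like _origtarget so that it cannot
        # break the query string.
        reason = userdb.need_to_change_pw(username)
        if reason:
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(origtarget), html.urlencode(reason)))
        else:
            html.http_redirect(origtarget)
    except MKUserError as e:
        html.add_user_error(e.varname, e)
        return "%s" % e

    return None


def _is_safe_origtarget(origtarget):
    """Return True when *origtarget* may be used as the post-login redirect.

    Rejected targets:
      - empty / missing values
      - logout.py: would log the user straight out again after login
      - side.py: the sidebar refresh that detected the invalid login
      - fully qualified URLs (scheme://host/...): redirection attacks
      - scheme-relative URLs (//host/..., and /\\host/... which some browsers
        normalize to //host/...): the same attack, not caught by the '://'
        test, since browsers resolve them against the current scheme only
    """
    if not origtarget:
        return False
    if 'logout.py' in origtarget or 'side.py' in origtarget or '://' in origtarget:
        return False
    # Look past leading whitespace, which URL parsers ignore, and treat a
    # backslash like a slash for the two-character prefix test.
    head = origtarget.lstrip()[:2].replace('\\', '/')
    return head != '//'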
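def check_auth_cookie(cookie_name):
    """Validate the auth cookie named *cookie_name* and return its username.

    parse_auth_cookie() splits the cookie into username, issue time and hash;
    check_parsed_auth_cookie() verifies them and returns the user's serial,
    which renew_cookie() needs. Whatever those two raise for a bad cookie
    propagates to the caller. A valid cookie is renewed and, unless this
    request is already for the change-password page, the user is redirected
    there when userdb.need_to_change_pw() demands it.
    """
    username, issue_time, cookie_hash = parse_auth_cookie(cookie_name)
    serial = check_parsed_auth_cookie(username, issue_time, cookie_hash)

    # Once reached this the cookie is a good one. Renew it with the same serial.
    renew_cookie(cookie_name, username, serial)

    # Skip the redirect on the change-password page itself, which would loop.
    # The reason is an internal value, but it is URL-encoded like _origtarget
    # so that a reason containing '&' or whitespace cannot break the query.
    if html.myfile != 'user_change_pw':
        reason = userdb.need_to_change_pw(username)
        if reason:
            html.http_redirect('user_change_pw.py?_origtarget=%s&reason=%s'
                               % (html.urlencode(html.makeuri([])), html.urlencode(reason)))

    # Return the authenticated username
    return username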