From 7172dbc0d546b2eec19b87ad2b9812242fa2219d Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 15 Feb 2008 13:17:16 +0100
Subject: [PATCH] Make session reference file check overridable for auth
 backends

darcs-hash:20080215121716-7ad00-35d275212e0e3c41626ed64d9096aad10f4ad2db.gz
---
 inc/auth.php             |  2 +-
 inc/auth/basic.class.php | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/inc/auth.php b/inc/auth.php
index 48888da1e..5c60f8a35 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -157,7 +157,7 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
     if($user && $pass){
       // we got a cookie - see if we can trust it
       if(isset($session) &&
-        ($session['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')) &&
+        $auth->useSessionCache($user) &&
         ($session['time'] >= time()-$conf['auth_security_timeout']) &&
         ($session['user'] == $user) &&
         ($session['pass'] == $pass) &&  //still crypted
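Review bot: The new `$auth->useSessionCache($user)` call sits ahead of the `$session['user'] == $user` and `$session['pass'] == $pass` comparisons in the `&&` chain, so a backend override is invoked with a username taken from the cookie before it has been matched against the session. Because the new docblock invites backends to put their own checking here, an override may query a slow or external user store on every request that carries a cookie, including sessions already older than `auth_security_timeout`. Placing `$auth->useSessionCache($user) &&` directly after the `($session['pass'] == $pass) &&` line would run the cheap local comparisons first and hand the backend only a username that already matches the session. The rest of the condition and the body of auth_login lie outside the hunk.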
diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php
index bf251bae0..c3bb9d32e 100644
--- a/inc/auth/basic.class.php
+++ b/inc/auth/basic.class.php
@@ -290,5 +290,35 @@ class auth_basic {
     return array();
   }
 
+  /**
+   * Check Session Cache validity [implement only where required/possible]
+   *
+   * DokuWiki caches user info in the user's session for the timespan defined
+   * in $conf['securitytimeout'].
+   *
+   * This makes sure slow authentication backends do not slow down DokuWiki.
+   * This also means that changes to the user database will not be reflected
+   * on currently logged in users.
+   *
+   * To accommodate for this, the user manager plugin will touch a reference
+   * file whenever a change is submitted. This function compares the filetime
+   * of this reference file with the time stored in the session.
+   *
+   * This reference file mechanism does not reflect changes done directly in
+   * the backend's database through other means than the user manager plugin.
+   *
+   * Fast backends might want to return always false, to force rechecks on
+   * each page load. Others might want to use their own checking here. If
+   * unsure, do not override.
+   *
+   * @param  string $user - The username
+   * @author Andreas Gohr <andi@splitbrain.org>
+   * @return bool
+   */
+  function useSessionCache($user){
+    global $conf;
+    return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'].'/sessionpurge'));
+  }
+
 }
 //Setup VIM: ex: et ts=2 enc=utf-8 :
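Review bot: In `useSessionCache()` the result of `@filemtime(...)` is compared directly, so when the reference file cannot be read the call yields `false` and the loose `>=` evaluates to true, meaning the cached session is trusted. That is presumably intended when no purge has happened yet, but it also fails open on a permission or path error, and the `@` hides the warning. Making the case explicit would document the choice: `$purged = @filemtime($conf['cachedir'].'/sessionpurge');` followed by `return $purged === false || $_SESSION[DOKU_COOKIE]['auth']['time'] >= $purged;`. The docblock should also say that a missing reference file counts as "cache valid", that `$user` is unused by the default implementation, and it should name the setting as `$conf['auth_security_timeout']`, which is the key auth_login reads in this same patch, rather than `$conf['securitytimeout']`.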
-- 
GitLab