[prev in list] [next in list] [prev in thread] [next in thread]
List: squirrelmail-cvs
Subject: [SM-CVS] SF.net SVN: squirrelmail:[14273] trunk/squirrelmail
From: pdontthink () users ! sourceforge ! net
Date: 2012-02-07 22:51:58
Message-ID: E1RuttG-0006rf-SQ () sfp-svn-1 ! v30 ! ch3 ! sourceforge ! com
[Download RAW message or body]
Revision: 14273
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=14273&view=rev
Author: pdontthink
Date: 2012-02-07 22:51:58 +0000 (Tue, 07 Feb 2012)
Log Message:
-----------
Better performance by reducing token usage to only one at a time (also added an \
option to revert to old behavior if desired)
Modified Paths:
--------------
trunk/squirrelmail/doc/ChangeLog
trunk/squirrelmail/functions/strings.php
Modified: trunk/squirrelmail/doc/ChangeLog
===================================================================
--- trunk/squirrelmail/doc/ChangeLog 2012-02-07 22:50:13 UTC (rev 14272)
+++ trunk/squirrelmail/doc/ChangeLog 2012-02-07 22:51:58 UTC (rev 14273)
@@ -372,6 +372,7 @@
- Unified address book searches somewhat: file-backed address books now
search in each field individually; database-backed address books now
search in fields other than first/last name (nickname, email)
+ - Made performance improvements in security token handling
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
Modified: trunk/squirrelmail/functions/strings.php
===================================================================
--- trunk/squirrelmail/functions/strings.php 2012-02-07 22:50:13 UTC (rev 14272)
+++ trunk/squirrelmail/functions/strings.php 2012-02-07 22:51:58 UTC (rev 14273)
@@ -1481,7 +1481,7 @@
* list ("old" is 2 days or
* older unless the administrator
* overrides that value using
- * $max_security_token_age in
+ * $max_token_age_days in
* config/config_local.php)
* (OPTIONAL; default is to always
* purge old tokens)
@@ -1523,6 +1523,15 @@
* the user's preferences with a timestamp for later
* verification/use.
*
+ * NOTE: The administrator can force SquirrelMail to generate
+ * a new token every time one is requested (which may increase
+ * obscurity through token randomness at the cost of some
+ * performance) by adding the following to
+ * config/config_local.php: $do_not_use_single_token = TRUE;
+ * Otherwise, only one token will be generated per user which
+ * will change only after it expires or is used outside of the
+ * validity period specified when calling sm_validate_security_token()
+ *
* WARNING: If the administrator has turned the token system
* off by setting $disable_security_tokens to TRUE in
* config/config.php or the configuration tool, this
@@ -1530,19 +1539,27 @@
* preferences (but it will still generate and return
* a random string).
*
+ * @param boolean $force_generate_new When TRUE, a new token will
+ * always be created even if current
+ * configuration dictates otherwise
+ * (OPTION; default FALSE)
+ *
* @return string A security token
*
* @since 1.4.19 and 1.5.2
*
*/
-function sm_generate_security_token()
+function sm_generate_security_token($force_generate_new=FALSE)
{
- global $data_dir, $username, $disable_security_tokens;
+ global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
$max_generation_tries = 1000;
$tokens = sm_get_user_security_tokens();
+ if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
+ return key($tokens);
+
$new_token = GenerateRandomString(12, '', 7);
$count = 0;
while (isset($tokens[$new_token]))
@@ -1573,7 +1590,7 @@
* is too old but otherwise valid, it will still be rejected.
*
* "Too old" is 2 days or older unless the administrator
- * overrides that value using $max_security_token_age in
+ * overrides that value using $max_token_age_days in
* config/config_local.php
*
* WARNING: If the administrator has turned the token system
@@ -1588,6 +1605,10 @@
* tokens to be reused for an hour)
* (OPTIONAL; default is to only allow tokens
* to be used once)
+ * NOTE this is unrelated to $max_token_age_days
+ * or rather is an additional time constraint on
+ * tokens that allows them to be re-used (or not)
+ * within a more narrow timeframe
* @param boolean $show_error Indicates that if the token is not
* valid, this function should display
* a generic error, log the user out
This was sent by the SourceForge.net collaborative development platform, the world's \
largest Open Source development site.
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
-----
squirrelmail-cvs mailing list
List address: squirrelmail-cvs@lists.sourceforge.net
List info (subscribe/unsubscribe/change options): \
https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
Repository: http://squirrelmail.org/svn
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic