David Harris [[EMAIL PROTECTED]] wrote:
[snip]
> I've attached some code. To use the code, you'll have to replace the
> module FreezeThawLite with Storable. Also, beware the \r\n newlines.
> (I pulled this out of CVS on my windows desktop.)

I forgot to actually attach the code....

David


package Fusion::FormContainer;
use strict;

use Digest::MD5 ();
use Digest::SHA ();
use MIME::Base64 ();
use FreezeThawLight ();
use Compress::Zlib ();

use Carp;

# This represents a security hole if we open-source this module: the security string
# needs to be passed in as configuration at that point somehow.

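# Compute the authentication tag that binds a serialised FormContainer
# payload to the server-side secret.
#
# Takes the payload string and returns a lowercase hex HMAC-SHA256 tag.
#
# The original construction was MD5(payload . secret).  A secret-suffix hash
# inherits the collision weakness of the underlying hash, so two payloads
# that collide under MD5 would carry the same tag.  HMAC keyed with the same
# secret does not depend on collision resistance in that way.  Tags produced
# by the old construction no longer validate, so forms rendered before the
# change are rejected by decode().
sub _create_security_string
{
        my $string = shift;

        # NOTE(review): the text between the markers is the placeholder from
        # the original posting.  A deployment must replace it with a long
        # random key, and ideally load it from configuration kept outside the
        # source tree: anyone who can read this file can forge valid tags.
        my $secret = <<EOT;
--begin-secret--
enter your own secret binary of base64 encoded data here
enter your own secret binary of base64 encoded data here
enter your own secret binary of base64 encoded data here
enter your own secret binary of base64 encoded data here
-end-secret--
EOT

        # Digest::SHA takes the data first and the key as the last argument.
        return Digest::SHA::hmac_sha256_hex($string, $secret);
}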

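# Serialise a data structure into a set of form fields that decode() can
# verify and restore.
#
#   $info   - the data to carry through the form (passed to freeze()).
#   $prefix - string prepended to every field name, so several containers
#             can share one form.
#
# In list context returns a flat (name, value, name, value, ...) list with
# the raw field names.  In scalar or void context returns a string of HTML
# <input type="hidden"> elements, one per line.
#
# Security notes for callers:
#   * The payload is authenticated, not encrypted.  It is only frozen,
#     compressed and base64-encoded, so whoever receives the form can read
#     it.  Do not put secrets in $info.
#   * The tag covers the payload string only.  It is not bound to $prefix,
#     a session or a timestamp, so a previously issued container stays
#     valid and can be resubmitted.
sub encode
{
        my $info = shift;
        my $prefix = shift;

        # freeze -> compress -> base64.  MIME::Base64 breaks its output into
        # lines; the trailing newline is dropped so that splitting on "\n"
        # below yields no empty final part.
        my $string = MIME::Base64::encode(
                Compress::Zlib::compress(FreezeThawLight::freeze($info)));
        $string =~ s/\n$//;

        my @array;

        # The tag is computed over the exact string that decode() rebuilds
        # by joining the parts with "\n".
        push @array, ("${prefix}_fc_security", _create_security_string($string));

        # One field per base64 line, numbered 000, 001, ...
        my $part_number = 0;
        foreach my $part ( split "\n", $string ) {
                my $part_number_string = sprintf("%.3d", $part_number);
                push @array, ("${prefix}_fc_part$part_number_string", $part);
                $part_number++;
        }

        return @array if wantarray;

        # Escape attribute values when rendering HTML.  The tag and the
        # base64 parts never contain these characters, but $prefix comes
        # from the caller and would otherwise be written into the name
        # attribute verbatim.  The browser submits the unescaped name, so
        # decode() still finds the fields.
        my %entity_for = (
                '&' => '&amp;',
                '<' => '&lt;',
                '>' => '&gt;',
                '"' => '&quot;',
        );

        my $html;
        while ( @array ) {
                my ($name, $value) = splice(@array, 0, 2);
                s/([&<>"])/$entity_for{$1}/g for $name, $value;
                $html .= <<EOT;
<input type="hidden" name="$name" value="$value">
EOT
        }
        return $html;
}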

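# Rebuild and verify a FormContainer from submitted request parameters, then
# return the original data structure.
#
#   $apr    - request object; only its param() method is used.
#   $prefix - the same prefix that was given to encode().
#
# Croaks if the security tag is missing or does not match the reassembled
# payload.  Returns whatever FreezeThawLight::thaw() returns.
sub decode
{
        my $apr = shift;
        my $prefix = shift;

        my $security = $apr->param("${prefix}_fc_security");

        # Collect part000, part001, ... until the first missing or empty one.
        # A missing parameter may come back undefined, so test for that
        # explicitly rather than comparing undef with a string.
        my @string_parts;
        my $part_number = 0;
        while ( 1 ) {
                my $part_number_string = sprintf("%.3d", $part_number);
                my $part = $apr->param("${prefix}_fc_part$part_number_string");
                last if ( !defined($part) || $part eq "" );
                push @string_parts, $part;
                $part_number++;
        }
        my $string = join "\n", @string_parts;

        # Compare the tags without stopping at the first differing character,
        # so response timing does not show how much of a guessed tag was
        # correct.  The tag length is not secret, so a length mismatch may be
        # rejected immediately.
        my $expected = _create_security_string($string);
        my $mismatch = !defined($security)
                || length($security) != length($expected);
        if ( !$mismatch ) {
                my $difference = 0;
                foreach my $i ( 0 .. length($expected) - 1 ) {
                        $difference |= ord(substr($expected, $i, 1))
                                ^ ord(substr($security, $i, 1));
                }
                $mismatch = ( $difference != 0 );
        }

        croak "tampered or malformed FormContainer: securty string and string don't match"
                if ( $mismatch );

        # NOTE(review): thaw() rebuilds Perl data from bytes that arrived in
        # the request.  Deserialising attacker-chosen input is unsafe with
        # this family of modules (Storable documents the same), so the tag
        # check above must stay ahead of any decoding.  The secrecy of the
        # key is the only thing protecting this call.
        return FreezeThawLight::thaw(
                Compress::Zlib::uncompress(MIME::Base64::decode($string)));
}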

1;
