Cosign Filter Implementation in PHP

Download: cosign-php-1.1.tar.gz (tar.gz)

Features

  • Cosign v0/v2/v3 client protocol implementation in PHP only (no Apache module required)
  • Cosign v3 validation service (compatible with Apache module implementation)
  • Kerberos ticket retrieval support (not tested)
  • Multiple Cosignd server support (DNS load balancing)
  • Single source file, no external dependencies, fast, low overhead
  • Opcode-cache friendly (runs without problems under APC and OPcache)

Requirements

  • PHP-5.3.x or newer (tested on 5.3, 5.6, 7.1, 7.2, 7.3)
  • NOTICE: it does not work with the buggy PHP versions 5.3.9 and 5.3.10 (nor with the Google-patched 5.2.17); the cause is a bug in stream_get_line().
  • SSL socket transport support (php configure option --with-openssl)
  • Cosign Service Client Certificate and Private Key (don't use Web server Certificate for security reasons, see Installation)

Limitations

  • No persistent cosignd server connections: every cookie validation sets up a new SSL connection. With the default settings a client's cookie is re-validated at most once per 60 seconds, so hundreds of clients are handled without difficulty.
  • No proxy support.
  • Factor support not tested.

Copyright

Copyright (c) 2010 Petr Lampa, Faculty of Information Technology, Brno University of Technology
All Rights Reserved.

License

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of The Brno University of Technology not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. This software is supplied as is without expressed or implied warranties of any kind.

Faculty of Information Technology
Brno University of Technology
Bozetechova 2
612 00 Brno
Czech Republic

This software is based on the Cosign protocol specification and implementation.
Copyright (c) 2002 - 2004 Regents of The University of Michigan.
All Rights Reserved.

History

Feb 2010 - version 0.9 - initial public version

May 2012 - version 0.9.1 - typo in stream_socket_client

Nov 2018 - version 0.9.5 - updated for php-5.6, 7.1

Dec 2018 - version 0.9.8 - handle Service with dots, don't try all cosign servers if successful (contributed by Richard Aspden)

Apr 2020 - version 1.0 - fix stream crypto method setup

May 2020 - version 1.1 - more error checks

Simple Cosign client

If your script emits any output before the cosign_auth() call, you must start output buffering with ob_start() first (see Page with Output Buffering).
<?php

include_once("cosign.php");

// cosign_auth() validates the Cosign service cookie against cosignd and, on
// success, sets $_SERVER['REMOTE_USER']. Without arguments it also starts
// output buffering, so it must be called before any output is sent.
if (!cosign_auth()) {
    header("HTTP/1.0 403 Forbidden");
    exit();
}

?>
<html>
<head><title>Simple Cosign protected page</title></head>
<body>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

</body>
</html>

Optional Cosign Authentication

<?php

include_once("cosign.php");

// Even if the Cosign service cookie is present, cosign_auth() must be called
// on every request to check the cookie's validity: presence alone proves
// nothing, any client can send any cookie value.
// PHP stores a cookie whose name contains '.' under a $_COOKIE key with the
// dots replaced by '_', so the str_replace() is needed only if your Service
// name contains a '.'.
// empty() avoids an undefined-index notice when 'dologin' is not in the request.
if (isset($_COOKIE[str_replace('.', '_', $cosign_cfg['CosignService'])]) ||
    !empty($_REQUEST['dologin'])) {
    $authenticated = cosign_auth();
} else {
    $authenticated = false;
}

?>
<html>
<head><title>Simple Optional Cosign protected page</title></head>
<body>
<?php if ($authenticated) { ?>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

<?php } else { ?>
<h1>Not Authenticated</h1>

<a href="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME']); ?>?dologin=1">Click here to login</a>
<?php } ?>
</body>
</html>

Page with Output Buffering

The cosign_auth() call without arguments starts output buffering itself. If output buffering was already started earlier in the script, you have to call cosign_auth() with the second argument set to false:
<?php
// Buffer the output from the start, so that cosign_auth() can still send
// headers after part of the page has already been generated.
ob_start();
?>
<html>
<head><title>Cosign protected page</title></head>
<body>
<h1>Cosign protected page</h1>

<?php
include_once("cosign.php");

// First argument: configuration overrides (none here).
// Second argument: false, because output buffering is already active.
if (!cosign_auth(array(), false)) {
    echo "Authentication failed";
} else {
    echo "Your login is <b>".htmlspecialchars($_SERVER['REMOTE_USER'])."</b>";
}
?>

</body>
</html>
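The wrapper below is an added example, not code from cosign-php or from the original page. It brings the cookie-name rule from Optional Cosign Authentication and the output-buffering flag from Page with Output Buffering together in one place, and generalises the cookie-name rule to the full set of characters PHP rewrites in $_COOKIE keys. The function names cosign_cookie_name(), cosign_has_service_cookie(), cosign_validate(), cosign_optional_user() and cosign_required_user() are the example's own. It assumes that cosign.php defines cosign_auth($cfg, $start_ob), returning a boolean and setting $_SERVER['REMOTE_USER'] on success, and the global $cosign_cfg array with a 'CosignService' key, exactly as the examples above use them.

```php
<?php
// Added example (not part of cosign-php): a thin wrapper around cosign_auth().
// Assumes cosign.php is on the include path and provides cosign_auth() and
// the global $cosign_cfg, as on this page.
include_once("cosign.php");

// PHP rewrites '.' and ' ' in incoming cookie names to '_' when it builds
// $_COOKIE, so a service named "cosign-app.example" is found under the key
// "cosign-app_example". This generalises the str_replace('.', '_', ...) above.
function cosign_cookie_name($service)
{
    return str_replace(array('.', ' '), '_', $service);
}

// True when the browser sent a cookie for this service. This says nothing
// about whether the cookie is valid: any client can send any cookie value,
// so it is only used to decide whether a round trip to cosignd is worthwhile.
function cosign_has_service_cookie()
{
    global $cosign_cfg;
    return isset($_COOKIE[cosign_cookie_name($cosign_cfg['CosignService'])]);
}

// Validate the cookie with cosignd. The second argument asks cosign_auth()
// to start output buffering only when none is active yet, so the same
// wrapper works from a page that already called ob_start() itself.
function cosign_validate()
{
    return cosign_auth(array(), ob_get_level() === 0);
}

// Optional mode: returns the validated login name, or null for an anonymous
// visitor. empty() avoids an undefined-index notice when 'dologin' is absent.
function cosign_optional_user()
{
    if (!cosign_has_service_cookie() && empty($_REQUEST['dologin'])) {
        return null;                 // no cookie and no login request: skip cosignd
    }
    return cosign_validate() ? $_SERVER['REMOTE_USER'] : null;
}

// Required mode: returns the login name, or ends the request with 403
// after discarding any page output that was already buffered.
function cosign_required_user()
{
    if (cosign_validate()) {
        return $_SERVER['REMOTE_USER'];
    }
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header("HTTP/1.0 403 Forbidden");
    exit();
}

// Usage on an optional page:
$user = cosign_optional_user();
if ($user === null) {
    echo '<a href="' . htmlspecialchars($_SERVER['SCRIPT_NAME']) . '?dologin=1">Log in</a>';
} else {
    echo 'Your login is <b>' . htmlspecialchars($user) . '</b>';
}
```

The important property is that $_SERVER['REMOTE_USER'] is never read unless cosign_auth() returned true on this very request; the cookie check only short-circuits the cosignd round trip for visitors who could not possibly be logged in.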

Page With Logout

<?php

include_once("cosign.php");

if (!cosign_auth()) {
    header("HTTP/1.0 403 Forbidden");
    exit();
}

?>
<html>
<head><title>Cosign protected page</title></head>
<body>
<h1>Cosign protected page</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

<!-- Logout is performed by the central Cosign login server (CosignRedirect),
     which ends the single sign-on session. -->
<p><a href="<?php echo htmlspecialchars($cosign_cfg['CosignRedirect']."/logout.cgi"); ?>">Log Out</a></p>

</body>
</html>

© 2012 Faculty of Information Technology BUT
Last modification: Wed Feb 22 12:21:03 2023