Cosign Filter Implementation in PHP

Download: cosign-php-0.9.tar.gz (tar.gz)

Features

Requirements

  • PHP 5.2.x or greater (tested with 5.2.12 and 5.2.13)
  • SSL socket transport support (PHP configure option --with-openssl)
  • Cosign service client certificate and private key (do not use the Web server certificate under any circumstances!)

Limitations

  • No persistent cosignd server connections. The SSL connection setup cost is paid on every cookie file validation, which in the default setup happens once per 60 seconds per client (handling hundreds of clients is no problem).
  • No proxy support (it could be added, if requested).

Copyright

Copyright (c) 2010 Brno University of Technology, Faculty of Information Technology
All Rights Reserved.

License

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of The Brno University of Technology not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. This software is supplied as is without expressed or implied warranties of any kind.

Brno University of Technology, Faculty of Information Technology
Bozetechova 2
612 66 Brno
Czech Republic

This software is based on the Cosign protocol specification and implementation.
Copyright (c) 2002 - 2004 Regents of The University of Michigan.
All Rights Reserved.

History

Feb 2010 - version 0.9 - initial public version

Simple Cosign client

<?php

include_once("cosign.php");

// Refuse the request unless Cosign authentication succeeds.
if (!cosign_auth()) {
    header("HTTP/1.1 403 Forbidden");
    exit();
}

?>
<html>
<head><title>Simple Cosign protected page</title></head>
<body>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

</body>
</html>

Optional Cosign Authentication

<?php

include_once("cosign.php");

// Authenticate only when a Cosign service cookie is present or the
// visitor asked to log in; otherwise serve the page anonymously.
if (isset($_COOKIE[$cosign_cfg['CosignService']]) || !empty($_REQUEST['dologin'])) {
    $authenticated = cosign_auth();
} else {
    $authenticated = false;
}

?>
<html>
<head><title>Simple Optional Cosign protected page</title></head>
<body>
<?php
if ($authenticated) {
?>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

<?php } else { ?>
<h1>Not Authenticated</h1>

<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>?dologin=1">Click here to login</a>
<?php } ?>
</body>
</html>

Page with Output Buffering

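<?php
// Buffer output so that headers can still be sent after output has started.
ob_start();
include_once("cosign.php");

// Keep the result in $authenticated, which the template below tests.
$authenticated = cosign_auth(array(), false);
if (!$authenticated) {
    header("HTTP/1.1 403 Forbidden");
    exit();
}

?>
<html>
<head><title>Cosign protected page</title></head>
<body>
<?php
if ($authenticated) {
?>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

<?php } else { ?>
<h1>Not Authenticated</h1>

<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>?dologin=1">Click here to login</a>
<?php } ?>
</body>
</html>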

Page With Logout

<?php

include_once("cosign.php");

// Keep the result in $authenticated, which the template below tests.
$authenticated = cosign_auth(array(), false);
if (!$authenticated) {
    header("HTTP/1.1 403 Forbidden");
    exit();
}

?>
<html>
<head><title>Cosign protected page</title></head>
<body>
<?php
if ($authenticated) {
?>
<h1>Successful Authentication</h1>

Your login is <b><?php echo htmlspecialchars($_SERVER['REMOTE_USER']); ?></b>

<a href="<?php echo htmlspecialchars($cosign_cfg['CosignRedirect']."/logout.cgi"); ?>">Log Out</a>

<?php } else { ?>
<h1>Not Authenticated</h1>

<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>?dologin=1">Click here to login</a>
<?php } ?>
</body>
</html>

© 2010 Faculty of Information Technology BUT
Last modification: Thu Feb 10 15:19:42 2011