Cosign Filter Implementation in PHP

• Features
• Requirements
• Limitations
• Installation
• Examples
  • Simple Cosign client
  • Optional Cosign authentication
  • Page with output buffering
  • Page with logout
• Mailing lists (TODO)
• Bug reports
• README
• License
• History

Features

• Cosign v0/v2/v3 client protocol implementation in PHP only (no Apache module required)
• Cosign v3 validation service (compatible with Apache module implementation)
• Kerberos ticket retrieval support (not tested)
• Multiple Cosignd server support (DNS load balancing)
• Single source file, no external includes, very fast, low overhead
• APC cache friendly (no problems running with APC)

Requirements

• PHP-5.2.x or greater (tested in 5.2.12-17)
• NOTICE: It doesn't work in buggy version 5.3.9 and 5.3.10 (or google patched 5.2.17), the reason is bug in stream_get_line().
• SSL socket transport support (php configure option --with-openssl)
• Cosign Service Client Certificate and Private Key (don't use Web server Certificate in any case!)

Limitations

• No persistent cosignd server connections. SSL connection setup cost during cookie file validation, in default setup once per 60 seconds/client (no problem to handle hundreds of clients).
• No proxy support (it could be added, if requested).
• Factor support not tested.

Copyright

License

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of The Brno University of Technology not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. This software is supplied as is without expressed or implied warranties of any kind.

Brno University of Technology, Faculty of Information Technology
Bozetechova 2
612 66 Brno
Czech Republic

This software is based on the Cosign protocol specification and implementation.
Copyright (c) 2002 - 2004 Regents of The University of Michigan.
All Rights Reserved.

History

Feb 2010 - version 0.9 - initial public version

May 2012 - version 0.9.1 - typo in stream_socket_client

Simple Cosign client

<?php

include_once("cosign.php");

if (!cosign_auth()) {
	header("403 Not Authorized");
	exit();
}

?>
<html>
<head>Simple Cosign protected page</head>
</html>
<body>
<h1>Successfull Authentication</h1>

Your login is <b><?php echo $_SERVER['REMOTE_USER']; ?></b>

</body>
</html>

Optional Cosign Authentication

<?php

include_once("cosign.php");

// even if Cosign cookie is set, cosign_auth() must be called every time to check its validity
if (isset($_COOKIE[$cosign_cfg['CosignService']]) || $_REQUEST['dologin']) {
    $authenticated = cosign_auth();
} else {
    $authenticated = false;
}

?>
<html>
<head>Simple Optional Cosign protected page</head>
</html>
<body>
<?php
if ($authenticated) {
?>
<h1>Successfull Authentication</h1>

Your login is <b><?php echo $_SERVER['REMOTE_USER']; ?></b>

<?php } else { ?>
<h1>Not Authenticated</h1>

<a href="<?php echo $_SERVER['PHP_SELF']; ?>?dologin=1">Click here to login</a>
<?php } ?>
</body>
</html>

Page with Output Buffering

<?php
ob_start();
include_once("cosign.php");

if (!cosign_auth(array(), false)) {
	header("403 Not Authorized");
	exit();
}

?>
<html>
<head>Cosign protected page</head>
</html>
<body>
<h1>Cosign protected page</h1>

Your login is <b><?php echo $_SERVER['REMOTE_USER']; ?></b>

</body>
</html>

Page With Logout

<?php

include_once("cosign.php");

if (!cosign_auth()) {
	header("403 Not Authorized");
	exit();
}

?>
<html>
<head>Cosign protected page</head>
</html>
<body>
<h1>Cosign protected page</h1>

Your login is <b><?php echo $_SERVER['REMOTE_USER']; ?></b>

<p><a href="<?php echo $cosign_cfg['CosignRedirect']."/logout.cgi"; ?>">Log Out</a>

</body>
</html>