Contains functions used to do authentication.

Dependencies: functions/global.php functions/strings.php.

cram_md5_response (line 149)

Given the challenge from the server, supply the response using CRAM-MD5 (see RFC 2195 for details).

  • return: The response to be sent to the IMAP server
  • since: 1.4.0
string cram_md5_response (string $username, string $password, string $challenge)
  • string $username: User ID
  • string $password: User password supplied by User
  • string $challenge: The challenge supplied by the server
digest_md5_parse_challenge (line 235)

Parse Digest-MD5 challenge.

This function parses the challenge sent during DIGEST-MD5 authentication and returns an array. See RFC 2831 for details on what's in the challenge string.

  • return: Digest-MD5 challenge decoded data
  • since: 1.4.0
array digest_md5_parse_challenge (string $challenge)
  • string $challenge: Digest-MD5 Challenge
digest_md5_response (line 173)

Return Digest-MD5 response.

Given the challenge from the server, calculate and return the response string for DIGEST-MD5 authentication (see RFC 2831 for more details).

  • return: The response to be sent to the IMAP server
  • since: 1.4.0
string digest_md5_response (string $username, string $password, string $challenge, string $service, string $host, [string $authz = ''])
  • string $username: User ID
  • string $password: User password supplied by User
  • string $challenge: The challenge supplied by the server
  • string $service: The service name, usually 'imap'; it is used to define the digest-uri.
  • string $host: The host name, usually the server's FQDN; it is used to define the digest-uri.
  • string $authz: Authorization ID (since 1.5.2)
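The parse and response steps documented above, as an added example that is not SquirrelMail's own code: it decodes a challenge into directives and builds the RFC 2831 `qop=auth` response without an authorization ID. The function names are hypothetical, and the sample inputs are the worked example from RFC 2831 section 4, so the printed `response` value can be compared against the RFC.

```php
<?php
// Added example, not SquirrelMail's code. Function names are hypothetical.

/** Decode a challenge into directives (key=value or key="value"). */
function example_parse_digest_challenge(string $b64): array
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        throw new InvalidArgumentException('challenge is not valid base64');
    }
    // Quoted values may hold commas (qop="auth,auth-int") and backslash
    // escapes, so match pairs with a regex instead of explode(',').
    $re = '/([a-z-]+)=(?:"((?:[^"\\\\]|\\\\.)*)"|([^,"]*))/i';
    preg_match_all($re, $raw, $pairs, PREG_SET_ORDER);
    $out = [];
    foreach ($pairs as $p) {
        $bare = $p[3] ?? '';
        $out[strtolower($p[1])] = $bare !== '' ? $bare : stripslashes($p[2]);
    }
    return $out;
}

/** RFC 2831 response for qop=auth; $cnonce must be fresh random data. */
function example_digest_md5_response(array $c, string $user, string $pass,
    string $service, string $host, string $cnonce): string
{
    $qops = array_map('trim', explode(',', $c['qop'] ?? 'auth'));
    if (empty($c['nonce']) || !in_array('auth', $qops, true)
        || strtolower($c['algorithm'] ?? '') !== 'md5-sess') {
        throw new UnexpectedValueException('unusable DIGEST-MD5 challenge');
    }
    [$nonce, $realm, $uri, $nc] = [$c['nonce'], $c['realm'] ?? '', "$service/$host", '00000001'];
    $a1   = md5("$user:$realm:$pass", true) . ":$nonce:$cnonce"; // no authzid
    $a2   = "AUTHENTICATE:$uri";
    $resp = md5(md5($a1) . ":$nonce:$nc:$cnonce:auth:" . md5($a2));
    return base64_encode("username=\"$user\",realm=\"$realm\",nonce=\"$nonce\","
        . "cnonce=\"$cnonce\",nc=$nc,qop=auth,digest-uri=\"$uri\",response=$resp");
}

// Inputs are the worked example from RFC 2831 section 4, re-encoded here.
// A real client would pass bin2hex(random_bytes(16)) as the cnonce.
$challenge = base64_encode('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",'
    . 'qop="auth",algorithm=md5-sess,charset=utf-8');
$c = example_parse_digest_challenge($challenge);
print_r($c);
echo base64_decode(example_digest_md5_response(
    $c, 'chris', 'secret', 'imap', 'elwood.innosoft.com', 'OA6MHXh6VqTrRk')), "\n";
```

The example does not escape quotes or backslashes inside the username or realm; values containing them would need quoting before being placed in the response.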
get_smtp_user (line 346)

Fill in user and password based on SMTP auth settings.

  • since: 1.4.11
void get_smtp_user (string &$user, string &$pass)
  • string &$user: Reference to SMTP username
  • string &$pass: Reference to SMTP password (unencrypted)
hmac_md5 (line 299)

Creates an HMAC digest that can be used for authentication purposes. See RFCs 2104, 2617, 2831.

Uses PHP's Hash extension if available (enabled by default in PHP 5.1.2+; see http://www.php.net/manual/en/hash.requirements.php) or, if installed on earlier PHP versions, the PECL hash module (see http://pecl.php.net/package/hash).

Otherwise, will attempt to use the Mhash extension - see http://www.php.net/manual/en/mhash.requirements.php

Finally, a fall-back custom implementation is used if none of the above are available.

  • return: The HMAC-MD5 digest string
  • since: 1.4.0
string hmac_md5 (string $data, [string $key = ''])
  • string $data: The data to be encoded/hashed
  • string $key: The (shared) secret key that will be used to build the keyed hash. This argument is technically optional, but only for internal use (when the custom hash implementation is being used) - external callers should always specify a value for this argument.
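The fallback described for hmac_md5 and the response built by cram_md5_response rest on the same RFC 2104 construction, so one added example covers both; it is not SquirrelMail's own code and its function names are hypothetical. It assumes the challenge arrives base64-encoded as on the wire, leaves out the Mhash tier, and uses a constructed sample exchange.

```php
<?php
// Added example, not SquirrelMail's code. Function names are hypothetical.

/** HMAC-MD5 built by hand from RFC 2104, for hosts without hash_hmac(). */
function example_hmac_md5_fallback(string $data, string $key): string
{
    $block = 64;                               // MD5 block size in bytes
    if (strlen($key) > $block) {
        $key = md5($key, true);                // long keys are hashed first
    }
    $key  = str_pad($key, $block, "\0");       // then zero-padded to a block
    $ipad = $key ^ str_repeat("\x36", $block);
    $opad = $key ^ str_repeat("\x5c", $block);
    return md5($opad . md5($ipad . $data, true));
}

/** Prefer the Hash extension, fall back to the manual construction. */
function example_hmac_md5(string $data, string $key): string
{
    return function_exists('hash_hmac')
        ? hash_hmac('md5', $data, $key)
        : example_hmac_md5_fallback($data, $key);
}

/** RFC 2195: base64(username SP hex(HMAC-MD5(password, challenge))). */
function example_cram_md5_response(string $user, string $pass, string $b64Challenge): string
{
    $challenge = base64_decode($b64Challenge, true);
    if ($challenge === false || $challenge === '') {
        throw new InvalidArgumentException('challenge is not valid base64');
    }
    return base64_encode($user . ' ' . example_hmac_md5($challenge, $pass));
}

// Constructed sample exchange (not captured from a real server).
$challenge = base64_encode('<1234.5678@mail.example.com>');
$response  = example_cram_md5_response('alice', 'correct horse', $challenge);
echo "S: + $challenge\nC: $response\n";

// The fallback must agree with the extension, including for keys > 64 bytes.
foreach (['k', str_repeat('K', 100)] as $key) {
    $same = hash_equals(hash_hmac('md5', 'msg', $key), example_hmac_md5_fallback('msg', $key));
    echo strlen($key), "-byte key: ", $same ? "match" : "MISMATCH", "\n";
}
```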
sqauth_is_logged_in (line 51)

Detect whether user is logged in

Function is similar to is_logged_in() function. If user is logged in, function returns true. If user is not logged in or session is expired, function saves $_POST and PAGE_NAME in session and returns false. POST information is saved in 'session_expired_post' variable, PAGE_NAME is saved in 'session_expired_location'.

This function optionally checks the referrer of this page request. If the administrator wants to impose a check that the referrer of this page request is another page on the same domain (otherwise, the page request is likely the result of a XSS or phishing attack), then they need to specify the acceptable referrer domain in a variable named $check_referrer in config/config.php (or the configuration tool). The value is usually the same as the $domain setting, for example: $check_referrer = 'example.com'; However, in some cases (where proxy servers are in use, etc.), the acceptable referrer might be different.

If $check_referrer is set to "###DOMAIN###", then the current value of $domain is used. This is useful in situations where $domain might change at runtime (when using the Login Manager plugin to host multiple domains with one SquirrelMail installation, for example): $check_referrer = '###DOMAIN###';

NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed by browsers, and some browsers intentionally don't send them, in which case SquirrelMail silently ignores referrer checks.

A script that uses this function instead of the is_logged_in() function must handle user-level messages.

  • since: 1.5.1
boolean sqauth_is_logged_in ()
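One way to implement the referrer rule described above, as an added example that is not SquirrelMail's own code: `example_referrer_ok()` is a hypothetical helper that resolves `###DOMAIN###`, passes requests with no Referer header as the documentation describes, and otherwise compares the parsed host. Accepting subdomains of the configured value is an assumption of this example, and the request data is constructed.

```php
<?php
// Added example, not SquirrelMail's code. example_referrer_ok() is hypothetical.

/**
 * Decide whether a request's Referer header satisfies $check_referrer.
 * Returns true when the check is disabled or the header is absent, which
 * mirrors the documented "silently ignores" behaviour.
 */
function example_referrer_ok(string $checkReferrer, string $domain, ?string $referer): bool
{
    if ($checkReferrer === '###DOMAIN###') {
        $checkReferrer = $domain;              // follow the runtime $domain
    }
    if ($checkReferrer === '' || $referer === null || $referer === '') {
        return true;                           // nothing to compare against
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                          // malformed or non-web referrer
    }
    $host   = strtolower($parts['host']);
    $expect = strtolower($checkReferrer);
    // Assumption: the exact host or a subdomain of it is acceptable. Compare
    // whole labels, never substrings, so "example.com.other.test" fails.
    return $host === $expect || substr($host, -strlen(".$expect")) === ".$expect";
}

// Constructed requests: [configured value, $domain, Referer header].
$cases = [
    ['example.com',  'example.com', 'https://example.com/src/webmail.php'],
    ['###DOMAIN###', 'example.org', 'https://mail.example.org/src/login.php'],
    ['example.com',  'example.com', 'https://example.com.other.test/x'],
    ['example.com',  'example.com', 'https://other.test/?u=http://example.com/'],
    ['example.com',  'example.com', null],     // browser sent no Referer
];
foreach ($cases as [$cfg, $domain, $ref]) {
    printf("%-45s %s\n", $ref ?? '(none)', example_referrer_ok($cfg, $domain, $ref) ? 'accept' : 'reject');
}
```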
sqauth_read_password (line 95)

Reads and decodes stored user password information

Direct access to password information is deprecated.

  • return: password in plain text
  • since: 1.5.1
string sqauth_read_password ()
sqauth_save_password (line 129)

Saves or updates user password information

This function is used to update the password information that SquirrelMail stores in the existing PHP session. It does NOT modify the password stored in the authentication system used by the IMAP server.

This function must be called before any HTML output is started. Direct access to password information is deprecated. The saved password information is available only to the SquirrelMail script that is called/executed AFTER the current one. If your script needs access to the saved password after a sqauth_save_password() call, use the returned OTP encrypted key.

  • return: Password encrypted with OTP, in case the script wants to access the password information before the end of its execution.
  • since: 1.5.1
string sqauth_save_password (string $pass)
  • string $pass: password

Documentation generated on Tue, 17 Apr 2018 04:22:10 +0200 by phpDocumentor 1.4.3