
browserID server logout

Developer https://www.devze.com 2023-04-05 20:34 Source: Internet

So I found this browserid.org and then this [browserid.org/developers] and decided I would like to try this new authentication method that is BrowserID. After digging into the only semi-official example I could find (browserid_favbeer_example) and flipping back and forth to the 3 easy steps page I am still puzzled. I searched around a bit and found one, the JavaScript implementation can be easily exploited (for right now) and two, from a very nice fellow, the example below. The first thing I noticed it missing was the logout. If anybody could be so kind as to help me complete the logout it would be much appreciated.

<?php
/*
 * Simple implementation of Mozilla BrowserID (see https://browserid.org/)
 * Author : Guillaume <guillaume@atto.be>
 */
/*
 * Usage :
 *
$browserid = new BrowserID('mywebserver.com', $_POST['assertion']);
if($browserid->verify_assertion())
{
  echo('Welcome, your email is '.$browserid->get_email());
}
 */
class BrowserID
{
  private $audience;
  private $assertion;
  private $email;
  private $validity;
  private $issuer;
  /*
   * POST the urlencoded string $data to $url and return the response body,
   * or FALSE if the connection could not be opened.
   */
  private function post_request($url, $data)
  {
    $params = array('http' => array(
      'method'  => 'POST',
      'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
      'content' => $data
    ));
    $ctx = stream_context_create($params);
    $fp = @fopen($url, 'rb', false, $ctx);
    if($fp)
    {
      return stream_get_contents($fp);
    }
    else
    {
      return FALSE;
    }
  }
  // PHP 5.3.3+/7 style constructor (the old PHP4-style "function BrowserID()"
  // constructor is deprecated in PHP 7 and removed in PHP 8)
  public function __construct($audience, $assertion)
  {
    $this->audience = $audience;
    $this->assertion = $assertion;
  }
  /*
   * Send the assertion to the browserid.org server (this must be over HTTPS)
   * The response is read to determine if the assertion is authentic
   */
  public function verify_assertion()
  {
    // The verifier answers with JSON: status, email, valid-until, issuer
    $data = 'assertion='.urlencode($this->assertion)
          .'&audience='.urlencode($this->audience);
    $response = $this->post_request('https://browserid.org/verify', $data);
    $result = ($response === FALSE) ? null : json_decode($response, true);
    if(isset($result['status']) && $result['status'] == 'okay')
    {
      $this->email = $result['email'];
      $this->validity = $result['valid-until'];
      $this->issuer = $result['issuer'];
      return true;
    }
    else
    {
      return false;
    }
  }
  public function get_email()
  {
    return $this->email;
  }
  public function get_validity()
  {
    return $this->validity;
  }
  public function get_issuer()
  {
    return $this->issuer;
  }
}// end class BrowserID
$browserid = new BrowserID($_SERVER['HTTP_HOST'], $_POST['assertion']);
if($browserid->verify_assertion())
{
  echo('Welcome '.$browserid->get_email());
}
else
{
  echo('Identification failure');
}
?>


I hope it's not too late to answer your question. It was noticed in the BrowserID mailing list, but unfortunately no one came back here to answer you.

After you authenticate with BrowserID, you set an authentication cookie and based on the cookie you can determine if the user is valid. Then to log out, you offer the user a link that will have you delete that cookie.


Joe's answer is right: Persona doesn't replace your existing session management, so you still have to create and delete your cookies.

However, the new Persona/BrowserID API now has a navigator.id.logout() function that you should call, as well as an "onlogout" callback inside navigator.id.watch() where you specify what happens when users log out (i.e., cookies get deleted):

https://developer.mozilla.org/en-US/docs/DOM/navigator.id#ObserverMethods
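To show both answers working together, here is an added example of my own (not code from the question, from Guillaume's class, or from either answer). It assumes the questioner's BrowserID class is saved as browserid.php next to this file, that the site is served over HTTPS, that PHP 7.3 or later is available (for the array forms of session_set_cookie_params and setcookie), and that the client-side shim is loaded from the Persona include script URL shown in the markup. Login verifies the assertion server-side and binds the email to a freshly regenerated session id; logout empties the session, expires the cookie and destroys the session. Both are POSTs carrying a per-session token, so a third-party page cannot log the user in or out on their behalf. The page script uses navigator.id.watch() with onlogin/onlogout, navigator.id.request() and navigator.id.logout() exactly as the second answer describes.

```php
<?php
// Added example: session login/logout around the BrowserID class from the
// question. Assumes browserid.php beside this file and an HTTPS site.
require_once __DIR__ . '/browserid.php';

session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

function current_user() {
    return isset($_SESSION['email']) ? $_SESSION['email'] : null;
}

// Per-session token so that login/logout POSTs cannot be forged cross-site.
function csrf_token() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_ok() {
    return isset($_POST['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $_POST['csrf']);
}

function handle_login() {
    $assertion = isset($_POST['assertion']) ? $_POST['assertion'] : '';
    $browserid = new BrowserID($_SERVER['HTTP_HOST'], $assertion);
    if (!$browserid->verify_assertion()) {
        http_response_code(401);
        return ['status' => 'failure'];
    }
    session_regenerate_id(true);   // fresh id once authenticated (no fixation)
    $_SESSION['email'] = $browserid->get_email();
    return ['status' => 'okay', 'email' => $browserid->get_email()];
}

function handle_logout() {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [   // expire the cookie in the browser too
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
    return ['status' => 'okay'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    $action = isset($_POST['action']) ? $_POST['action'] : '';
    if (!csrf_ok()) {
        http_response_code(403);
        echo json_encode(['status' => 'failure', 'reason' => 'bad csrf token']);
    } elseif ($action === 'login') {
        echo json_encode(handle_login());
    } elseif ($action === 'logout') {
        echo json_encode(handle_logout());
    } else {
        http_response_code(400);
        echo json_encode(['status' => 'failure', 'reason' => 'unknown action']);
    }
    exit;
}
$user  = current_user();
$token = csrf_token();
?>
<!DOCTYPE html>
<html><body>
<p><?= $user ? 'Signed in as ' . htmlspecialchars($user) : 'Not signed in' ?></p>
<button id="login">Sign in</button> <button id="logout">Sign out</button>
<script src="https://login.persona.org/include.js"></script>
<script>
var csrf = <?= json_encode($token) ?>;
function post(fields, done) {   // form-encoded POST back to this same page
  var body = 'csrf=' + encodeURIComponent(csrf);
  for (var k in fields) body += '&' + k + '=' + encodeURIComponent(fields[k]);
  var xhr = new XMLHttpRequest();
  xhr.open('POST', window.location.pathname);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onload = function () { done(xhr.status === 200); };
  xhr.send(body);
}
navigator.id.watch({
  loggedInUser: <?= json_encode($user) ?>,  // keeps Persona in step with our session
  onlogin: function (assertion) {
    post({action: 'login', assertion: assertion}, function (ok) {
      if (ok) window.location.reload(); else navigator.id.logout();
    });
  },
  onlogout: function () {
    post({action: 'logout'}, function () { window.location.reload(); });
  }
});
document.getElementById('login').onclick  = function () { navigator.id.request(); };
document.getElementById('logout').onclick = function () { navigator.id.logout(); };
</script>
</body></html>
```

Passing loggedInUser tells Persona who the server currently believes is signed in, so it only fires onlogin/onlogout when the two sides disagree; if the server rejects an assertion, the script calls navigator.id.logout() so the browser state converges with the server rather than looping. The logout endpoint deliberately requires a POST with the session token instead of the plain link Joe mentions, so that another site cannot end the user's session by embedding that link.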
