LP#
1348731: Optional Auth login nonce to differentiate same-username logins
If multiple login attempts are made using the same username within a
very short period of time, a race condition exists where, upon
completion of the first login, the auth init cache data for any pending
logins are removed, since there can only be one instance of cached init
data per username.
This adds support for allowing the caller to pass in a random string
which is added to the cache key as a way to differentiate between logins
using the same username.
The seed is passed into auth init as an optional secondary parameter
and passed again (via the "nonce" argument) to auth complete to ensure
consistent cache keys across both interactions.
Example:
my $nonce = rand($$);
my $seed = request(
'open-ils.auth',
'open-ils.auth.authenticate.init', $username, $nonce );
my $response = request(
'open-ils.auth',
'open-ils.auth.authenticate.complete',
{
username => $username,
password => md5_hex($seed . md5_hex($password)),
type => 'opac',
nonce => $nonce
}
);
The race condition has been observed with the SIP2 gateway when
multiple devices have been configured to use the same account.
Signed-off-by: Bill Erickson <berick@esilibrary.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
projects / Evergreen.git / commit