Experimental project

This is a sandbox project, which contains experimental code for developer use only.

Shared Secret API provides a mechanism for verifying that a token was generated by a trusted partner using a simple shared secret method.

It generates and validates tokens based on a shared secret (that is, a secret string known by both the website with this module and whoever you trust). In many cases, the entity that you trust is the website with this module, that is, your own site.

Most commonly, it will be used to verify that a link was generated by a trusted entity.

The only current built-in validation is via URL parameters. Given params "s" and "t", this module can verify that the generating party is privy to the shared secret.

Users must define how long each secret hash/timestamp combination is valid.

By default, the shared secret is the site's hash salt. If you are using this module with third parties or clients, you can opt to define a custom shared secret which is stored in the database. There is a plan and path to allow users to store the secret in a separate file outside of the web docroot, but this has not yet been implemented.


The original inspiration for this module came from a client that resells a Drupal site developed by me. Some of that client's clients wanted to guarantee that no one could access their purchased (resold) site unless the referring URL was the client's domain. Obviously, $_SERVER['HTTP_REFERER'] isn't good enough, so I developed a way to verify that an incoming link was generated by a trusted party (either this site or a white-listed partner) by simply hashing the shared secret and the expiry timestamp and sending the hash and the expiry timestamp as params.

To validate, we just hash (md5) our known secret with the provided expiry timestamp and make sure it matches the provided hash. We also check that the current time() is less than the provided (expiry) timestamp. If so, the link/user of the link/generator of the link can be considered verified.


I want to be clear about how this module goes about "validating" that someone knows the Shared Secret and to provide an inconclusive list of how it might be possible to spoof it.

Generator

Generator Knows

* Shared Secret

Generator Given

* Duration Valid (self provided)

Generate

1) Hash (concatenated) Secret + Duration.
2) Provide Receiver with:
   a) hash
   b) time() + Duration Valid

Validator

Validator Knows

* Shared Secret

Validator Given:

* Generator generated hash
* Generator Duration

Validate

1) Hash (concatenated) Secret + Duration (provided by Generator)
2) Compare hash to Given hash
3) Compare timestamp given to time()
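
The generate/validate flow above as PHP, an added example that is not the module's own code: it runs the hash as the page describes it (md5 of the secret concatenated with the expiry timestamp) beside an HMAC-SHA256 variant, with strict parsing of the untrusted params and a constant-time comparison. The function names, the sample secret and the mapping of "s" to the hash and "t" to the expiry timestamp are assumptions.

```php
<?php
// Added example, not the module's code. Function names, the sample secret and
// the mapping "s" = hash, "t" = expiry timestamp are assumptions.

/** Hash over secret and expiry: the page's md5 concatenation, or HMAC-SHA256. */
function example_token_hash(string $secret, string $expiry, bool $hmac): string {
  return $hmac ? hash_hmac('sha256', $expiry, $secret) : md5($secret . $expiry);
}

/** Generator: returns the two URL params for a link valid for $duration seconds. */
function example_generate(string $secret, int $duration, int $now, bool $hmac = TRUE): array {
  $expiry = (string) ($now + $duration);
  return ['s' => example_token_hash($secret, $expiry, $hmac), 't' => $expiry];
}

/** Validator: TRUE only if "s" matches the recomputed hash and "t" is in the future. */
function example_validate(string $secret, array $params, int $now, bool $hmac = TRUE): bool {
  $s = $params['s'] ?? NULL;
  $t = $params['t'] ?? NULL;
  // Query params are untrusted: reject arrays (?s[]=x), missing values and any
  // "t" that is not plain digits before it reaches the hash or the comparison.
  if (!is_string($s) || !is_string($t) || preg_match('/^[0-9]{1,12}$/D', $t) !== 1) {
    return FALSE;
  }
  // hash_equals() compares in constant time, unlike == or ===.
  if (!hash_equals(example_token_hash($secret, $t, $hmac), $s)) {
    return FALSE;
  }
  return $now < (int) $t;
}

// Constructed sample values.
$secret = 'constructed-sample-secret';
$now = 1700000000;

foreach ([FALSE, TRUE] as $hmac) {
  $link = example_generate($secret, 3600, $now, $hmac);
  $altered = ['s' => $link['s'], 't' => (string) ($now + 86400)];
  var_dump([
    'scheme' => $hmac ? 'hmac-sha256' : 'md5 concat (as on the page)',
    'inside validity window' => example_validate($secret, $link, $now + 60, $hmac),
    'after expiry' => example_validate($secret, $link, $now + 3601, $hmac),
    'expiry altered, hash reused' => example_validate($secret, $altered, $now + 60, $hmac),
    'array passed as "s"' => example_validate($secret, ['s' => ['x'], 't' => $link['t']], $now, $hmac),
  ]);
}
```

Both schemes go through the same four checks; the HMAC variant is the standard keyed-hash construction, so it does not depend on how the secret and the timestamp are concatenated.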

Weaknesses

1) Discovery of Shared Secret? (Only unique to this module if user selects DB storage AND DB is compromised - Not our problem?)
2) Link is leaked (Problem of the white-lister?)


See Awthenticate.
