matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Overriding nonce verification in the login form #1636

Closed anonymous-matomo-user closed 14 years ago

anonymous-matomo-user commented 14 years ago

To enable direct login to Piwik from my Virtualmin Piwik plugin, I am posting pre-set username-password combinations to Piwik through a frame. Cookies are preserved (client-side) by pre-loading Piwik in a hidden iframe. However, it gets stuck with nonce validation inside the Login module where the nonce is checked against a form variable.

This works perfectly when nonce verification is bypassed.

- if(Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce))
+ if(true || Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce))
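Review bot: `true || Piwik_Nonce::verifyNonce(...)` short-circuits, so `verifyNonce` is never evaluated and the login form loses its CSRF nonce check entirely; for a framed login the check needs to be satisfied with a valid nonce, not removed, so this line must not be shipped in the plugin.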

I have seen and worked around similar security checks in phpMyAdmin. But there's one noticeable difference between Piwik and phpMyAdmin. Unlike Piwik, phpMyAdmin checks for the token in a cookie variable.

Nobody would want nonce check removed including me. However, it would be great if Piwik supports third-party/framed logins without any patches or implementation of just another full-featured login module. Ideally, I am thinking about two possible ways around this:

  1. A new API method which would supply a nonce to trusted third-party scripts.
+ UsersManager.getAuthNonce (userLogin, clientUserAgent)
  2. Relocating the nonce from login form to a cookie. (By setting proper privacy headers, cookies from iframe'd sites can be preserved on client side. But form variables from inside iframe cannot be accessed.)
- $nonce = $form->getSubmitValue('form_nonce');
+ $nonce = $_COOKIE['auth_nonce'];
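Review bot: reading the nonce from `$_COOKIE['auth_nonce']` instead of `form_nonce` makes the check pass for any request the browser sends, because cookies are attached automatically to cross-site POSTs while a hidden form field is not; the nonce only protects the login form while it travels in the form body, so this relocation removes the protection rather than moving it.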

I would also like to draw your attention to the issues users had recently with double requests from browsers/add-ons (see [1236]). Relocating the nonce to a short-lived cookie would most probably make a permanent solution to such future issues as well.

I am asking for this help here because the plugin I am working on is going to be released for the public. Hence, I would prefer an official way to authenticate rather than patching or making complex additions to Piwik source.
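The difference between the two nonce sources proposed above, as an added example that is not Piwik code: the session, the request dictionaries and the `login_*` helpers are constructed for illustration. It models the session-stored login nonce, then submits a legitimate login and a cross-site POST that carries the cookie but cannot carry the hidden form field.

```python
import secrets


class Session:
    """Server-side session holding the nonce issued with the login form (constructed model)."""
    def __init__(self):
        self.nonce = None


def issue_login_form(session):
    """Render the login form: mint a nonce, remember it server-side, and return
    both the hidden form field and the cookie a 'relocated' design would set."""
    session.nonce = secrets.token_hex(16)
    return {"form_nonce": session.nonce, "cookie": {"auth_nonce": session.nonce}}


def verify_nonce(session, presented):
    """Analogue of a single-use verifyNonce: constant-time compare, then consume."""
    ok = (presented is not None and session.nonce is not None
          and secrets.compare_digest(presented, session.nonce))
    session.nonce = None
    return ok


def login_form_nonce(session, request):
    """Current design: nonce read from the posted form field."""
    return verify_nonce(session, request["form"].get("form_nonce"))


def login_cookie_nonce(session, request):
    """Proposal 2 from the issue: nonce read from the cookie instead."""
    return verify_nonce(session, request["cookies"].get("auth_nonce"))


def simulate(check):
    """Return (legit_accepted, forged_accepted) for a given nonce-source design."""
    session = Session()
    page = issue_login_form(session)
    # The real user's browser submits the hidden field and its cookies.
    legit = {"form": {"login": "admin", "form_nonce": page["form_nonce"]},
             "cookies": page["cookie"]}
    legit_ok = check(session, legit)

    session = Session()
    page = issue_login_form(session)
    # A cross-site page cannot read the hidden field, but the browser still
    # attaches the victim's cookies to the forged POST automatically.
    forged = {"form": {"login": "admin"}, "cookies": page["cookie"]}
    forged_ok = check(session, forged)
    return legit_ok, forged_ok
```

`simulate(login_form_nonce)` accepts only the legitimate submission, while `simulate(login_cookie_nonce)` accepts both, which is why a cookie-sourced nonce cannot replace the form field.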

robocoder commented 14 years ago

Use the Login module's logme() method.

anonymous-matomo-user commented 14 years ago

Wow, it's already implemented. Thanks!