I want to make a form that points to a non-Drupal PHP script, but I want to make reasonable efforts to ensure that the user is logged into Drupal and that I record the Drupal user id when he submits the form.
I need PHP to get the Drupal user id.
I'm struggling to find a secure way to send the data. The data is not secret; I just don't want the Drupal user id to be forged. So far what I have in mind is to take the HMAC of the Drupal user id and a timestamp:
<?php
// Drupal keeps the numeric user id in the uid property of the global $user object.
global $user;
$data = $user->uid . ':' . time();
$hmac = hash_hmac('sha256', $data, 's3kr3T');
?>
Then the receiving script can check that the timestamp is recent and the data string and hmac match.
In practice, this should be enough, but I would still prefer to use something that didn't rely on an expiring timestamp.
Anyways, this is actually going on a tangent. Even if I don't use any HMAC at all, I still need Drupal just to get the Drupal user id.
Cheers, Daniel.
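The scheme described in the message above, with both the signing side and the receiving script's check, as an added example that is not code from the original post. The function names, the 300-second window, the placeholder secret and the sample values are assumptions.

```php
<?php
// Added example; names, window and sample values are assumptions, not from the post.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder, same on both sides
const MAX_AGE = 300; // assumed freshness window, in seconds

// Drupal side: build "uid:timestamp" and its HMAC, to be sent as hidden form fields.
function make_token(int $uid, string $secret, ?int $now = null): array
{
    $data = $uid . ':' . ($now ?? time());
    return ['data' => $data, 'hmac' => hash_hmac('sha256', $data, $secret)];
}

// Receiving script: returns the verified uid, or null when any check fails.
function verify_token(string $data, string $hmac, string $secret, int $maxAge, ?int $now = null): ?int
{
    // Verify the MAC first, in constant time, before trusting any field.
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $hmac)) {
        return null;
    }
    // Strict format: digits, colon, digits, nothing else.
    if (!preg_match('/\A(\d+):(\d+)\z/', $data, $m)) {
        return null;
    }
    // Reject timestamps from the future and tokens older than the window.
    $age = ($now ?? time()) - (int) $m[2];
    if ($age < 0 || $age > $maxAge) {
        return null;
    }
    // Drupal's anonymous user has uid 0, so a valid token for it is not a login.
    $uid = (int) $m[1];
    return $uid > 0 ? $uid : null;
}

// Constructed demonstration with a fixed clock.
$t0  = 1264800000; // constructed timestamp
$tok = make_token(42, SHARED_SECRET, $t0);

// Case 1: fresh, untampered token.
var_dump(verify_token($tok['data'], $tok['hmac'], SHARED_SECRET, MAX_AGE, $t0 + 10));
// Case 2: uid swapped in the data field, original HMAC reused.
var_dump(verify_token('1:' . $t0, $tok['hmac'], SHARED_SECRET, MAX_AGE, $t0 + 10));
// Case 3: genuine token presented after the window has passed.
var_dump(verify_token($tok['data'], $tok['hmac'], SHARED_SECRET, MAX_AGE, $t0 + 3600));
```

Within the freshness window a captured token can still be replayed; the window only bounds how long that is possible.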
Michael Scappa wrote:
Pretty sure it has been this way for some time. It isn't something you want enabled unless you have a reason.
On Jan 29, 2010 5:58 PM, "Daniel Carrera" <daniel.carrera@theingots.org> wrote:
Yeah. Thanks for the help anyways.
The fact that the PHP module is disabled by default must be a new feature/bug.
Cheers, Daniel.
Marty Landman wrote:
Sorry I didn't read that right.
At 05:28 PM 1/29/2010, you wrote:
E...