From 280a9b6cf6dace7b773e8ebb9ac4d5b7cf097a16 Mon Sep 17 00:00:00 2001
From: Laura Hild <lshild@wm.edu>
Date: Thu, 7 Aug 2014 12:43:52 -0400
Subject: [PATCH] Symphony: improve getSessionToken() comments

---
 .../VuFind/src/VuFind/ILS/Driver/Symphony.php | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/module/VuFind/src/VuFind/ILS/Driver/Symphony.php b/module/VuFind/src/VuFind/ILS/Driver/Symphony.php
index 1dbf239798d..88e05d51ebf 100644
--- a/module/VuFind/src/VuFind/ILS/Driver/Symphony.php
+++ b/module/VuFind/src/VuFind/ILS/Driver/Symphony.php
@@ -193,18 +193,30 @@ class Symphony extends AbstractBase implements ServiceLocatorAwareInterface
     }
 
     /**
-     * Return or create the session token for current session.
+     * Return a SymWS session token for given credentials.
+     *
+     * To avoid needing to repeatedly log in the same user,
+     * cache acquired session tokens by the credentials provided.
+     * If the cached session token is expired or otherwise defective,
+     * the caller can use the $reset parameter.
      *
      * @param string  $login    The login account name
      * @param string  $password The login password
-     * @param boolean $reset    If true, replace the currently cached token
+     * @param boolean $reset    If true, replace any currently cached token
      *
-     * @return string The session token for the active session
+     * @return string The session token
      */
-    protected function getSessionToken($login, $password, $reset = false)
+    protected function getSessionToken($login, $password = null, $reset = false)
     {
         static $sessionTokens = array();
 
+        // If we keyed only by $login, we might mistakenly retrieve a valid
+        // session token when provided with an invalid password.
+        // We hash the credentials to reduce the potential for
+        // incompatibilities with key limitations of whatever cache backend
+        // an administrator might elect to use for session tokens,
+        // and though more expensive, we use a secure hash because
+        // what we're hashing contains a password.
         $key = hash('sha256', "$login:$password");
 
         if (!isset($sessionTokens[$key]) || $reset) {
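Review bot: The cache key computed on the last added line is a plain, unsalted SHA-256 over `"$login:$password"`, so anyone able to read wherever these keys end up (the `$_SESSION` copy written later in this function, or the external cache backend the new comment anticipates) can recover a weak password offline by guessing, which is more than the comment's "secure hash" wording implies. A keyed digest with a random secret generated once per session stores nothing derivable from the password alone, e.g. `$key = hash_hmac('sha256', "$login\0$password", $sessionSecret);` where `$sessionSecret` is a placeholder for that per-session value; using `\0` rather than `:` as the separator also removes the ambiguity a login containing `:` creates between `("a:b", "c")` and `("a", "b:c")`. Separately, the signature now defaults `$password` to `null`, so the docblock line `@param string  $password The login password` should become `@param string|null $password The login password, if any`. getSessionToken continues past the end of this hunk.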
@@ -212,15 +224,12 @@ class Symphony extends AbstractBase implements ServiceLocatorAwareInterface
                 $sessionTokens[$key] = $token;
             } else {
                 $params = array('login' => $login);
-
                 if (isset($password)) {
                     $params['password'] = $password;
                 }
 
                 $response = $this->makeRequest('security', 'loginUser', $params);
-
                 $sessionTokens[$key] = $response->sessionToken;
-
                 $_SESSION['symws']['session'] = $sessionTokens;
             }
         }
-- 
GitLab