uakfdotb · August 29, 2015 14:03
diff --git a/gistfile1.txt b/gistfile1.txt
 <?php

 //here we assume $session is your session key-value store (replace with $_SESSION to use PHP's default; you'll need session_start at the top)
 //custom_redirect should handle redirects without sending permanent redirect code

 if(!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] != 'SUCCESS') {
 	die("Invalid client-side SSL certificate: invalid SSL_CLIENT_VERIFY.");
 }

 if(!isset($_SERVER['SSL_CLIENT_I_DN_O']) || $_SERVER['SSL_CLIENT_I_DN_O'] != 'YOUR_CA_ORGANIZATION_FIELD') {
 	die("Invalid client-side SSL certificate: mismatch SSL_CLIENT_I_DN_O.");
 }

 if(!isset($_SERVER['SSL_CLIENT_S_DN_CN'])) {
 	die("Invalid client-side certificate: missing CN.");
 }

 if(!isset($_SERVER['SSL_CLIENT_M_SERIAL'])) {
 	die("Invalid client-side certificate: missing serial.");
 }

 if(isset($session['user_id'])) {
 	custom_redirect("/authenticated_area");
 } else {
 	$result = database_query("SELECT users.id FROM users, certificates WHERE users.id = certificates.user_id AND users.email = ? AND certificates.serial = ?", array($_SERVER['SSL_CLIENT_S_DN_CN'], $_SERVER['SSL_CLIENT_M_SERIAL']));
 	
 	if($row = $result->fetch()) {
 		$session['user_id'] = $row['id'];
 		custom_redirect("/authenticated_area");
 	} else {
 		die('go away');
 	}
 }

 ?>
	<?php

	//here we assume $session is your session key-value store (replace with $_SESSION to use PHP's default; you'll need session_start at the top)
	//custom_redirect should handle redirects without sending permanent redirect code

	if(!isset($_SERVER['SSL_CLIENT_VERIFY']) \|\| $_SERVER['SSL_CLIENT_VERIFY'] != 'SUCCESS') {
	die("Invalid client-side SSL certificate: invalid SSL_CLIENT_VERIFY.");
	}

	if(!isset($_SERVER['SSL_CLIENT_I_DN_O']) \|\| $_SERVER['SSL_CLIENT_I_DN_O'] != 'YOUR_CA_ORGANIZATION_FIELD') {
	die("Invalid client-side SSL certificate: mismatch SSL_CLIENT_I_DN_O.");
	}

	if(!isset($_SERVER['SSL_CLIENT_S_DN_CN'])) {
	die("Invalid client-side certificate: missing CN.");
	}

	if(!isset($_SERVER['SSL_CLIENT_M_SERIAL'])) {
	die("Invalid client-side certificate: missing serial.");
	}

	if(isset($session['user_id'])) {
	custom_redirect("/authenticated_area");
	} else {
	$result = database_query("SELECT users.id FROM users, certificates WHERE users.id = certificates.user_id AND users.email = ? AND certificates.serial = ?", array($_SERVER['SSL_CLIENT_S_DN_CN'], $_SERVER['SSL_CLIENT_M_SERIAL']));

	if($row = $result->fetch()) {
	$session['user_id'] = $row['id'];
	custom_redirect("/authenticated_area");
	} else {
	die('go away');
	}
	}

	?>