@tmcw tmcw/mollom.module
Created Dec 23, 2008
/**
 * Generate an array with the information required to authenticate
 * against Mollom. To prevent requests from being forged and the client
 * from being impersonated, each request is signed with an HMAC computed
 * from the private key, a timestamp and a random nonce.
 *
 * Both the client and the server share the private key. Each side hashes
 * the timestamp and nonce with that key; if the hashes match, the client
 * has proven possession of the key. Note that only the time, the nonce
 * and the key are hashed: the request payload itself is not bound by the
 * signature.
 *
 * To limit the window in which an intercepted (hash, timestamp, nonce)
 * triple can be replayed to impersonate a client, Mollom rejects a
 * request whose timestamp is more than 15 minutes off from its own clock.
 *
 * Make sure your server's time is synchronized with the world clocks,
 * and that you don't share your private key with anyone else.
 */
function _mollom_authentication() {
  $public_key = variable_get('mollom_public_key', '');
  $private_key = variable_get('mollom_private_key', '');

  // Generate a timestamp according to the dateTime format, e.g.
  // 2008-12-23T02:40:00.000+0000 (the "\\0" sequences are literal zeros):
  $time = gmdate("Y-m-d\TH:i:s.\\0\\0\\0O", time());

  // Generate a random nonce. mt_rand() is not a cryptographic generator;
  // the nonce only needs to be unique per request, not unpredictable.
  $nonce = md5(mt_rand());

  // Calculate an HMAC-SHA1 according to RFC 2104 over "time:nonce:key".
  // The key is zero-padded to the 64-byte SHA-1 block size and XORed with
  // the outer (0x5c) and inner (0x36) pads by hand; on PHP >= 5.1.2 this is
  // equivalent to hash_hmac('sha1', $time .':'. $nonce .':'. $private_key, $private_key, TRUE).
  $hash = base64_encode(
    pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x5c), 64))) .
    pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x36), 64))) .
    $time .':'. $nonce .':'. $private_key))))
  );

  // Store everything in an array. Elsewhere in the code, we'll add the
  // actual data before we pass it onto the XML-RPC library:
  $data['public_key'] = $public_key;
  $data['time'] = $time;
  $data['hash'] = $hash;
  $data['nonce'] = $nonce;

  return $data;
}
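Both halves of the scheme the function above implements, as an added example in Python; this is not code from the gist or from the Mollom module. The client side reproduces the hand-built HMAC-SHA1 (zero-padded key, opad/ipad, inner then outer SHA-1) so it can be checked against RFC 2104 test vectors and against the `hmac` library. The server side is an assumption about what a verifier has to do: the page only states the 15-minute window, so the key lookup, the constant-time compare and the nonce cache that blocks replay inside that window are added here for illustration. The key values are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample key pair for this example; real Mollom keys are issued per site.
PUBLIC_KEY = "0123456789abcdef0123456789abcdef"
PRIVATE_KEY = "fedcba9876543210fedcba9876543210"

WINDOW_SECONDS = 15 * 60  # the 15-minute clock tolerance the module describes
# Same shape as the PHP gmdate("Y-m-d\TH:i:s.\0\0\0O") output, e.g. 2008-12-23T02:40:00.000+0000
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.000+0000"


def mollom_timestamp(now):
    """UTC timestamp for a Unix epoch, in the format the PHP gmdate() call produces."""
    return datetime.fromtimestamp(now, tz=timezone.utc).strftime(TIME_FORMAT)


def manual_hmac_sha1(key, message):
    """RFC 2104 HMAC-SHA1 written out the way the PHP does it: zero-pad the key to
    the 64-byte SHA-1 block, XOR with opad (0x5c) / ipad (0x36), hash inner then outer."""
    if len(key) > 64:  # RFC 2104 hashes over-long keys first; the PHP skips this step
        key = hashlib.sha1(key).digest()
    key = key.ljust(64, b"\x00")
    opad = bytes(b ^ 0x5C for b in key)
    ipad = bytes(b ^ 0x36 for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def matches_library_hmac(key, message):
    """True when the hand-rolled construction equals Python's hmac module."""
    return manual_hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


def mollom_hash(private_key, timestamp, nonce):
    """base64(HMAC-SHA1(key, "time:nonce:key")), the value _mollom_authentication() builds.
    Note the request payload is not part of the message, so it is not authenticated."""
    message = f"{timestamp}:{nonce}:{private_key}".encode()
    return base64.b64encode(manual_hmac_sha1(private_key.encode(), message)).decode()


def sign_request(private_key, public_key, now):
    """Client side: the same dict the PHP function returns."""
    timestamp = mollom_timestamp(now)
    nonce = os.urandom(16).hex()  # CSPRNG instead of md5(mt_rand()); uniqueness is what matters
    return {"public_key": public_key, "time": timestamp, "nonce": nonce,
            "hash": mollom_hash(private_key, timestamp, nonce)}


class Verifier:
    """Hypothetical server side (Mollom's real server is not on the page): look up the
    key, enforce the clock window, compare in constant time, and remember nonces for the
    length of the window so a captured (hash, time, nonce) triple cannot be replayed."""

    def __init__(self, keys, window=WINDOW_SECONDS):
        self.keys = keys      # public_key -> private_key
        self.window = window
        self.seen = {}        # nonce -> epoch after which it can be forgotten

    def verify(self, data, now):
        private_key = self.keys.get(data.get("public_key"))
        if private_key is None:
            return False, "unknown public key"
        try:
            ts = datetime.strptime(data["time"], TIME_FORMAT)
        except (KeyError, ValueError):
            return False, "malformed timestamp"
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce = data.get("nonce", "")
        expected = mollom_hash(private_key, data["time"], nonce)
        if not hmac.compare_digest(expected, data.get("hash", "")):
            return False, "bad hash"
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # drop expired nonces
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = now + self.window
        return True, "ok"
```

The nonce cache only needs to hold entries for the length of the window, because anything older is rejected by the timestamp check first. The check order (key, time, hash, nonce) keeps the cache from being filled by requests that would fail anyway.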