@uakfdotb
Last active August 29, 2015 14:03
webssl-auth
<?php
// Here we assume $session is your session key-value store (replace with $_SESSION
// to use PHP's default; you'll need session_start() at the top).
// custom_redirect() should handle redirects without sending a permanent (301) redirect code.
// database_query() is assumed to run a parameterised query and return a result object with fetch().

// Step 1: mod_ssl must have verified the client certificate chain.
if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
    die("Invalid client-side SSL certificate: invalid SSL_CLIENT_VERIFY.");
}
// Step 2: the issuer must be our own CA, not just any CA Apache trusts.
if (!isset($_SERVER['SSL_CLIENT_I_DN_O']) || $_SERVER['SSL_CLIENT_I_DN_O'] !== 'YOUR_CA_ORGANIZATION_FIELD') {
    die("Invalid client-side SSL certificate: mismatch SSL_CLIENT_I_DN_O.");
}
// Step 3: the subject CN (used here as the user's e-mail) and the certificate serial must be present.
if (!isset($_SERVER['SSL_CLIENT_S_DN_CN'])) {
    die("Invalid client-side certificate: missing CN.");
}
if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])) {
    die("Invalid client-side certificate: missing serial.");
}

if (isset($session['user_id'])) {
    // Already authenticated in this session.
    custom_redirect("/authenticated_area");
} else {
    // Map (CN, serial) to a user; the serial is matched so a certificate must be
    // explicitly enrolled, not merely issued for that e-mail address.
    $result = database_query(
        "SELECT users.id FROM users, certificates WHERE users.id = certificates.user_id AND users.email = ? AND certificates.serial = ?",
        array($_SERVER['SSL_CLIENT_S_DN_CN'], $_SERVER['SSL_CLIENT_M_SERIAL'])
    );
    if ($row = $result->fetch()) {
        $session['user_id'] = $row['id'];
        custom_redirect("/authenticated_area");
    } else {
        die('go away');
    }
}
?>
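The gist above consults the database only when the session has no user_id, so a certificates row that is deleted later keeps working until the session expires. The following is an added example, not part of the gist: it performs the same (CN, serial) lookup on every request, remembers which serial the session was created under, and normalises the serial before comparing. It assumes $pdo is an existing PDO connection, that enrolment stored serials in the same normalised form, and reuses the gist's YOUR_CA_ORGANIZATION_FIELD placeholder.

```php
<?php
// Added example (not from the gist). Assumes $pdo is a PDO connection and that
// the enrolment code stored certificate serials via normalize_serial() below.
declare(strict_types=1);

const EXPECTED_CA_O = 'YOUR_CA_ORGANIZATION_FIELD'; // placeholder from the gist

// mod_ssl exposes the serial as hex; normalise case and strip leading zeros so
// "00AB" and "ab" compare equal to the stored value.
function normalize_serial(string $serial): string {
    $s = ltrim(strtoupper($serial), '0');
    return $s === '' ? '0' : $s;
}

// Returns the user id enrolled for this (CN, serial) pair, or null if unknown.
function certificate_user_id(PDO $pdo, array $server): ?int {
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') return null;
    if (($server['SSL_CLIENT_I_DN_O'] ?? '') !== EXPECTED_CA_O) return null;
    if (!isset($server['SSL_CLIENT_S_DN_CN'], $server['SSL_CLIENT_M_SERIAL'])) return null;

    $stmt = $pdo->prepare(
        'SELECT users.id FROM users JOIN certificates ON users.id = certificates.user_id'
        . ' WHERE users.email = ? AND certificates.serial = ?'
    );
    $stmt->execute([$server['SSL_CLIENT_S_DN_CN'], normalize_serial($server['SSL_CLIENT_M_SERIAL'])]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

session_start();

// Re-check on every request so revoking/deleting the enrolment takes effect at once.
$userId = certificate_user_id($pdo, $_SERVER);
if ($userId === null) {
    session_unset();
    http_response_code(403);
    exit('Client certificate not recognised.');
}

// A session established under a different certificate is discarded, not reused.
$serial = normalize_serial($_SERVER['SSL_CLIENT_M_SERIAL']);
if (($_SESSION['cert_serial'] ?? $serial) !== $serial) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['user_id'] = $userId;
$_SESSION['cert_serial'] = $serial;

header('Location: /authenticated_area', true, 302); // temporary redirect, as the gist intends
exit;
```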