in src/main/java/org/apache/sling/auth/form/impl/TokenStore.java [216:260]
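/**
 * Checks whether a presented authentication cookie value is well formed,
 * not yet expired, and matches the value this store would have issued.
 *
 * <p>The value is expected to split into exactly three fields. The second
 * field carries a single-digit token number followed by the expiry time in
 * milliseconds. The expected cookie value is recomputed with
 * {@code encode(...)} from the expiry time, the third field, the token
 * number and the secret key stored under that token number, and is then
 * compared with the whole presented value.
 *
 * <p>The value comes from the client, so every malformed input is rejected
 * with {@code false} rather than an exception.
 *
 * @param value the cookie value presented by the client
 * @return {@code true} only if the value verifies; {@code false} for any
 *         malformed, expired, unknown-key or mismatching value (the reason
 *         is logged)
 */
boolean isValid(String value) {
    // NOTE(review): every failure path logs the raw, client-supplied cookie
    // value at error level. Consider logging a truncated or hashed form so
    // unauthenticated input cannot flood or forge log lines.
    String[] parts = split(value);
    if (parts.length != 3) {
        log.error("AuthNCookie value '{}' has invalid format", value);
        return false;
    }

    // Guard the charAt(0) below: an empty field would otherwise throw
    // StringIndexOutOfBoundsException on attacker-controlled input.
    String tokenAndExpiry = parts[1];
    if (tokenAndExpiry.isEmpty()) {
        log.error("AuthNCookie value '{}' has invalid format", value);
        return false;
    }

    // single digit token number
    int tokenNumber = tokenAndExpiry.charAt(0) - '0';
    if (tokenNumber < 0 || tokenNumber >= currentTokens.length()) {
        log.error(
            "AuthNCookie value '{}' is invalid: refers to an invalid token number {}",
            value, tokenNumber);
        return false;
    }

    long cookieTime;
    try {
        cookieTime = Long.parseLong(tokenAndExpiry.substring(1));
    } catch (NumberFormatException e) {
        // A non-numeric expiry is a malformed cookie, not a server error.
        log.error("AuthNCookie value '{}' has invalid format", value);
        return false;
    }

    long now = System.currentTimeMillis();
    if (now >= cookieTime) {
        log.error("AuthNCookie value '{}' has expired {}ms ago",
            value, (now - cookieTime));
        return false;
    }

    try {
        SecretKey secretKey = currentTokens.get(tokenNumber);
        if (secretKey == null) {
            log.error("AuthNCookie value '{}' points to an unknown token number", value);
            return false;
        }
        String hmac = encode(cookieTime, parts[2], tokenNumber, secretKey);
        if (hmac == null) {
            return false;
        }
        // String.equals stops at the first differing character, which can
        // leak how much of a forged value matched through response timing.
        // MessageDigest.isEqual compares the bytes without that early exit.
        // Fully qualified names are used so no new import is required.
        return java.security.MessageDigest.isEqual(
            value.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            hmac.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    } catch (ArrayIndexOutOfBoundsException | InvalidKeyException | IllegalStateException |
        NoSuchAlgorithmException e) {
        log.error(e.getMessage(), e);
    }

    // failed verification, reason is logged
    log.error("AuthNCookie value '{}' is invalid", value);
    return false;
}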