From 005504ae6da262cdeb7541519d35fcb62e36afff Mon Sep 17 00:00:00 2001
From: laf
Date: Mon, 3 Feb 2014 22:32:45 +0000
Subject: [PATCH] Updated session / cookie support

---
 html/includes/authenticate.inc.php | 52 ++++++++++++++-----
 .../includes/authentication/http-auth.inc.php | 5 ++
 html/includes/authentication/ldap.inc.php | 5 ++
 html/includes/authentication/mysql.inc.php | 16 ++++++
 includes/defaults.inc.php | 1 +
 sql-schema/029.sql | 2 +
 6 files changed, 67 insertions(+), 14 deletions(-)
 create mode 100644 sql-schema/029.sql

diff --git a/html/includes/authenticate.inc.php b/html/includes/authenticate.inc.php
index b68073af7f..005f426cae 100644
--- a/html/includes/authenticate.inc.php
+++ b/html/includes/authenticate.inc.php
@@ -1,6 +1,8 @@ Temp Directory is not writable ({$config['tmp_dir']}). Graphing may fail."); } +// Clear up any old sessions +dbDelete('session', "`session_expiry` < ?", array(time())); + if ($vars['page'] == "logout" && $_SESSION['authenticated']) { dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged Out'), 'authlog'); + dbDelete('session', "`session_username` = ? AND session_value = ?", array($_SESSION['username'],$_COOKIE['sess_id'])); unset($_SESSION); + unset($_COOKIE); + setcookie ("sess_id", "", time() - 60*60*24*$config['auth_remember'], "/"); + setcookie ("token", "", time() - 60*60*24*$config['auth_remember'], "/"); + setcookie ("auth", "", time() - 60*60*24*$config['auth_remember'], "/"); session_destroy(); - setcookie ("username", "", time() - 60*60*24*100, "/"); - setcookie ("password", "", time() - 60*60*24*100, "/"); $auth_message = "Logged Out"; header('Location: /'); exit; } -if (isset($_GET['username']) && isset($_GET['password'])) -{ - $_SESSION['username'] = mres($_GET['username']); - $_SESSION['password'] = $_GET['password']; -} elseif (isset($_POST['username']) && isset($_POST['password'])) { +// We are only interested in login details passed via POST. +if (isset($_POST['username']) && isset($_POST['password'])) { $_SESSION['username'] = mres($_POST['username']); $_SESSION['password'] = $_POST['password']; -} elseif (isset($_COOKIE['username']) && isset($_COOKIE['password'])) { - $_SESSION['username'] = mres($_COOKIE['username']); - $_SESSION['password'] = $_COOKIE['password']; } if (!isset($config['auth_mechanism'])) 
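Review bot: The new `dbDelete('session', ...)` in the logout branch reads `$_COOKIE['sess_id']` unconditionally, but that cookie only exists when the user logged in with "remember" ticked; on a plain session logout it raises an undefined-index notice and runs the delete with a null bound value. Guard it: `if (isset($_COOKIE['sess_id'])) { dbDelete('session', "`session_username` = ? AND session_value = ?", array($_SESSION['username'], $_COOKIE['sess_id'])); }`. The three cookie-clearing `setcookie` calls also derive their past expiry from `$config['auth_remember']`, which couples cookie removal to a tuning value for no reason; a fixed `time() - 3600` says what is meant. The logout `if` is complete within this hunk; the trailing `if (!isset($config['auth_mechanism']))` continues past it.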
@@ -62,10 +64,12 @@ else $auth_success = 0; -if (isset($_SESSION['username'])) +if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token']))) { - if (authenticate($_SESSION['username'],$_SESSION['password'])) + if ((authenticate($_SESSION['username'],$_SESSION['password'])) || (reauthenticate($_COOKIE['sess_id'],$_COOKIE['token']))) { + // Regenerate session id for additional security. + session_regenerate_id(); $_SESSION['userlevel'] = get_userlevel($_SESSION['username']); $_SESSION['user_id'] = get_userid($_SESSION['username']); if (!$_SESSION['authenticated']) 
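Review bot: In the widened condition, a request carrying only the remember-me cookies still evaluates `authenticate($_SESSION['username'],$_SESSION['password'])` first with both session keys unset, so every cookie-only reauthentication starts with undefined-index notices and a spurious backend login attempt before `reauthenticate()` is consulted. Tie each call to the presence of its own inputs: `if ((isset($_SESSION['username']) && authenticate($_SESSION['username'],$_SESSION['password'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token']) && reauthenticate($_COOKIE['sess_id'],$_COOKIE['token'])))`. The added `session_regenerate_id();` should be `session_regenerate_id(true);` so the data under the old id is deleted rather than left behind; note too that, if this include runs on every page load, the regeneration happens on every authenticated request rather than only at login, which is more churn than the comment suggests. The body of this `if` continues past the end of the hunk.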
@@ -76,8 +80,28 @@ if (isset($_SESSION['username'])) } if (isset($_POST['remember'])) { - setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/"); - setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/"); + $sess_id = session_id(); + $hasher = new PasswordHash(8, FALSE); + $token = strgen(); + $auth = strgen(); + $hasher = new PasswordHash(8, FALSE); + $token_id = $_SESSION['username'].'|'.$hasher->HashPassword($_SESSION['username'].$token); + // If we have been asked to remember the user then set the relevant cookies and create a session in the DB. + setcookie("sess_id", $sess_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true); + setcookie("token", $token_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true); + setcookie("auth", $auth, time()+60*60*24*$config['auth_remember'], "/", null, null, true); + dbInsert(array('session_username' => $_SESSION['username'], 'session_value' => $sess_id, 'session_token' => $token, 'session_auth' => $auth, 'session_expiry' => time()+60*60*24*$config['auth_remember']), 'session'); + //setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/"); + //setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/"); + } + if (isset($_COOKIE['sess_id'],$_COOKIE['token'],$_COOKIE['auth'])) + { + // If we have the remember me cookies set then update session expiry times to keep us logged in. + $sess_id = session_id(); + dbUpdate(array('session_value' => $sess_id, 'session_expiry' => time()+60*60*24*$config['auth_remember']), 'session', 'session_auth=?', array($_COOKIE['auth'])); + setcookie("sess_id", $sess_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true); + setcookie("token", $_COOKIE['token'], time()+60*60*24*$config['auth_remember'], "/", null, null, true); + setcookie("auth", $_COOKIE['auth'], time()+60*60*24*$config['auth_remember'], "/", null, null, true); } $permissions = permissions_cache($_SESSION['user_id']); } 
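Review bot: The `dbUpdate(... 'session', 'session_auth=?', array($_COOKIE['auth']))` in the cookie-refresh branch selects the row by the `auth` cookie alone and is not tied to the user the enclosing branch has just authenticated, so a row belonging to a different username can have its `session_value` and expiry rewritten from another authenticated session. Bind the update to the current principal: `dbUpdate(array('session_value' => $sess_id, 'session_expiry' => time()+60*60*24*$config['auth_remember']), 'session', 'session_auth=? AND session_username=?', array($_COOKIE['auth'], $_SESSION['username']));`. The remember branch also stores `$token` and `$auth` in clear in the `session` row while hashing the token only in the cookie, so the stored row alone is enough to reconstruct a valid `token` cookie; keeping the hash in the row and the secret only in the cookie would make a table read useless by itself. Smaller points: `$hasher = new PasswordHash(8, FALSE);` is constructed twice, and every `setcookie` passes `null` for the secure flag, which should follow whether the site is served over HTTPS. This hunk begins inside the authenticated branch, whose opening lies outside it.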
diff --git a/html/includes/authentication/http-auth.inc.php b/html/includes/authentication/http-auth.inc.php
index e34a0dde23..9b0f511072 100644
--- a/html/includes/authentication/http-auth.inc.php
+++ b/html/includes/authentication/http-auth.inc.php
@@ -27,6 +27,11 @@ function authenticate($username,$password)
 return 0;
 }
 
+function reauthenticate($sess_id = "",$token = "")
+{
+ return 0;
+}
+
 function passwordscanchange($username = "")
 {
 return 0;
diff --git a/html/includes/authentication/ldap.inc.php b/html/includes/authentication/ldap.inc.php
index 1d4e7cc20d..d640097d70 100644
--- a/html/includes/authentication/ldap.inc.php
+++ b/html/includes/authentication/ldap.inc.php
@@ -49,6 +49,11 @@ function authenticate($username,$password)
 return 0;
 }
 
+function reauthenticate($sess_id,$token)
+{
+ return 0;
+}
+
 function passwordscanchange($username = "")
 {
 return 0;
diff --git a/html/includes/authentication/mysql.inc.php b/html/includes/authentication/mysql.inc.php
index a639af54d1..91cc8f1897 100644
--- a/html/includes/authentication/mysql.inc.php
+++ b/html/includes/authentication/mysql.inc.php
@@ -36,6 +36,22 @@ function authenticate($username,$password)
 return 0;
 }
 
+function reauthenticate($sess_id,$token)
+{
+ list($uname,$hash) = explode("|",$token);
+ $session = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'");
+ $hasher = new PasswordHash(8, FALSE);
+ if($hasher->CheckPassword($uname.$session['session_token'],$hash))
+ {
+ $_SESSION['username'] = $uname;
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
 function passwordscanchange($username = "")
 {
 /*
diff --git a/includes/defaults.inc.php b/includes/defaults.inc.php
index e96e505f60..f06b1137d4 100644
--- a/includes/defaults.inc.php
+++ b/includes/defaults.inc.php
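Review bot: The http-auth `reauthenticate()` stub gives both parameters defaults (`$sess_id = "",$token = ""`) while the ldap and mysql versions in the following hunks declare `reauthenticate($sess_id,$token)`; the caller in authenticate.inc.php always passes both, so the three mechanisms should share one signature. A comment on the stub would also spare the next reader a trip through the caller, something like `// Remember-me is not supported by this mechanism: authenticate.inc.php still sets the sess_id/token/auth cookies on login, but they are never honoured here.` The same applies to the ldap stub.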
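Review bot: The `dbFetchRow` query in the mysql `reauthenticate()` interpolates `$uname` (split out of the `token` cookie by `explode`) and `$sess_id` (the `sess_id` cookie) directly into the SQL string, so the one query on the new remember-me path is built from unauthenticated cookie values, while every `dbInsert`/`dbUpdate`/`dbDelete` added elsewhere in this patch uses bound parameters. The function also assumes the cookie contains a `|` and that a row was found: a malformed cookie leaves `$hash` undefined, and a missing row turns `$session['session_token']` into a notice before `CheckPassword` runs against an empty string. The rewrite below binds both values (assuming `dbFetchRow` accepts a parameter array like the other db helpers, which is not visible in this patch) and returns 0 early when the token has no separator or no row matches; the `CheckPassword` branch is unchanged.
```php
function reauthenticate($sess_id,$token)
{
  if (strpos($token, '|') === false) { return 0; }
  list($uname,$hash) = explode("|",$token,2);
  $session = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = ? AND `session_value` = ?", array($uname, $sess_id));
  if (!$session) { return 0; }
  $hasher = new PasswordHash(8, FALSE);
  // … unchanged: CheckPassword branch …
```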
@@ -390,6 +390,7 @@ $config['irc_chan'][] = "##" . $config['project_id']; $config['allow_unauth_graphs'] = 0; # Allow graphs to be viewed by anyone $config['allow_unauth_graphs_cidr'] = array(); # Allow graphs to be viewed without authorisation from certain IP ranges $config['auth_mechanism'] = "mysql"; # Available mechanisms: mysql (default), ldap, http-auth +$config['auth_remember'] = '30'; # This is how long in days to remember users who select remember me // LDAP Authentication diff --git a/sql-schema/029.sql b/sql-schema/029.sql new file mode 100644 index 0000000000..d6e8a57143 --- /dev/null +++ b/sql-schema/029.sql @@ -0,0 +1,2 @@ +CREATE TABLE IF NOT EXISTS `session` ( `session_id` int(11) NOT NULL AUTO_INCREMENT, `session_username` varchar(30) NOT NULL, `session_value` varchar(60) NOT NULL, `session_token` varchar(60) NOT NULL, `session_auth` varchar(16) NOT NULL, `session_expiry` int(11) NOT NULL, PRIMARY KEY (`session_id`)) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ; +
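Review bot: `$config['auth_remember'] = '30';` stores the day count as a quoted string where the neighbouring numeric settings (`$config['allow_unauth_graphs'] = 0;`) are bare integers, so the `time()+60*60*24*$config['auth_remember']` arithmetic in authenticate.inc.php only works through implicit string-to-number conversion. Write it as `$config['auth_remember'] = 30;` to match the rest of the file.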
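Review bot: The new `session` table is looked up by `session_auth` on every request that carries the remember cookies, by `session_username`/`session_value` on reauthentication and logout, and pruned by `session_expiry` on every request, yet its only index is the primary key on `session_id`, so each of those becomes a full scan as rows accumulate. Add `KEY (session_username, session_value), KEY (session_auth), KEY (session_expiry)` before the closing parenthesis. `session_auth varchar(16)` also has to match the length `strgen()` produces, which this patch does not show; worth confirming so values are not silently truncated.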