mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Updated session / cookie support

Browse Source
This commit is contained in:
laf
2014-02-03 22:32:45 +00:00
parent 04a9f4a2f3
commit 005504ae6d
6 changed files with 67 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
html/includes/authenticate.inc.php
View File

@ -1,6 +1,8 @@
<?php <?php
@ini_set("session.gc_maxlifetime","0"); @ini_set("session.gc_maxlifetime","0");
@ini_set('session.use_only_cookies', 1);
@ini_set('session.cookie_httponly', 1);
require('includes/PasswordHash.php'); require('includes/PasswordHash.php');
session_start(); session_start();
@ -21,28 +23,28 @@ if (!is_writable($config['temp_dir']))
echo("<div class='errorbox'>Temp Directory is not writable ({$config['tmp_dir']}). Graphing may fail.</div>"); echo("<div class='errorbox'>Temp Directory is not writable ({$config['tmp_dir']}). Graphing may fail.</div>");
} }
// Clear up any old sessions
dbDelete('session', "`session_expiry` < ?", array(time()));
if ($vars['page'] == "logout" && $_SESSION['authenticated']) if ($vars['page'] == "logout" && $_SESSION['authenticated'])
{ {
dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged Out'), 'authlog'); dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'Logged Out'), 'authlog');
dbDelete('session', "`session_username` = ? AND session_value = ?", array($_SESSION['username'],$_COOKIE['sess_id']));
unset($_SESSION); unset($_SESSION);
unset($_COOKIE);
setcookie ("sess_id", "", time() - 60*60*24*$config['auth_remember'], "/");
setcookie ("token", "", time() - 60*60*24*$config['auth_remember'], "/");
setcookie ("auth", "", time() - 60*60*24*$config['auth_remember'], "/");
session_destroy(); session_destroy();
setcookie ("username", "", time() - 60*60*24*100, "/");
setcookie ("password", "", time() - 60*60*24*100, "/");
$auth_message = "Logged Out"; $auth_message = "Logged Out";
header('Location: /'); header('Location: /');
exit; exit;
} }
if (isset($_GET['username']) && isset($_GET['password'])) // We are only interested in login details passed via POST.
{ if (isset($_POST['username']) && isset($_POST['password'])) {
$_SESSION['username'] = mres($_GET['username']);
$_SESSION['password'] = $_GET['password'];
} elseif (isset($_POST['username']) && isset($_POST['password'])) {
$_SESSION['username'] = mres($_POST['username']); $_SESSION['username'] = mres($_POST['username']);
$_SESSION['password'] = $_POST['password']; $_SESSION['password'] = $_POST['password'];
} elseif (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
$_SESSION['username'] = mres($_COOKIE['username']);
$_SESSION['password'] = $_COOKIE['password'];
} }
if (!isset($config['auth_mechanism'])) if (!isset($config['auth_mechanism']))
@ -62,10 +64,12 @@ else
$auth_success = 0; $auth_success = 0;
if (isset($_SESSION['username'])) if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token'])))
{ {
if (authenticate($_SESSION['username'],$_SESSION['password'])) if ((authenticate($_SESSION['username'],$_SESSION['password'])) || (reauthenticate($_COOKIE['sess_id'],$_COOKIE['token'])))
{ {
// Regenerate session id for additional security.
session_regenerate_id();
$_SESSION['userlevel'] = get_userlevel($_SESSION['username']); $_SESSION['userlevel'] = get_userlevel($_SESSION['username']);
$_SESSION['user_id'] = get_userid($_SESSION['username']); $_SESSION['user_id'] = get_userid($_SESSION['username']);
if (!$_SESSION['authenticated']) if (!$_SESSION['authenticated'])
@ -76,8 +80,28 @@ if (isset($_SESSION['username']))
} }
if (isset($_POST['remember'])) if (isset($_POST['remember']))
{ {
setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/"); $sess_id = session_id();
setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/"); $hasher = new PasswordHash(8, FALSE);
$token = strgen();
$auth = strgen();
$hasher = new PasswordHash(8, FALSE);
$token_id = $_SESSION['username'].'|'.$hasher->HashPassword($_SESSION['username'].$token);
// If we have been asked to remember the user then set the relevant cookies and create a session in the DB.
setcookie("sess_id", $sess_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true);
setcookie("token", $token_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true);
setcookie("auth", $auth, time()+60*60*24*$config['auth_remember'], "/", null, null, true);
dbInsert(array('session_username' => $_SESSION['username'], 'session_value' => $sess_id, 'session_token' => $token, 'session_auth' => $auth, 'session_expiry' => time()+60*60*24*$config['auth_remember']), 'session');
//setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/");
//setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/");
}
if (isset($_COOKIE['sess_id'],$_COOKIE['token'],$_COOKIE['auth']))
{
// If we have the remember me cookies set then update session expiry times to keep us logged in.
$sess_id = session_id();
dbUpdate(array('session_value' => $sess_id, 'session_expiry' => time()+60*60*24*$config['auth_remember']), 'session', 'session_auth=?', array($_COOKIE['auth']));
setcookie("sess_id", $sess_id, time()+60*60*24*$config['auth_remember'], "/", null, null, true);
setcookie("token", $_COOKIE['token'], time()+60*60*24*$config['auth_remember'], "/", null, null, true);
setcookie("auth", $_COOKIE['auth'], time()+60*60*24*$config['auth_remember'], "/", null, null, true);
} }
$permissions = permissions_cache($_SESSION['user_id']); $permissions = permissions_cache($_SESSION['user_id']);
} }

5
html/includes/authentication/http-auth.inc.php
View File

@ -27,6 +27,11 @@ function authenticate($username,$password)
return 0; return 0;
} }
function reauthenticate($sess_id = "",$token = "")
{
return 0;
}
function passwordscanchange($username = "") function passwordscanchange($username = "")
{ {
return 0; return 0;

5
html/includes/authentication/ldap.inc.php
View File

@ -49,6 +49,11 @@ function authenticate($username,$password)
return 0; return 0;
} }
function reauthenticate($sess_id,$token)
{
return 0;
}
function passwordscanchange($username = "") function passwordscanchange($username = "")
{ {
return 0; return 0;

16
html/includes/authentication/mysql.inc.php
View File

@ -36,6 +36,22 @@ function authenticate($username,$password)
return 0; return 0;
} }
function reauthenticate($sess_id,$token)
{
list($uname,$hash) = explode("|",$token);
$session = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'");
$hasher = new PasswordHash(8, FALSE);
if($hasher->CheckPassword($uname.$session['session_token'],$hash))
{
$_SESSION['username'] = $uname;
return 1;
}
else
{
return 0;
}
}
function passwordscanchange($username = "") function passwordscanchange($username = "")
{ {
/* /*

1
includes/defaults.inc.php
View File

@ -390,6 +390,7 @@ $config['irc_chan'][] = "##" . $config['project_id'];
$config['allow_unauth_graphs'] = 0; # Allow graphs to be viewed by anyone $config['allow_unauth_graphs'] = 0; # Allow graphs to be viewed by anyone
$config['allow_unauth_graphs_cidr'] = array(); # Allow graphs to be viewed without authorisation from certain IP ranges $config['allow_unauth_graphs_cidr'] = array(); # Allow graphs to be viewed without authorisation from certain IP ranges
$config['auth_mechanism'] = "mysql"; # Available mechanisms: mysql (default), ldap, http-auth $config['auth_mechanism'] = "mysql"; # Available mechanisms: mysql (default), ldap, http-auth
$config['auth_remember'] = '30'; # This is how long in days to remember users who select remember me
// LDAP Authentication // LDAP Authentication

2
sql-schema/029.sql Normal file
View File

@ -0,0 +1,2 @@
CREATE TABLE IF NOT EXISTS `session` ( `session_id` int(11) NOT NULL AUTO_INCREMENT, `session_username` varchar(30) NOT NULL, `session_value` varchar(60) NOT NULL, `session_token` varchar(60) NOT NULL, `session_auth` varchar(16) NOT NULL, `session_expiry` int(11) NOT NULL, PRIMARY KEY (`session_id`)) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;