webui: remove passwords from sessions, 'remember me' works for all auth types (#4134)

* Updated to remove passwords from sessions * Remove users sessions when user deleted * Updated when cookies are set * Updated setcookies to always contain a value * Added destroy_cookies() to remove users cookies on failed login * Removed debug line * Fixed graph issues
2024-10-07 16:52:45 +00:00 · 2016-09-13 03:41:19 +01:00
parent a710c4a33c
commit deb4b74bc9
10 changed files with 55 additions and 83 deletions
--- a/html/includes/functions.inc.php
+++ b/html/includes/functions.inc.php
@@ -1332,3 +1332,16 @@ function ipmiSensorName($hardwareId, $sensorIpmi, $rewriteArray)
        return $sensorIpmi;
    }
 }
+
+function reauthenticate($sess_id, $token)
+{
+    list($uname,$hash) = explode('|', $token);
+    $session           = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
+    $hasher            = new PasswordHash(8, false);
+    if ($hasher->CheckPassword($uname.$session['session_token'], $hash)) {
+        $_SESSION['username'] = $uname;
+        return 1;
+    } else {
+        return 0;
+    }
+}//end reauthenticate()