webui: remove passwords from sessions, 'remember me' works for all auth types (#4134)

* Updated to remove passwords from sessions

* Remove users sessions when user deleted

* Updated when cookies are set

* Updated setcookies to always contain a value

* Added destroy_cookies() to remove users cookies on failed login

* Removed debug line

* Fixed graph issues

html/includes/authenticate.inc.php

@@ -21,15 +21,11 @@ if (!is_writable($config['temp_dir'])) {
 // Clear up any old sessions
 dbDelete('session', '`session_expiry` <  ?', array(time()));
 
-if ($vars['page'] == 'logout' && $_SESSION['authenticated']) {
+if ($vars['page'] == 'logout') {
     dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Logged Out'), 'authlog');
-    dbDelete('session', '`session_username` =  ? AND session_value = ?', array($_SESSION['username'], $_COOKIE['sess_id']));
+    destroy_cookies();
     unset($_SESSION);
     unset($_COOKIE);
-    setcookie('sess_id', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
-    setcookie('token', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
-    setcookie('auth', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
-    session_destroy();
     $auth_message = 'Logged Out';
     header('Location: ' . $config['base_url']);
     exit;
@@ -38,10 +34,10 @@ if ($vars['page'] == 'logout' && $_SESSION['authenticated']) {
 // We are only interested in login details passed via POST.
 if (isset($_POST['username']) && isset($_POST['password'])) {
     $_SESSION['username'] = mres($_POST['username']);
-    $_SESSION['password'] = $_POST['password'];
+    $_tmp_password = $_POST['password'];
 } elseif (isset($_GET['username']) && isset($_GET['password'])) {
     $_SESSION['username'] = mres($_GET['username']);
-    $_SESSION['password'] = $_GET['password'];
+    $_tmp_password = $_GET['password'];
 }
 
 if (!isset($config['auth_mechanism'])) {
@@ -57,10 +53,11 @@ if (file_exists('includes/authentication/'.$config['auth_mechanism'].'.inc.php')
 
 $auth_success = 0;
 
-if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token']))) {
+if ((isset($_SESSION['username'], $_tmp_password)) || (isset($_COOKIE['sess_id'],$_COOKIE['token']))) {
-    if (reauthenticate($_COOKIE['sess_id'], $_COOKIE['token']) || authenticate($_SESSION['username'], $_SESSION['password'])) {
+    if (reauthenticate($_COOKIE['sess_id'], $_COOKIE['token']) || authenticate($_SESSION['username'], $_tmp_password)) {
         $_SESSION['userlevel'] = get_userlevel($_SESSION['username']);
         $_SESSION['user_id']   = get_userid($_SESSION['username']);
+        $sess_id  = session_id();
         if (!$_SESSION['authenticated']) {
             if ($config['twofactor'] === true && !isset($_SESSION['twofactor'])) {
                 include_once $config['install_dir'].'/html/includes/authentication/twofactor.lib.php';
@@ -74,26 +71,29 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
         }
 
         if (isset($_POST['remember'])) {
-            $sess_id  = session_id();
+            $session_time = time() + (60 * 60 * 24 * $config['auth_remember']);
-            $hasher   = new PasswordHash(8, false);
+        } else {
+            $session_time = time() + 60 * 60 * 24;
+        }
+
+        if (isset($_tmp_password)) {
             $token    = strgen();
             $auth     = strgen();
             $hasher   = new PasswordHash(8, false);
             $token_id = $_SESSION['username'].'|'.$hasher->HashPassword($_SESSION['username'].$token);
-            // If we have been asked to remember the user then set the relevant cookies and create a session in the DB.
+        } else {
-            setcookie('sess_id', $sess_id, (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
+            $auth     = $_COOKIE['auth'];
-            setcookie('token', $token_id, (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
+            $token_id = $_COOKIE['token'];
-            setcookie('auth', $auth, (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
-            dbInsert(array('session_username' => $_SESSION['username'], 'session_value' => $sess_id, 'session_token' => $token, 'session_auth' => $auth, 'session_expiry' => time() + 60 * 60 * 24 * $config['auth_remember']), 'session');
         }
        
-        if (isset($_COOKIE['sess_id'],$_COOKIE['token'],$_COOKIE['auth'])) {
+        setcookie('sess_id', $sess_id, $session_time, '/', null, false, true);
-            // If we have the remember me cookies set then update session expiry times to keep us logged in.
+        setcookie('auth', $auth, $session_time, '/', null, false, true);
-            $sess_id = session_id();
+        setcookie('token', $token_id, $session_time, '/', null, false, true);
-            dbUpdate(array('session_value' => $sess_id, 'session_expiry' => time() + 60 * 60 * 24 * $config['auth_remember']), 'session', 'session_auth=?', array($_COOKIE['auth']));
+
-            setcookie('sess_id', $sess_id, (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
+        if (isset($_tmp_password)) {
-            setcookie('token', $_COOKIE['token'], (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
+            dbInsert(array('session_username' => $_SESSION['username'], 'session_value' => $sess_id, 'session_token' => $token, 'session_auth' => $auth, 'session_expiry' => $session_time), 'session');
-            setcookie('auth', $_COOKIE['auth'], (time() + 60 * 60 * 24 * $config['auth_remember']), '/', null, false, true);
+        } else {
+            dbUpdate(array('session_value' => $sess_id, 'session_expiry' => $session_time), 'session', 'session_auth=?', array($_COOKIE['auth']));
         }
 
         $permissions = permissions_cache($_SESSION['user_id']);
@@ -112,3 +112,16 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
         dbInsert(array('user' => $_SESSION['username'], 'address' => get_client_ip(), 'result' => 'Authentication Failure'), 'authlog');
     }
 }
+
+/**
+ * Destroys users cookies
+ */
+function destroy_cookies()
+{
+    global $config;
+    dbDelete('session', '`session_username` =  ? AND session_value = ?', array($_SESSION['username'], $_COOKIE['sess_id']));
+    setcookie('sess_id', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
+    setcookie('token', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
+    setcookie('auth', '', (time() - 60 * 60 * 24 * $config['auth_remember']), '/');
+    session_destroy();
+}

html/includes/authentication/active_directory.inc.php

@@ -75,13 +75,6 @@ function authenticate($username, $password)
     return 0;
 }
 
-function reauthenticate()
-{
-    // not supported so return 0
-    return 0;
-}
-
-
 function passwordscanchange()
 {
     // not supported so return 0
@@ -203,6 +196,7 @@ function deluser($username)
     dbDelete('ports_perms', '`user_name` =  ?', array($username));
     dbDelete('users_prefs', '`user_name` =  ?', array($username));
     dbDelete('users', '`user_name` =  ?', array($username));
+    dbDelete('session', '`session_username` =  ?', array($username));
     return dbDelete('users', '`username` =  ?', array($username));
 }
 

html/includes/authentication/ad-authorization.inc.php

@@ -53,14 +53,6 @@ function authenticate($username, $password)
     return 0;
 }
 
-
-function reauthenticate()
-{
-    // not supported so return 0
-    return 0;
-}
-
-
 function passwordscanchange()
 {
     // not supported so return 0
@@ -204,6 +196,7 @@ function deluser($username)
     dbDelete('ports_perms', '`user_name` =  ?', array($username));
     dbDelete('users_prefs', '`user_name` =  ?', array($username));
     dbDelete('users', '`user_name` =  ?', array($username));
+    dbDelete('session', '`session_username` =  ?', array($username));
     return dbDelete('users', '`username` =  ?', array($username));
 }
 

html/includes/authentication/http-auth.inc.php

@@ -23,13 +23,6 @@ function authenticate($username, $password)
     return 0;
 }
 
-
-function reauthenticate($sess_id = '', $token = '')
-{
-    return 0;
-}
-
-
 function passwordscanchange($username = '')
 {
     return 0;

html/includes/authentication/ldap-authorization.inc.php

@@ -81,14 +81,6 @@ function authenticate($username, $password)
     return 0;
 }
 
-
-function reauthenticate($sess_id = '', $token = '')
-{
-    // Not supported
-    return 0;
-}
-
-
 function passwordscanchange($username = '')
 {
     // Not supported

html/includes/authentication/ldap.inc.php

@@ -47,13 +47,6 @@ function authenticate($username, $password)
     return 0;
 }
 
-
-function reauthenticate($sess_id, $token)
-{
-    return 0;
-}
-
-
 function passwordscanchange($username = '')
 {
     return 0;

html/includes/authentication/mysql.inc.php

@@ -32,21 +32,6 @@ function authenticate($username, $password)
     return 0;
 }//end authenticate()
 
-
-function reauthenticate($sess_id, $token)
-{
-    list($uname,$hash) = explode('|', $token);
-    $session           = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
-    $hasher            = new PasswordHash(8, false);
-    if ($hasher->CheckPassword($uname.$session['session_token'], $hash)) {
-        $_SESSION['username'] = $uname;
-        return 1;
-    } else {
-        return 0;
-    }
-}//end reauthenticate()
-
-
 function passwordscanchange($username = '')
 {
     /*
@@ -143,7 +128,7 @@ function deluser($username)
     dbDelete('ports_perms', '`user_name` =  ?', array($username));
     dbDelete('users_prefs', '`user_name` =  ?', array($username));
     dbDelete('users', '`user_name` =  ?', array($username));
-
+    dbDelete('session', '`session_username` =  ?', array($username));
     return dbDelete('users', '`username` =  ?', array($username));
 }//end deluser()
 

html/includes/authentication/radius.inc.php

@@ -24,12 +24,6 @@ function authenticate($username, $password)
     }
 }
 
-function reauthenticate()
-{
-    return 0;
-}
-
-
 function passwordscanchange()
 {
     // not supported so return 0
@@ -100,6 +94,7 @@ function deluser($username)
     dbDelete('ports_perms', '`user_name` =  ?', array($username));
     dbDelete('users_prefs', '`user_name` =  ?', array($username));
     dbDelete('users', '`user_name` =  ?', array($username));
+    dbDelete('session', '`session_username` =  ?', array($username));
     return dbDelete('users', '`username` =  ?', array($username));
 }
 

html/includes/functions.inc.php

@@ -1332,3 +1332,16 @@ function ipmiSensorName($hardwareId, $sensorIpmi, $rewriteArray)
         return $sensorIpmi;
     }
 }
+
+function reauthenticate($sess_id, $token)
+{
+    list($uname,$hash) = explode('|', $token);
+    $session           = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
+    $hasher            = new PasswordHash(8, false);
+    if ($hasher->CheckPassword($uname.$session['session_token'], $hash)) {
+        $_SESSION['username'] = $uname;
+        return 1;
+    } else {
+        return 0;
+    }
+}//end reauthenticate()

sql-schema/133.sql

@@ -0,0 +1 @@
+ALTER TABLE `session` ADD UNIQUE(`session_value`);