diff options
| author | thomascube <thomas@roundcube.net> | 2012-04-30 21:04:53 +0000 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2012-05-08 12:05:27 +0200 |
| commit | 9e8d8e4a06fda84d0c1c295890478daee3a67dd2 (patch) | |
| tree | 91ae2cc341fed9402c2b1b8bd68c7c897d212ec7 | |
| parent | f5a262f0f020908a7b93ce24572ff35ac5df4c10 (diff) | |
Accept two past time slots for auth cookie validation; don't encode user-agent into session auth hash (#1488449)
Conflicts:
program/include/rcube.php
| -rw-r--r-- | program/include/rcmail.php | 2 | ||||
| -rw-r--r-- | program/include/rcube_session.php | 25 |
2 files changed, 16 insertions, 11 deletions
diff --git a/program/include/rcmail.php b/program/include/rcmail.php index eec3dd27f..8988bdc13 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -802,7 +802,7 @@ class rcmail $this->session->set_keep_alive($keep_alive); } - $this->session->set_secret($this->config->get('des_key') . $_SERVER['HTTP_USER_AGENT']); + $this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME'])); $this->session->set_ip_check($this->config->get('ip_check')); } diff --git a/program/include/rcube_session.php b/program/include/rcube_session.php index e6e636e18..53042b3bf 100644 --- a/program/include/rcube_session.php +++ b/program/include/rcube_session.php @@ -43,7 +43,6 @@ class rcube_session private $vars = false; private $key; private $now; - private $prev; private $secret = ''; private $ip_check = false; private $logging = false; @@ -518,7 +517,6 @@ class rcube_session // valid time range is now - 1/2 lifetime to now + 1/2 lifetime $now = time(); $this->now = $now - ($now % ($this->lifetime / 2)); - $this->prev = $this->now - ($this->lifetime / 2); } /** @@ -589,15 +587,22 @@ class rcube_session $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']); if ($result && $this->_mkcookie($this->now) != $this->cookie) { - // Check if using id from previous time slot - if ($this->_mkcookie($this->prev) == $this->cookie) { - $this->set_auth_cookie(); - } - else { - $result = false; - $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent"); + $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now)); + $result = false; + + // Check if using id from a previous time slot + for ($i = 1; $i <= 2; $i++) { + $prev = $this->now - ($this->lifetime / 2) * $i; + if ($this->_mkcookie($prev) == $this->cookie) { + $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie); + $this->set_auth_cookie(); + $result = true; + } } - } + } + + if (!$result) + $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev)); return $result; } |