summaryrefslogtreecommitdiff
path: root/program/include
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2012-04-30 21:04:53 +0000
committerthomascube <thomas@roundcube.net>2012-04-30 21:04:53 +0000
commit58154f59fc16322598e3a01937fbffdb97cdf62b (patch)
tree83ca652a98fc34dfad5e743214d90f5005e3f3bf /program/include
parentf81e06065f38a2040e41cc3b066575939c8c6747 (diff)
Accept two past time slots for auth cookie validation; don't encode user-agent into session auth hash (#1488449)
Diffstat (limited to 'program/include')
-rw-r--r--program/include/rcube.php2
-rw-r--r--program/include/rcube_session.php25
2 files changed, 16 insertions, 11 deletions
diff --git a/program/include/rcube.php b/program/include/rcube.php
index 55dc4ee77..8bd9b76be 100644
--- a/program/include/rcube.php
+++ b/program/include/rcube.php
@@ -476,7 +476,7 @@ class rcube
$this->session->set_keep_alive($keep_alive);
}
- $this->session->set_secret($this->config->get('des_key') . $_SERVER['HTTP_USER_AGENT']);
+ $this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
$this->session->set_ip_check($this->config->get('ip_check'));
}
diff --git a/program/include/rcube_session.php b/program/include/rcube_session.php
index 6f7d90bd4..e024b0e90 100644
--- a/program/include/rcube_session.php
+++ b/program/include/rcube_session.php
@@ -43,7 +43,6 @@ class rcube_session
private $vars = false;
private $key;
private $now;
- private $prev;
private $secret = '';
private $ip_check = false;
private $logging = false;
@@ -519,7 +518,6 @@ class rcube_session
// valid time range is now - 1/2 lifetime to now + 1/2 lifetime
$now = time();
$this->now = $now - ($now % ($this->lifetime / 2));
- $this->prev = $this->now - ($this->lifetime / 2);
}
/**
@@ -590,15 +588,22 @@ class rcube_session
$this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']);
if ($result && $this->_mkcookie($this->now) != $this->cookie) {
- // Check if using id from previous time slot
- if ($this->_mkcookie($this->prev) == $this->cookie) {
- $this->set_auth_cookie();
- }
- else {
- $result = false;
- $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent");
+ $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));
+ $result = false;
+
+ // Check if using id from a previous time slot
+ for ($i = 1; $i <= 2; $i++) {
+ $prev = $this->now - ($this->lifetime / 2) * $i;
+ if ($this->_mkcookie($prev) == $this->cookie) {
+ $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);
+ $this->set_auth_cookie();
+ $result = true;
+ }
}
- }
+ }
+
+ if (!$result)
+ $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));
return $result;
}