New session authentication, should fix bugs #1483951 and #1484299; testing required

2 files changed, 63 insertions, 17 deletions

diff --git a/program/include/main.inc b/program/include/main.inc
index 3fe196a74..b6d995cc6 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -33,7 +33,7 @@ define('RCUBE_INPUT_GPC', 0x0103);
 // register session and connect to server
 function rcmail_startup($task='mail')
   {
-  global $sess_id, $sess_auth, $sess_user_lang;
+  global $sess_id, $sess_user_lang;
   global $CONFIG, $INSTALL_PATH, $BROWSER, $OUTPUT, $_SESSION, $IMAP, $DB, $JS_OBJECT_NAME;
 
   // check client
@@ -53,9 +53,8 @@ function rcmail_startup($task='mail')
   $DB->sqlite_initials = $INSTALL_PATH.'SQL/sqlite.initial.sql';
   $DB->db_connect('w');
 
-  // we can use the database for storing session data
-  if (!$DB->is_error())
-    include_once('include/session.inc');
+  // use database for storing session data
+  include_once('include/session.inc');
 
   // init session
   session_start();
@@ -65,8 +64,8 @@ function rcmail_startup($task='mail')
   if (!isset($_SESSION['auth_time']))
     {
     $_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']);
-    $_SESSION['auth_time'] = mktime();
-    setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time']));
+    $_SESSION['auth_time'] = time();
+    $_SESSION['temp'] = true;
     }
 
   // set session vars global
@@ -178,17 +177,29 @@ function rcmail_auth_hash($sess_id, $ts)
 // compare the auth hash sent by the client with the local session credentials
 function rcmail_authenticate_session()
   {
-  $now = mktime();
-  $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) ||
-						$_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth']));
+  global $CONFIG, $SESS_CLIENT_IP, $SESS_CHANGED;
+  
+  // advanced session authentication
+  if ($CONFIG['double_auth'])
+  {
+    $now = time();
+    $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) ||
+              $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth']));
 
-  // renew auth cookie every 5 minutes (only for GET requests)
-  if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300))
+    // renew auth cookie every 5 minutes (only for GET requests)
+    if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300))
     {
-    $_SESSION['last_auth'] = $_SESSION['auth_time'];
-    $_SESSION['auth_time'] = $now;
-    setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
+      $_SESSION['last_auth'] = $_SESSION['auth_time'];
+      $_SESSION['auth_time'] = $now;
+      setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
     }
+  }
+  else
+    $valid = $CONFIG['ip_check'] ? $_SERVER['REMOTE_ADDR'] == $SESS_CLIENT_IP : true;
+  
+  // check session filetime
+  if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time())
+    $valid = false;
 
   return $valid;
   }
@@ -275,8 +286,8 @@ function rcmail_kill_session()
     rcmail_save_user_prefs($a_user_prefs);
     }
 
-  $_SESSION = array();
-  session_destroy();
+  $_SESSION = array('user_lang' => $GLOBALS['sess_user_lang'], 'auth_time' => time(), 'temp' => true);
+  setcookie('sessauth', '-del-', time()-60);
   }
 
 
diff --git a/program/include/session.inc b/program/include/session.inc
index 6c4687e68..59631afe1 100644
--- a/program/include/session.inc
+++ b/program/include/session.inc
@@ -36,7 +36,10 @@ function sess_close()
 // read session data
 function sess_read($key)
   {
-  global $DB, $SESS_CHANGED;
+  global $DB, $SESS_CHANGED, $SESS_CLIENT_IP;
+  
+  if ($DB->is_error())
+    return FALSE;
   
   $sql_result = $DB->query("SELECT vars, ip, ".$DB->unixtimestamp('changed')." AS changed
                             FROM ".get_table_name('session')."
@@ -46,6 +49,7 @@ function sess_read($key)
   if ($sql_arr = $DB->fetch_assoc($sql_result))
     {
     $SESS_CHANGED = $sql_arr['changed'];
+    $SESS_CLIENT_IP = $sql_arr['ip'];
 
     if (strlen($sql_arr['vars']))
       return $sql_arr['vars'];
@@ -59,6 +63,9 @@ function sess_read($key)
 function sess_write($key, $vars)
   {
   global $DB;
+  
+  if ($DB->is_error())
+    return FALSE;
 
   $sql_result = $DB->query("SELECT 1
                             FROM ".get_table_name('session')."
@@ -96,6 +103,9 @@ function sess_destroy($key)
   {
   global $DB;
   
+  if ($DB->is_error())
+    return FALSE;
+  
   // delete session entries in cache table
   $DB->query("DELETE FROM ".get_table_name('cache')."
               WHERE  session_id=?",
@@ -114,6 +124,9 @@ function sess_gc($maxlifetime)
   {
   global $DB;
 
+  if ($DB->is_error())
+    return FALSE;
+
   // get all expired sessions  
   $sql_result = $DB->query("SELECT sess_id
                             FROM ".get_table_name('session')."
@@ -144,6 +157,28 @@ function sess_gc($maxlifetime)
   }
 
 
+function sess_regenerate_id()
+  {
+  $randlen = 32;
+  $randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  $random = "";
+  for ($i=1; $i <= $randlen; $i++)
+    $random .= substr($randval, rand(0,(strlen($randval) - 1)), 1);
+
+  // use md5 value for id or remove capitals from string $randval
+  $random = md5($random);
+
+  // delete old session record
+  sess_destroy(session_id());
+
+  session_id($random);
+  $cookie = session_get_cookie_params();
+  setcookie(session_name(), $random, $cookie['lifetime'], $cookie['path']);
+
+  return true;
+  }
+
+
 // set custom functions for PHP session management
 session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc');