From aad6e2a9c4857715c8bd56693d21b87dd0c16263 Mon Sep 17 00:00:00 2001 From: thomascube Date: Tue, 27 Mar 2007 09:34:30 +0000 Subject: New session authentication, should fix bugs #1483951 and #1484299; testing required --- program/include/main.inc | 43 +++++++++++++++++++++++++++---------------- program/include/session.inc | 37 ++++++++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 17 deletions(-) (limited to 'program/include') diff --git a/program/include/main.inc b/program/include/main.inc index 3fe196a74..b6d995cc6 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -33,7 +33,7 @@ define('RCUBE_INPUT_GPC', 0x0103); // register session and connect to server function rcmail_startup($task='mail') { - global $sess_id, $sess_auth, $sess_user_lang; + global $sess_id, $sess_user_lang; global $CONFIG, $INSTALL_PATH, $BROWSER, $OUTPUT, $_SESSION, $IMAP, $DB, $JS_OBJECT_NAME; // check client @@ -53,9 +53,8 @@ function rcmail_startup($task='mail') $DB->sqlite_initials = $INSTALL_PATH.'SQL/sqlite.initial.sql'; $DB->db_connect('w'); - // we can use the database for storing session data - if (!$DB->is_error()) - include_once('include/session.inc'); + // use database for storing session data + include_once('include/session.inc'); // init session session_start(); @@ -65,8 +64,8 @@ function rcmail_startup($task='mail') if (!isset($_SESSION['auth_time'])) { $_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']); - $_SESSION['auth_time'] = mktime(); - setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time'])); + $_SESSION['auth_time'] = time(); + $_SESSION['temp'] = true; } // set session vars global @@ -178,17 +177,29 @@ function rcmail_auth_hash($sess_id, $ts) // compare the auth hash sent by the client with the local session credentials function rcmail_authenticate_session() { - $now = mktime(); - $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) || - $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth'])); + global $CONFIG, $SESS_CLIENT_IP, $SESS_CHANGED; + + // advanced session authentication + if ($CONFIG['double_auth']) + { + $now = time(); + $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) || + $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth'])); - // renew auth cookie every 5 minutes (only for GET requests) - if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300)) + // renew auth cookie every 5 minutes (only for GET requests) + if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300)) { - $_SESSION['last_auth'] = $_SESSION['auth_time']; - $_SESSION['auth_time'] = $now; - setcookie('sessauth', rcmail_auth_hash(session_id(), $now)); + $_SESSION['last_auth'] = $_SESSION['auth_time']; + $_SESSION['auth_time'] = $now; + setcookie('sessauth', rcmail_auth_hash(session_id(), $now)); } + } + else + $valid = $CONFIG['ip_check'] ? $_SERVER['REMOTE_ADDR'] == $SESS_CLIENT_IP : true; + + // check session filetime + if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time()) + $valid = false; return $valid; } @@ -275,8 +286,8 @@ function rcmail_kill_session() rcmail_save_user_prefs($a_user_prefs); } - $_SESSION = array(); - session_destroy(); + $_SESSION = array('user_lang' => $GLOBALS['sess_user_lang'], 'auth_time' => time(), 'temp' => true); + setcookie('sessauth', '-del-', time()-60); } diff --git a/program/include/session.inc b/program/include/session.inc index 6c4687e68..59631afe1 100644 --- a/program/include/session.inc +++ b/program/include/session.inc @@ -36,7 +36,10 @@ function sess_close() // read session data function sess_read($key) { - global $DB, $SESS_CHANGED; + global $DB, $SESS_CHANGED, $SESS_CLIENT_IP; + + if ($DB->is_error()) + return FALSE; $sql_result = $DB->query("SELECT vars, ip, ".$DB->unixtimestamp('changed')." AS changed FROM ".get_table_name('session')." @@ -46,6 +49,7 @@ function sess_read($key) if ($sql_arr = $DB->fetch_assoc($sql_result)) { $SESS_CHANGED = $sql_arr['changed']; + $SESS_CLIENT_IP = $sql_arr['ip']; if (strlen($sql_arr['vars'])) return $sql_arr['vars']; @@ -59,6 +63,9 @@ function sess_read($key) function sess_write($key, $vars) { global $DB; + + if ($DB->is_error()) + return FALSE; $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('session')." @@ -96,6 +103,9 @@ function sess_destroy($key) { global $DB; + if ($DB->is_error()) + return FALSE; + // delete session entries in cache table $DB->query("DELETE FROM ".get_table_name('cache')." WHERE session_id=?", @@ -114,6 +124,9 @@ function sess_gc($maxlifetime) { global $DB; + if ($DB->is_error()) + return FALSE; + // get all expired sessions $sql_result = $DB->query("SELECT sess_id FROM ".get_table_name('session')." @@ -144,6 +157,28 @@ function sess_gc($maxlifetime) } +function sess_regenerate_id() + { + $randlen = 32; + $randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; + $random = ""; + for ($i=1; $i <= $randlen; $i++) + $random .= substr($randval, rand(0,(strlen($randval) - 1)), 1); + + // use md5 value for id or remove capitals from string $randval + $random = md5($random); + + // delete old session record + sess_destroy(session_id()); + + session_id($random); + $cookie = session_get_cookie_params(); + setcookie(session_name(), $random, $cookie['lifetime'], $cookie['path']); + + return true; + } + + // set custom functions for PHP session management session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc'); -- cgit v1.2.3