move more session-related logic such as paranoia handling (IP address changes) into the session object, and extend remember_me cookies once a day so that they will (theoretically) never expire. The DB session driver will extend its expiration on every session write (in the case of persistent sessions).

redmatrix 2016-04-10 19:20:41 -07:00
parent 0fe4957274
commit d1a2aecfa0
2 changed files with 59 additions and 38 deletions


@ -68,8 +68,6 @@ class Session {
} }
} }
function new_cookie($xtime) { function new_cookie($xtime) {
$newxtime = (($xtime> 0) ? (time() + $xtime) : 0); $newxtime = (($xtime> 0) ? (time() + $xtime) : 0);
@ -94,5 +92,62 @@ class Session {
} }
function extend_cookie() {
// if there's a long-term cookie, extend it
if(intval($_SESSION['remember_me']))
setcookie(session_name(),session_id(),(time() + (60 * 60 * 24 * 365)));
}
function return_check() {
// check a returning visitor against IP changes.
// If the change results in being blocked from re-entry with the current cookie
// nuke the session and logout.
// Returning at all indicates the session is still valid.
// first check if we're enforcing that sessions can't change IP address
// @todo what to do with IPv6 addresses
if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
if(! $paranoia)
$paranoia = intval(get_config('system', 'paranoia'));
switch($paranoia) {
case 0:
// no IP checking
break;
case 2:
// check 2 octets
$partial1 = substr($partial1, 0, strrpos($partial1, '.'));
$partial2 = substr($partial2, 0, strrpos($partial2, '.'));
if($partial1 == $partial2)
break;
case 1:
// check 3 octets
if($partial1 == $partial2)
break;
case 3:
default:
// check any difference at all
logger('Session address changed. Paranoid setting in effect, blocking session. '
. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
self::nuke();
goaway(z_root());
break;
}
}
return true;
}
} }
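Review bot: Both new methods, `extend_cookie()` and `return_check()`, are invoked statically from the auth code (`Zotlabs\Web\Session::return_check();`, `Zotlabs\Web\Session::extend_cookie();`) and `return_check` itself calls `self::nuke()`, yet neither carries the `static` keyword; PHP 7 reports a deprecation for a non-static method called statically and PHP 8 turns it into a fatal Error, so declare them `static function extend_cookie()` and `static function return_check()`. The `setcookie()` call in `extend_cookie` passes only name, value and expiry; if `new_cookie` (its body lies outside the hunk) issues the session cookie with a path or the `secure`/`httponly` attributes, the re-issued cookie will not carry them and, with a differing path, may be stored beside the original rather than replacing it, so the refresh should go through the same helper (`self::new_cookie(60 * 60 * 24 * 365);`, provided `new_cookie` only re-issues the cookie) or pass the identical attributes explicitly. `$_SESSION['remember_me']` is also read without a presence check, which emits a notice for sessions that never set it; `if(isset($_SESSION['remember_me']) && intval($_SESSION['remember_me']))` avoids that.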


@ -141,42 +141,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) { if(x($_SESSION, 'uid') || x($_SESSION, 'account_id')) {
// first check if we're enforcing that sessions can't change IP address Zotlabs\Web\Session::return_check();
// @todo what to do with IPv6 addresses
if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
$partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
$partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
$paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
if(! $paranoia)
$paranoia = intval(get_config('system', 'paranoia'));
switch($paranoia) {
case 0:
// no IP checking
break;
case 2:
// check 2 octets
$partial1 = substr($partial1, 0, strrpos($partial1, '.'));
$partial2 = substr($partial2, 0, strrpos($partial2, '.'));
if($partial1 == $partial2)
break;
case 1:
// check 3 octets
if($partial1 == $partial2)
break;
case 3:
default:
// check any difference at all
logger('Session address changed. Paranoid setting in effect, blocking session. '
. $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
\Zotlabs\Web\Session::nuke();
goaway(z_root());
break;
}
}
$r = q("select * from account where account_id = %d limit 1", $r = q("select * from account where account_id = %d limit 1",
intval($_SESSION['account_id']) intval($_SESSION['account_id'])
@ -190,6 +155,7 @@ if((isset($_SESSION)) && (x($_SESSION, 'authenticated')) &&
} }
if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) { if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {
$_SESSION['last_login_date'] = datetime_convert(); $_SESSION['last_login_date'] = datetime_convert();
Zotlabs\Web\Session::extend_cookie();
$login_refresh = true; $login_refresh = true;
} }
authenticate_success($r[0], false, false, false, $login_refresh); authenticate_success($r[0], false, false, false, $login_refresh);
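Review bot: The call `Zotlabs\Web\Session::return_check();` discards the method's return value, and the method only ever returns `true` (its blocking path ends in `self::nuke()` followed by `goaway(z_root())`), so the account query that follows runs unguarded and relies on `goaway()` terminating the request, as its use in the removed code suggests it does. Either make the result meaningful — return `false` after `nuke()` and have this caller redirect, e.g. `if(! Zotlabs\Web\Session::return_check()) goaway(z_root());` — or drop the unconditional `return true` so the contract is not misleading. Note also that the removed code qualified the class as `\Zotlabs\Web\Session::nuke()` with a leading backslash while the two new calls omit it; harmless while this file has no namespace, but worth keeping consistent. The enclosing `if` block starts before the first hunk.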