keith/friendica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix "remember me" cookie for OpenID logins

Browse source 
Closes #2432

NOTE: in order to obtain the same "cookie hash" it was required
to include unneeded fields in the user record structure, this would
be good to change in the future...
This commit is contained in:
Sandro Santilli 2017-03-12 01:11:35 +01:00
parent 3f6fd8ee69
commit df6304cc42
3 changed files with 57 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
include/auth.php
View file

@ -125,6 +125,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
$openid = new LightOpenID; $openid = new LightOpenID;
$openid->identity = $openid_url; $openid->identity = $openid_url;
$_SESSION['openid'] = $openid_url; $_SESSION['openid'] = $openid_url;
$_SESSION['remember'] = $_POST['remember'];
$openid->returnUrl = App::get_baseurl(true).'/openid'; $openid->returnUrl = App::get_baseurl(true).'/openid';
goaway($openid->authUrl()); goaway($openid->authUrl());
} catch (Exception $e) { } catch (Exception $e) {
@ -178,17 +179,8 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
goaway(z_root()); goaway(z_root());
} }
// If the user specified to remember the authentication, then set a cookie
// that expires after one week (the default is when the browser is closed).
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ($_POST['remember'])
new_cookie(604800, $r[0]);
else
new_cookie(0); // 0 means delete on browser exit
// if we haven't failed up this point, log them in. // if we haven't failed up this point, log them in.
$_SESSION['remember'] = $_POST['remember'];
$_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); $_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
authenticate_success($record, true, true); authenticate_success($record, true, true);
} }
@ -203,39 +195,3 @@ function nuke_session() {
session_unset(); session_unset();
session_destroy(); session_destroy();
} }
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
*
* @param array $user Record from "user" table
*
* @return string Hashed data
*/
function cookie_hash($user) {
return(hash("sha256", get_config("system", "site_prvkey").
$user["uprvkey"].
$user["password"]));
}
/**
* @brief Set the "Friendica" cookie
*
* @param int $time
* @param array $user Record from "user" table
*/
function new_cookie($time, $user = array()) {
if ($time != 0)
$time = $time + time();
if ($user)
$value = json_encode(array("uid" => $user["uid"],
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
else
$value = "";
setcookie("Friendica", $value, $time, "/", "",
(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
}

54
include/security.php
View file

@ -1,5 +1,41 @@
<?php <?php
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
*
* @param array $user Record from "user" table
*
* @return string Hashed data
*/
function cookie_hash($user) {
return(hash("sha256", get_config("system", "site_prvkey").
$user["uprvkey"].
$user["password"]));
}
/**
* @brief Set the "Friendica" cookie
*
* @param int $time
* @param array $user Record from "user" table
*/
function new_cookie($time, $user = array()) {
if ($time != 0)
$time = $time + time();
if ($user)
$value = json_encode(array("uid" => $user["uid"],
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
else
$value = "";
setcookie("Friendica", $value, $time, "/", "",
(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
}
function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) { function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) {
$a = get_app(); $a = get_app();
@ -94,6 +130,24 @@ function authenticate_success($user_record, $login_initial = false, $interactive
} }
if ($login_initial) {
// If the user specified to remember the authentication, then set a cookie
// that expires after one week (the default is when the browser is closed).
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ($_SESSION['remember']) {
logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']);
new_cookie(604800, $user_record);
unset($_SESSION['remember']);
}
else {
new_cookie(0); // 0 means delete on browser exit
}
}
if ($login_initial) { if ($login_initial) {
call_hooks('logged_in', $a->user); call_hooks('logged_in', $a->user);

2
mod/openid.php
View file

@ -30,7 +30,7 @@ function openid_content(App $a) {
// mod/settings.php in 8367cad so it might have left mixed // mod/settings.php in 8367cad so it might have left mixed
// records in the user table // records in the user table
// //
$r = q("SELECT * FROM `user` $r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user`
WHERE ( `openid` = '%s' OR `openid` = '%s' ) WHERE ( `openid` = '%s' OR `openid` = '%s' )
AND `blocked` = 0 AND `account_expired` = 0 AND `blocked` = 0 AND `account_expired` = 0
AND `account_removed` = 0 AND `verified` = 1 AND `account_removed` = 0 AND `verified` = 1