
Security - Update session validation and regenerate session id on login

FusionPBX 1 vuosi sitten
vanhempi
commit
bbf714f218

+ 14 - 4
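--- a/core/authentication/resources/classes/authentication.php
+++ b/core/authentication/resources/classes/authentication.php
@@ -169,12 +169,15 @@ class authentication {
 // 			}
 // 			$result["authorized"] = $authorized;
 
-		//add user logs
+		//add the result to the user logs
 			user_logs::add($result);
 
 		//user is authorized - get user settings, check user cidr
 			if ($authorized) {
 
+				//regenerate the session on login
+					session_regenerate_id(true);
+
 				//set a session variable to indicate authorized is set to true
 					$_SESSION['authorized'] = true;
 
@@ -229,8 +232,15 @@ class authentication {
 					$_SESSION["user_uuid"] = $result["user_uuid"];
 					$_SESSION["context"] = $result['domain_name'];
 
-				//used to validate the session
-					$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
+				//build the session server array to validate the session
+					global $conf;
+					if (!isset($conf['session.validate'])) { $conf['session.validate'][] = 'HTTP_USER_AGENT'; }
+					foreach($conf['session.validate'] as $name) {
+						$server_array[$name] = $_SERVER[$name];
+					}
+
+				//save the user hash to be used in validate the session
+					$_SESSION["user_hash"] = hash('sha256', implode($server_array));
 
 				//user session array
 					$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
@@ -448,4 +458,4 @@ $response = $auth->validate();
 print_r($response);
 */
 
-?>
+?>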
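Review bot: In the second hunk `$server_array` is never initialised and `$_SERVER[$name]` is read without a guard, so a configured key the request does not carry (a client may send no HTTP_USER_AGENT at all) raises an undefined-key warning, and if the configured `session.validate` list is empty `implode()` is handed an undefined variable; initialise `$server_array = [];` before the loop and use `$server_array[$name] = $_SERVER[$name] ?? '';` inside it. The same two lines are repeated in resources/check_auth.php and need the identical treatment, since any difference between the two fingerprint computations logs every user out on their next request. `implode($server_array)` joins the values with no separator, so two fields can share a boundary ambiguously; a fixed separator such as `implode("\n", $server_array)`, applied on both sides, removes that. The method containing this code starts and ends outside the hunk.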

+ 12 - 2
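--- a/resources/check_auth.php
+++ b/resources/check_auth.php
@@ -75,8 +75,18 @@
 		$_SESSION['authorized'] = false;
 	}
 
-//validate the session address
-	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) {
+//session validate: use HTTP_USER_AGENT as a default value
+	if (!isset($conf['session.validate'])) {
+		$conf['session.validate'][] = 'HTTP_USER_AGENT';
+	}
+
+//session validate: prepare the server array
+	foreach($conf['session.validate'] as $name) {
+		$server_array[$name] = $_SERVER[$name];
+	}
+
+//session validate: check to see if the session is valid
+	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
 		session_destroy();
 		header("Location: ".PROJECT_PATH."/logout.php");
 	}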
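Review bot: The validation line compares the stored fingerprint with `!==`, which stops at the first differing byte; the conventional form for comparing digests is `!hash_equals($_SESSION["user_hash"] ?? '', hash('sha256', implode($server_array)))`, and the `?? ''` also covers a session that was authorised before this change was deployed and therefore has no `user_hash` yet (today that case emits an undefined-key warning before the logout, and `hash_equals` would otherwise throw on a null argument). The `session_destroy()` and `header("Location: ...")` lines that follow are not followed by an `exit` within the hunk, so unless one appears later in the file the remainder of the page still executes for the rejected session; an `exit;` after the redirect makes the rejection final.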