Changeset 521 in subversion

Timestamp:

Mar 27, 2007 5:34:30 AM (6 years ago)

Author:

thomasb

Message:

New session authentication, should fix bugs #1483951 and #1484299; testing required

Location:

trunk/roundcubemail

Files:

• CHANGELOG (modified) (1 diff)
• UPGRADING (modified) (1 diff)
• config/main.inc.php.dist (modified) (1 diff)
• index.php (modified) (4 diffs)
• program/include/main.inc (modified) (5 diffs)
• program/include/session.inc (modified) (6 diffs)

trunk/roundcubemail/CHANGELOG

@@ -1 +1 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
+
+2007/03/27 (thomasb)
+----------
+- New session authentication: Change sessid cookie when login, authentication with sessauth cookie is now configurable.
+  Should close bugs #1483951 and #1484299
+
 
 2007/03/23 (thomasb)

trunk/roundcubemail/UPGRADING

@@ -17 +17 @@
   $rcmail_config['preview_pane'] = TRUE;
   $rcmail_config['date_today'] = 'H:i';
+  $rcmail_config['double_auth'] = TRUE;
 
 

trunk/roundcubemail/config/main.inc.php.dist

@@ -98 +98 @@
 
 // check client IP in session athorization
-$rcmail_config['ip_check'] = TRUE;
+$rcmail_config['ip_check'] = false;
+
+// Use an additional frequently changing cookie to athenticate user sessions.
+// There have been problems reported with this feature.
+$rcmail_config['double_auth'] = false;
 
 // this key is used to encrypt the users imap password which is stored

trunk/roundcubemail/index.php

@@ -3 +3 @@
  +-----------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                         |
- | Version 0.1-20070301                                                  |
+ | Version 0.1-20070327                                                  |
  |                                                                       |
  | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
@@ -41 +41 @@
 */
 
-define('RCMAIL_VERSION', '0.1-20070301');
+define('RCMAIL_VERSION', '0.1-20070327');
 
 // define global vars
@@ -173 +173 @@
     show_message("cookiesdisabled", 'warning');
     }
-  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+  else if ($_SESSION['temp'] && isset($_POST['_user']) && isset($_POST['_pass']) &&
            rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
               get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'), $host))
     {
+    // create new session ID
+    unset($_SESSION['temp']);
+    sess_regenerate_id();
+
+    // send auth cookie if necessary
+    rcmail_authenticate_session();
+
     // send redirect
     header("Location: $COMM_PATH");
@@ -198 +205 @@
 else if ($_action != 'login' && $_SESSION['user_id'] && $_action != 'send')
   {
-  if (!rcmail_authenticate_session() ||
-      (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
+  if (!rcmail_authenticate_session())
     {
     $message = show_message('sessionerror', 'error');

trunk/roundcubemail/program/include/main.inc

@@ -34 +34 @@
 function rcmail_startup($task='mail')
   {
-  global $sess_id, $sess_auth, $sess_user_lang;
+  global $sess_id, $sess_user_lang;
   global $CONFIG, $INSTALL_PATH, $BROWSER, $OUTPUT, $_SESSION, $IMAP, $DB, $JS_OBJECT_NAME;
 
@@ -54 +54 @@
   $DB->db_connect('w');
 
-  // we can use the database for storing session data
-  if (!$DB->is_error())
-    include_once('include/session.inc');
+  // use database for storing session data
+  include_once('include/session.inc');
 
   // init session
@@ -66 +65 @@
     {
     $_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']);
-    $_SESSION['auth_time'] = mktime();
-    setcookie('sessauth', rcmail_auth_hash($sess_id, $_SESSION['auth_time']));
+    $_SESSION['auth_time'] = time();
+    $_SESSION['temp'] = true;
     }
 
@@ -179 +178 @@
 function rcmail_authenticate_session()
   {
-  $now = mktime();
-  $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) ||
-                                                $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth']));
-
-  // renew auth cookie every 5 minutes (only for GET requests)
-  if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300))
-    {
-    $_SESSION['last_auth'] = $_SESSION['auth_time'];
-    $_SESSION['auth_time'] = $now;
-    setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
-    }
+  global $CONFIG, $SESS_CLIENT_IP, $SESS_CHANGED;
+  
+  // advanced session authentication
+  if ($CONFIG['double_auth'])
+  {
+    $now = time();
+    $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) ||
+              $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth']));
+
+    // renew auth cookie every 5 minutes (only for GET requests)
+    if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300))
+    {
+      $_SESSION['last_auth'] = $_SESSION['auth_time'];
+      $_SESSION['auth_time'] = $now;
+      setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
+    }
+  }
+  else
+    $valid = $CONFIG['ip_check'] ? $_SERVER['REMOTE_ADDR'] == $SESS_CLIENT_IP : true;
+  
+  // check session filetime
+  if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time())
+    $valid = false;
 
   return $valid;
@@ -276 +287 @@
     }
 
-  $_SESSION = array();
-  session_destroy();
+  $_SESSION = array('user_lang' => $GLOBALS['sess_user_lang'], 'auth_time' => time(), 'temp' => true);
+  setcookie('sessauth', '-del-', time()-60);
   }
 

trunk/roundcubemail/program/include/session.inc

@@ -37 +37 @@
 function sess_read($key)
   {
-  global $DB, $SESS_CHANGED;
+  global $DB, $SESS_CHANGED, $SESS_CLIENT_IP;
+  
+  if ($DB->is_error())
+    return FALSE;
   
   $sql_result = $DB->query("SELECT vars, ip, ".$DB->unixtimestamp('changed')." AS changed
@@ -47 +50 @@
     {
     $SESS_CHANGED = $sql_arr['changed'];
+    $SESS_CLIENT_IP = $sql_arr['ip'];
 
     if (strlen($sql_arr['vars']))
@@ -60 +64 @@
   {
   global $DB;
+  
+  if ($DB->is_error())
+    return FALSE;
 
   $sql_result = $DB->query("SELECT 1
@@ -97 +104 @@
   global $DB;
   
+  if ($DB->is_error())
+    return FALSE;
+  
   // delete session entries in cache table
   $DB->query("DELETE FROM ".get_table_name('cache')."
@@ -114 +124 @@
   {
   global $DB;
+
+  if ($DB->is_error())
+    return FALSE;
 
   // get all expired sessions  
@@ -145 +158 @@
 
 
+function sess_regenerate_id()
+  {
+  $randlen = 32;
+  $randval = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  $random = "";
+  for ($i=1; $i <= $randlen; $i++)
+    $random .= substr($randval, rand(0,(strlen($randval) - 1)), 1);
+
+  // use md5 value for id or remove capitals from string $randval
+  $random = md5($random);
+
+  // delete old session record
+  sess_destroy(session_id());
+
+  session_id($random);
+  $cookie = session_get_cookie_params();
+  setcookie(session_name(), $random, $cookie['lifetime'], $cookie['path']);
+
+  return true;
+  }
+
+
 // set custom functions for PHP session management
 session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy', 'sess_gc');