Changeset 6134 in subversion


Timestamp:
Apr 30, 2012 5:04:53 PM (2 years ago)
Author:
thomasb
Message:

Accept two past time slots for auth cookie validation; don't encode user-agent into session auth hash (#1488449)

Location:
trunk/roundcubemail/program/include
Files:
2 edited

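--- a/trunk/roundcubemail/program/include/rcube.php
+++ b/trunk/roundcubemail/program/include/rcube.php
@@ -477,5 +477,5 @@
         }
 
-        $this->session->set_secret($this->config->get('des_key') . $_SERVER['HTTP_USER_AGENT']);
+        $this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
         $this->session->set_ip_check($this->config->get('ip_check'));
     }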
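Review bot: The value now appended to `des_key`, `dirname($_SERVER['SCRIPT_NAME'])`, is the public URL path of the installation, so it contributes no secrecy to the session secret; the only secret input is `des_key`, which by its config name presumably also serves as the DES encryption key, so the auth-cookie hash and the encryption share raw key material. The path is also not necessarily stable if the same install is reached through different paths (an alias, a rewrite rule, a second entry script), which would change the auth hash and drop otherwise valid sessions — worth confirming against how the install is typically served. I would derive a dedicated, domain-separated secret instead: `$this->session->set_secret(hash('sha256', 'session-auth|' . $this->config->get('des_key')));`. A one-line comment recording why the User-Agent was dropped from the hash would also help, since that reasoning currently lives only in the commit message and ticket. The enclosing method starts outside the hunk.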
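--- a/trunk/roundcubemail/program/include/rcube_session.php
+++ b/trunk/roundcubemail/program/include/rcube_session.php
@@ -44,5 +44,4 @@
   private $key;
   private $now;
-  private $prev;
   private $secret = '';
   private $ip_check = false;
@@ -520,5 +519,4 @@
       $now = time();
       $this->now = $now - ($now % ($this->lifetime / 2));
-      $this->prev = $this->now - ($this->lifetime / 2);
   }
 
@@ -591,13 +589,20 @@
 
     if ($result && $this->_mkcookie($this->now) != $this->cookie) {
-      // Check if using id from previous time slot
-      if ($this->_mkcookie($this->prev) == $this->cookie) {
-        $this->set_auth_cookie();
-      }
-      else {
-        $result = false;
-        $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent");
-      }
-    }
+      $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));
+      $result = false;
+
+      // Check if using id from a previous time slot
+      for ($i = 1; $i <= 2; $i++) {
+        $prev = $this->now - ($this->lifetime / 2) * $i;
+        if ($this->_mkcookie($prev) == $this->cookie) {
+          $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);
+          $this->set_auth_cookie();
+          $result = true;
+        }
+      }
+        }
+
+    if (!$result)
+      $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));
 
     return $result;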
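Review bot: `$prev` on the final log line (new 606) is only assigned inside the `for` loop, so when `$result` was already false on entry the outer `if` is skipped entirely and the log call reads an undefined variable (a notice, and `date()` then formats a meaningless timestamp); unless `$prev` is set earlier in the method, which the hunk does not show, initialise it before the `if`, e.g. `$prev = $this->now;`, or log `$this->now` there. Both cookie comparisons, `!=` on new 590 and `==` on new 597, are loose comparisons of a client-supplied string; if `_mkcookie()` returns a hex digest, PHP's numeric-string rules make distinct `0e…` values compare equal, so use `!==`/`===` (or `hash_equals()` where available), e.g. `if (hash_equals($this->_mkcookie($prev), $this->cookie)) {`. A `break;` after `$result = true;` would stop the loop at the first matching slot rather than hashing and comparing again. The widened window also means a cookie minted up to a full `lifetime` before the current half-lifetime slot is re-accepted and refreshed, which extends how long a captured auth cookie stays usable; a comment on the loop stating that trade-off, `// accept the two previous half-lifetime slots: an old cookie is re-validated for up to one lifetime`, would make it explicit. The enclosing method starts outside the hunk.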