From 9b66b5eee37c1a3958d9ddccb9c1a06ac7ef49ce Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Fri, 8 Apr 2016 04:44:10 -0700
Subject: objectify all the session management stuff
---
 Zotlabs/Web/Session.php | 91 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 Zotlabs/Web/Session.php
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
new file mode 100644
index 000000000..ff0070d15
--- /dev/null
+++ b/Zotlabs/Web/Session.php
@@ -0,0 +1,91 @@
+ $v) {
+ unset($_SESSION[$k]);
+ }
+ }
+ }
+
+
+
+ function new_cookie($time) {
+
+ $old_sid = session_id();
+
+ session_regenerate_id(false);
+
+ q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
+ dbesc(session_id()),
+ dbesc($old_sid)
+ );
+
+ if (x($_COOKIE, 'jsAvailable')) {
+ if ($time) {
+ $expires = time() + $time;
+ } else {
+ $expires = 0;
+ }
+ setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
+ }
+ setcookie(session_name(),session_id(),$expires);
+ }
+
+
+}
\ No newline at end of file
-- cgit v1.2.3
From c0bdcfedeb8c5b8753587ac77d5b90d48698ec66 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Fri, 8 Apr 2016 05:10:36 -0700
Subject: log if the session handler fails and surface the ssl_cookie config setting
---
 Zotlabs/Web/Session.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index ff0070d15..494c02b1d 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -27,7 +27,9 @@ class Session {
 $handler = new \Zotlabs\Web\SessionHandler();
- session_set_save_handler($handler,true);
+ $x = session_set_save_handler($handler,true);
+ if(! $x)
+ logger('Session save handler initialisation failed.',LOGGER_NORMAL,LOG_ERR);
 // Force cookies to be secure (https only) if this site is SSL enabled.
 // Must be done before session_start().
-- cgit v1.2.3
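Review bot: The closing `setcookie(session_name(),session_id(),$expires);` in new_cookie() re-issues the session cookie through plain setcookie(), which does not apply the parameters given to session_set_cookie_params(), so the secure and httponly attributes that init() configures for SSL sites (the "Force cookies to be secure" block referenced in the next hunk) are missing from the replacement cookie; the jsAvailable setcookie() line just above it has the same gap. Pass the configured values explicitly, e.g. `$p = session_get_cookie_params();` and `setcookie(session_name(), session_id(), $expires, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`. Separately, `$expires` is assigned only inside the `if (x($_COOKIE, 'jsAvailable'))` branch, so when that cookie is absent the final setcookie() reads an undefined variable and always emits a browser-session (0) expiry whatever `$time` was; hoist `$expires = ($time ? time() + $time : 0);` above the branch. The top of this hunk (the file header and the start of the method that ends at `unset($_SESSION[$k])`) is garbled in this rendering and could not be reviewed. The new_cookie() rewrite in commit abfbe9c and extend_cookie() in commit d1a2aec carry the same missing cookie attributes.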
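Review bot: After `if(! $x) logger(...)` control simply continues, so a failed session_set_save_handler() is logged and then session_start() (below this hunk) runs on PHP's default file handler instead of the \Zotlabs\Web\SessionHandler the rest of the class assumes; new_cookie()'s `q("UPDATE session SET sid = ...")` would then rename a row the live session never used. Unless the file handler is an accepted fallback, fail closed, e.g. `if(! $x) { logger('Session save handler initialisation failed.',LOGGER_NORMAL,LOG_ERR); throw new \RuntimeException('session save handler unavailable'); }`, or at least record the failure so callers can skip DB-backed session operations. init() starts and ends outside this hunk.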
From abfbe9c9375c7505e0422b8adc1d9d5426d7df1a Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 10 Apr 2016 16:56:08 -0700
Subject: a few issues: block public not blocking mod_cal, typo in sql for one clone file sync operation, fix_system_urls not catching cached contact photos, extend sessionhandler expiration when remember_me is enabled as the stored session is expiring long before the browser session.
---
 Zotlabs/Web/Session.php | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 494c02b1d..d25ce5f6a 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -13,6 +13,8 @@ namespace Zotlabs\Web;
 class Session {
+ private static $handler = null;
+
 function init() {
 $gc_probability = 50;
@@ -26,6 +28,7 @@ class Session {
 */
 $handler = new \Zotlabs\Web\SessionHandler();
+ self::$handler = $handler;
 $x = session_set_save_handler($handler,true);
 if(! $x)
@@ -67,26 +70,28 @@ class Session {
- function new_cookie($time) {
+ function new_cookie($xtime) {
+
+ $newxtime = (($xtime> 0) ? (time() + $xtime) : 0);
 $old_sid = session_id();
 session_regenerate_id(false);
- q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
- dbesc(session_id()),
- dbesc($old_sid)
- );
+ if(self::$handler) {
+ $v = q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
+ dbesc(session_id()),
+ dbesc($old_sid)
+ );
+ }
+ else
+ logger('no session handler');
 if (x($_COOKIE, 'jsAvailable')) {
- if ($time) {
- $expires = time() + $time;
- } else {
- $expires = 0;
- }
- setcookie('jsAvailable', $_COOKIE['jsAvailable'], $expires);
+ setcookie('jsAvailable', $_COOKIE['jsAvailable'], $newxtime);
 }
- setcookie(session_name(),session_id(),$expires);
+ setcookie(session_name(),session_id(),$newxtime);
+ }
-- cgit v1.2.3
From d1a2aecfa05927b79350500b7c0f9d9b978afbeb Mon Sep 17 00:00:00 2001
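Review bot: In new_cookie() the rename result `$v = q("UPDATE session SET sid = '%s' WHERE sid = '%s'", ...)` is stored but never checked, so if the UPDATE fails the client is handed the id that session_regenerate_id() produced two lines earlier with no stored row behind it, and the user is silently logged out instead of the failure being recorded. Test it next to the existing else branch, e.g. `if(! $v) logger('session sid rename failed', LOGGER_NORMAL, LOG_ERR);`. The `self::$handler->rename($old_sid,session_id())` call that replaces this query in commit 202035fc likewise discards whatever rename() reports, if it reports anything. The `else logger('no session handler')` path also lets the regenerated id through unchanged, which is fine on PHP's file handler but means the message only records a misconfiguration rather than acting on it.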
From: redmatrix
Date: Sun, 10 Apr 2016 19:20:41 -0700
Subject: move more session related stuff such as paranoia handling (IP address changes) into the session object and extend remember_me cookies once a day so that they will never expire (theoretically). The DB session driver will extend its expiration on every session write (in the case of persistent sessions).
---
 Zotlabs/Web/Session.php | 59 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index d25ce5f6a..e5fe47386 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -68,8 +68,6 @@ class Session {
 }
 }
-
-
 function new_cookie($xtime) {
 $newxtime = (($xtime> 0) ? (time() + $xtime) : 0);
@@ -94,5 +92,62 @@ class Session {
 }
+ function extend_cookie() {
+
+ // if there's a long-term cookie, extend it
+
+ if(intval($_SESSION['remember_me']))
+ setcookie(session_name(),session_id(),(time() + (60 * 60 * 24 * 365)));
+
+ }
+
+
+ function return_check() {
+
+ // check a returning visitor against IP changes.
+ // If the change results in being blocked from re-entry with the current cookie
+ // nuke the session and logout.
+ // Returning at all indicates the session is still valid.
+
+ // first check if we're enforcing that sessions can't change IP address
+ // @todo what to do with IPv6 addresses
+
+ if($_SESSION['addr'] && $_SESSION['addr'] != $_SERVER['REMOTE_ADDR']) {
+ logger('SECURITY: Session IP address changed: ' . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+
+ $partial1 = substr($_SESSION['addr'], 0, strrpos($_SESSION['addr'], '.'));
+ $partial2 = substr($_SERVER['REMOTE_ADDR'], 0, strrpos($_SERVER['REMOTE_ADDR'], '.'));
+
+ $paranoia = intval(get_pconfig($_SESSION['uid'], 'system', 'paranoia'));
+
+ if(! $paranoia)
+ $paranoia = intval(get_config('system', 'paranoia'));
+
+ switch($paranoia) {
+ case 0:
+ // no IP checking
+ break;
+ case 2:
+ // check 2 octets
+ $partial1 = substr($partial1, 0, strrpos($partial1, '.'));
+ $partial2 = substr($partial2, 0, strrpos($partial2, '.'));
+ if($partial1 == $partial2)
+ break;
+ case 1:
+ // check 3 octets
+ if($partial1 == $partial2)
+ break;
+ case 3:
+ default:
+ // check any difference at all
+ logger('Session address changed. Paranoid setting in effect, blocking session. '
+ . $_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
+ self::nuke();
+ goaway(z_root());
+ break;
+ }
+ }
+ return true;
+ }
 }
\ No newline at end of file
-- cgit v1.2.3
From 482962648fa2f3219e979586abcfbc5c90fcb97f Mon Sep 17 00:00:00 2001
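Review bot: In return_check() the octet trimming with `strrpos($_SESSION['addr'], '.')` silently disables the check when both the stored and the current address are IPv6: strrpos() returns false when there is no dot, `substr($addr, 0, false)` then yields an empty string on both sides, and the `case 2` and `case 1` comparisons see `'' == ''` and break, so such a session may move between any two addresses at paranoia levels 1 and 2 while the equivalent IPv4 change is blocked — the `@todo what to do with IPv6 addresses` comment reads as a refinement, but the current behaviour at those levels is fail-open. Decide the IPv6 policy explicitly: compare `inet_pton()` byte strings on a prefix boundary (for example the first 8 bytes) for levels 1 and 2, or at minimum detect a colon in either address and route it to the `case 3` any-difference branch so the setting fails closed. The intentional fall-through from `case 2` into `case 1` and then `case 3` deserves a `// fall through` comment at each drop, since at level 2 the level-1 comparison re-runs on strings already trimmed to two octets (harmless, but not obvious). In extend_cookie(), `intval($_SESSION['remember_me'])` raises an undefined-index notice on sessions without that key, `if(x($_SESSION, 'remember_me') && intval($_SESSION['remember_me']))` matches the file's idiom and avoids it, and its bare `setcookie(session_name(),session_id(),...)` omits the secure/httponly attributes configured in init() just as new_cookie() does.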
From: Mario Vavti
Date: Mon, 11 Apr 2016 11:01:53 +0200
Subject: whitespace
---
 Zotlabs/Web/Session.php | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index e5fe47386..68af74521 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -37,16 +37,16 @@ class Session {
 // Force cookies to be secure (https only) if this site is SSL enabled.
 // Must be done before session_start().
- if(intval(\App::$config['system']['ssl_cookie_protection'])) {
- $arr = session_get_cookie_params();
- session_set_cookie_params(
- ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
- ((isset($arr['path'])) ? $arr['path'] : '/'),
- ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),
- ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
- ((isset($arr['httponly'])) ? $arr['httponly'] : true)
+ if(intval(\App::$config['system']['ssl_cookie_protection'])) {
+ $arr = session_get_cookie_params();
+ session_set_cookie_params(
+ ((isset($arr['lifetime'])) ? $arr['lifetime'] : 0),
+ ((isset($arr['path'])) ? $arr['path'] : '/'),
+ ((isset($arr['domain'])) ? $arr['domain'] : App::get_hostname()),
+ ((isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') ? true : false),
+ ((isset($arr['httponly'])) ? $arr['httponly'] : true)
 );
- }
+ }
 }
 function start() {
@@ -150,4 +150,4 @@ class Session {
 return true;
 }
-}
\ No newline at end of file
+}
-- cgit v1.2.3
From 202035fc68d8b2364436cef75d68ac2a610e42c0 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Mon, 11 Apr 2016 19:19:58 -0700
Subject: move all DB session storage logic to SessionHandler where it belongs
---
 Zotlabs/Web/Session.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 68af74521..0cd83c15e 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -77,10 +77,7 @@ class Session {
 session_regenerate_id(false);
 if(self::$handler) {
- $v = q("UPDATE session SET sid = '%s' WHERE sid = '%s'",
- dbesc(session_id()),
- dbesc($old_sid)
- );
+ self::$handler->rename($old_sid,session_id());
 }
 else
 logger('no session handler');
-- cgit v1.2.3
From 91cc36514306e827c126ceed6c17486c85f5544c Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Tue, 12 Apr 2016 22:55:26 -0700
Subject: reverse the logic of the jsenabled setting so that sessions without js are performance penalised instead of regular sessions.
---
 Zotlabs/Web/Session.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'Zotlabs/Web/Session.php')
diff --git a/Zotlabs/Web/Session.php b/Zotlabs/Web/Session.php
index 55536fdc7..f998df396 100644
--- a/Zotlabs/Web/Session.php
+++ b/Zotlabs/Web/Session.php
@@ -85,8 +85,8 @@ class Session {
 else
 logger('no session handler');
- if (x($_COOKIE, 'jsAvailable')) {
- setcookie('jsAvailable', $_COOKIE['jsAvailable'], $newxtime);
+ if (x($_COOKIE, 'jsdisabled')) {
+ setcookie('jsdisabled', $_COOKIE['jsdisabled'], $newxtime);
 }
 setcookie(session_name(),session_id(),$newxtime);
-- cgit v1.2.3