From df6304cc423db5efceedfa4a523425e011f65d96 Mon Sep 17 00:00:00 2001 From: Sandro Santilli Date: Sun, 12 Mar 2017 01:11:35 +0100 Subject: [PATCH] Fix "remember me" cookie for OpenID logins Closes #2432 NOTE: in order to obtain the same "cookie hash" it was required to include unneeded fields in the user record structure, this would be good to change in the future... --- include/auth.php | 48 ++------------------------------------- include/security.php | 54 ++++++++++++++++++++++++++++++++++++++++++++ mod/openid.php | 2 +- 3 files changed, 57 insertions(+), 47 deletions(-) diff --git a/include/auth.php b/include/auth.php index e3c8d92eeb..62ca3563a4 100644 --- a/include/auth.php +++ b/include/auth.php @@ -125,6 +125,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' $openid = new LightOpenID; $openid->identity = $openid_url; $_SESSION['openid'] = $openid_url; + $_SESSION['remember'] = $_POST['remember']; $openid->returnUrl = App::get_baseurl(true).'/openid'; goaway($openid->authUrl()); } catch (Exception $e) { @@ -178,17 +179,8 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' goaway(z_root()); } - // If the user specified to remember the authentication, then set a cookie - // that expires after one week (the default is when the browser is closed). - // The cookie will be renewed automatically. - // The week ensures that sessions will expire after some inactivity. - if ($_POST['remember']) - new_cookie(604800, $r[0]); - else - new_cookie(0); // 0 means delete on browser exit - // if we haven't failed up this point, log them in. - + $_SESSION['remember'] = $_POST['remember']; $_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); authenticate_success($record, true, true); } @@ -203,39 +195,3 @@ function nuke_session() { session_unset(); session_destroy(); } - -/** - * @brief Calculate the hash that is needed for the "Friendica" cookie - * - * @param array $user Record from "user" table - * - * @return string Hashed data - */ -function cookie_hash($user) { - return(hash("sha256", get_config("system", "site_prvkey"). - $user["uprvkey"]. - $user["password"])); -} - -/** - * @brief Set the "Friendica" cookie - * - * @param int $time - * @param array $user Record from "user" table - */ -function new_cookie($time, $user = array()) { - - if ($time != 0) - $time = $time + time(); - - if ($user) - $value = json_encode(array("uid" => $user["uid"], - "hash" => cookie_hash($user), - "ip" => $_SERVER['REMOTE_ADDR'])); - else - $value = ""; - - setcookie("Friendica", $value, $time, "/", "", - (get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true); - -} diff --git a/include/security.php b/include/security.php index c379518562..93df6ff255 100644 --- a/include/security.php +++ b/include/security.php @@ -1,5 +1,41 @@ $user["uid"], + "hash" => cookie_hash($user), + "ip" => $_SERVER['REMOTE_ADDR'])); + else + $value = ""; + + setcookie("Friendica", $value, $time, "/", "", + (get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true); + +} + function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) { $a = get_app(); @@ -94,6 +130,24 @@ function authenticate_success($user_record, $login_initial = false, $interactive } + + if ($login_initial) { + // If the user specified to remember the authentication, then set a cookie + // that expires after one week (the default is when the browser is closed). + // The cookie will be renewed automatically. + // The week ensures that sessions will expire after some inactivity. + if ($_SESSION['remember']) { + logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']); + new_cookie(604800, $user_record); + unset($_SESSION['remember']); + } + else { + new_cookie(0); // 0 means delete on browser exit + } + } + + + if ($login_initial) { call_hooks('logged_in', $a->user); diff --git a/mod/openid.php b/mod/openid.php index 59a7530140..b45cd97975 100644 --- a/mod/openid.php +++ b/mod/openid.php @@ -30,7 +30,7 @@ function openid_content(App $a) { // mod/settings.php in 8367cad so it might have left mixed // records in the user table // - $r = q("SELECT * FROM `user` + $r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user` WHERE ( `openid` = '%s' OR `openid` = '%s' ) AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 -- 2.39.5