From df6304cc423db5efceedfa4a523425e011f65d96 Mon Sep 17 00:00:00 2001 From: Sandro Santilli Date: Sun, 12 Mar 2017 01:11:35 +0100 Subject: [PATCH 1/4] Fix "remember me" cookie for OpenID logins Closes #2432 NOTE: in order to obtain the same "cookie hash" it was required to include unneeded fields in the user record structure, this would be good to change in the future... --- include/auth.php | 48 ++------------------------------------- include/security.php | 54 ++++++++++++++++++++++++++++++++++++++++++++ mod/openid.php | 2 +- 3 files changed, 57 insertions(+), 47 deletions(-) diff --git a/include/auth.php b/include/auth.php index e3c8d92eeb..62ca3563a4 100644 --- a/include/auth.php +++ b/include/auth.php @@ -125,6 +125,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' $openid = new LightOpenID; $openid->identity = $openid_url; $_SESSION['openid'] = $openid_url; + $_SESSION['remember'] = $_POST['remember']; $openid->returnUrl = App::get_baseurl(true).'/openid'; goaway($openid->authUrl()); } catch (Exception $e) { @@ -178,17 +179,8 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' goaway(z_root()); } - // If the user specified to remember the authentication, then set a cookie - // that expires after one week (the default is when the browser is closed). - // The cookie will be renewed automatically. - // The week ensures that sessions will expire after some inactivity. - if ($_POST['remember']) - new_cookie(604800, $r[0]); - else - new_cookie(0); // 0 means delete on browser exit - // if we haven't failed up this point, log them in. - + $_SESSION['remember'] = $_POST['remember']; $_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); authenticate_success($record, true, true); } @@ -203,39 +195,3 @@ function nuke_session() { session_unset(); session_destroy(); } - -/** - * @brief Calculate the hash that is needed for the "Friendica" cookie - * - * @param array $user Record from "user" table - * - * @return string Hashed data - */ -function cookie_hash($user) { - return(hash("sha256", get_config("system", "site_prvkey"). - $user["uprvkey"]. - $user["password"])); -} - -/** - * @brief Set the "Friendica" cookie - * - * @param int $time - * @param array $user Record from "user" table - */ -function new_cookie($time, $user = array()) { - - if ($time != 0) - $time = $time + time(); - - if ($user) - $value = json_encode(array("uid" => $user["uid"], - "hash" => cookie_hash($user), - "ip" => $_SERVER['REMOTE_ADDR'])); - else - $value = ""; - - setcookie("Friendica", $value, $time, "/", "", - (get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true); - -} diff --git a/include/security.php b/include/security.php index c379518562..93df6ff255 100644 --- a/include/security.php +++ b/include/security.php @@ -1,5 +1,41 @@ $user["uid"], + "hash" => cookie_hash($user), + "ip" => $_SERVER['REMOTE_ADDR'])); + else + $value = ""; + + setcookie("Friendica", $value, $time, "/", "", + (get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true); + +} + function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) { $a = get_app(); @@ -94,6 +130,24 @@ function authenticate_success($user_record, $login_initial = false, $interactive } + + if ($login_initial) { + // If the user specified to remember the authentication, then set a cookie + // that expires after one week (the default is when the browser is closed). + // The cookie will be renewed automatically. + // The week ensures that sessions will expire after some inactivity. + if ($_SESSION['remember']) { + logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']); + new_cookie(604800, $user_record); + unset($_SESSION['remember']); + } + else { + new_cookie(0); // 0 means delete on browser exit + } + } + + + if ($login_initial) { call_hooks('logged_in', $a->user); diff --git a/mod/openid.php b/mod/openid.php index 59a7530140..b45cd97975 100644 --- a/mod/openid.php +++ b/mod/openid.php @@ -30,7 +30,7 @@ function openid_content(App $a) { // mod/settings.php in 8367cad so it might have left mixed // records in the user table // - $r = q("SELECT * FROM `user` + $r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user` WHERE ( `openid` = '%s' OR `openid` = '%s' ) AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 From cbaf196f509cc5b21f04574cbf80ddd3ecf9f8db Mon Sep 17 00:00:00 2001 From: Sandro Santilli Date: Mon, 13 Mar 2017 11:57:10 +0100 Subject: [PATCH 2/4] Only remove the "remember me" cookie at submitting the auth form Fixes loss of remember (Friendica) cookie on switching Managed accounts --- include/auth.php | 4 ++++ include/security.php | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/include/auth.php b/include/auth.php index 62ca3563a4..8512abe486 100644 --- a/include/auth.php +++ b/include/auth.php @@ -179,6 +179,10 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' goaway(z_root()); } + if ( ! $_POST['remember']) { + new_cookie(0); // 0 means delete on browser exit + } + // if we haven't failed up this point, log them in. $_SESSION['remember'] = $_POST['remember']; $_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); diff --git a/include/security.php b/include/security.php index 93df6ff255..23fc400b3a 100644 --- a/include/security.php +++ b/include/security.php @@ -141,9 +141,6 @@ function authenticate_success($user_record, $login_initial = false, $interactive new_cookie(604800, $user_record); unset($_SESSION['remember']); } - else { - new_cookie(0); // 0 means delete on browser exit - } } From 8517ba1fab5257fbd3e5cb99677797b5dd9ed69e Mon Sep 17 00:00:00 2001 From: Sandro Santilli Date: Mon, 13 Mar 2017 23:08:03 +0100 Subject: [PATCH 3/4] Remove extra space after open parentheses --- include/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/auth.php b/include/auth.php index 8512abe486..57e9d9bf61 100644 --- a/include/auth.php +++ b/include/auth.php @@ -179,7 +179,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params' goaway(z_root()); } - if ( ! $_POST['remember']) { + if (! $_POST['remember']) { new_cookie(0); // 0 means delete on browser exit } From 0b46a5f935e7e3a669e68455dce294dc70a94182 Mon Sep 17 00:00:00 2001 From: Sandro Santilli Date: Mon, 13 Mar 2017 23:09:09 +0100 Subject: [PATCH 4/4] Standards: add braces (thanks @Hypolite) --- include/security.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/include/security.php b/include/security.php index 23fc400b3a..afb37a72d8 100644 --- a/include/security.php +++ b/include/security.php @@ -21,15 +21,18 @@ function cookie_hash($user) { */ function new_cookie($time, $user = array()) { - if ($time != 0) + if ($time != 0) { $time = $time + time(); + } - if ($user) + if ($user) { $value = json_encode(array("uid" => $user["uid"], "hash" => cookie_hash($user), "ip" => $_SERVER['REMOTE_ADDR'])); - else + } + else { $value = ""; + } setcookie("Friendica", $value, $time, "/", "", (get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);