From df6304cc423db5efceedfa4a523425e011f65d96 Mon Sep 17 00:00:00 2001
From: Sandro Santilli <strk@kbt.io>
Date: Sun, 12 Mar 2017 01:11:35 +0100
Subject: [PATCH] Fix "remember me" cookie for OpenID logins

Closes #2432

NOTE: in order to obtain the same "cookie hash" it was required
to include unneeded fields in the user record structure, this would
be good to change in the future...
---
 include/auth.php     | 48 ++-------------------------------------
 include/security.php | 54 ++++++++++++++++++++++++++++++++++++++++++++
 mod/openid.php       |  2 +-
 3 files changed, 57 insertions(+), 47 deletions(-)

diff --git a/include/auth.php b/include/auth.php
index e3c8d92eeb..62ca3563a4 100644
--- a/include/auth.php
+++ b/include/auth.php
@@ -125,6 +125,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
 				$openid = new LightOpenID;
 				$openid->identity = $openid_url;
 				$_SESSION['openid'] = $openid_url;
+				$_SESSION['remember'] = $_POST['remember'];
 				$openid->returnUrl = App::get_baseurl(true).'/openid';
 				goaway($openid->authUrl());
 			} catch (Exception $e) {
@@ -178,17 +179,8 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
 			goaway(z_root());
 		}
 
-		// If the user specified to remember the authentication, then set a cookie
-		// that expires after one week (the default is when the browser is closed).
-		// The cookie will be renewed automatically.
-		// The week ensures that sessions will expire after some inactivity.
-		if ($_POST['remember'])
-			new_cookie(604800, $r[0]);
-		else
-			new_cookie(0); // 0 means delete on browser exit
-
 		// if we haven't failed up this point, log them in.
-
+		$_SESSION['remember'] = $_POST['remember'];
 		$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
 		authenticate_success($record, true, true);
 	}
@@ -203,39 +195,3 @@ function nuke_session() {
 	session_unset();
 	session_destroy();
 }
-
-/**
- * @brief Calculate the hash that is needed for the "Friendica" cookie
- *
- * @param array $user Record from "user" table
- *
- * @return string Hashed data
- */
-function cookie_hash($user) {
-	return(hash("sha256", get_config("system", "site_prvkey").
-				$user["uprvkey"].
-				$user["password"]));
-}
-
-/**
- * @brief Set the "Friendica" cookie
- *
- * @param int $time
- * @param array $user Record from "user" table
- */
-function new_cookie($time, $user = array()) {
-
-	if ($time != 0)
-		$time = $time + time();
-
-	if ($user)
-		$value = json_encode(array("uid" => $user["uid"],
-					"hash" => cookie_hash($user),
-					"ip" => $_SERVER['REMOTE_ADDR']));
-	else
-		$value = "";
-
-	setcookie("Friendica", $value, $time, "/", "",
-		(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
-
-}
diff --git a/include/security.php b/include/security.php
index c379518562..93df6ff255 100644
--- a/include/security.php
+++ b/include/security.php
@@ -1,5 +1,41 @@
 <?php
 
+/**
+ * @brief Calculate the hash that is needed for the "Friendica" cookie
+ *
+ * @param array $user Record from "user" table
+ *
+ * @return string Hashed data
+ */
+function cookie_hash($user) {
+	return(hash("sha256", get_config("system", "site_prvkey").
+				$user["uprvkey"].
+				$user["password"]));
+}
+
+/**
+ * @brief Set the "Friendica" cookie
+ *
+ * @param int $time
+ * @param array $user Record from "user" table
+ */
+function new_cookie($time, $user = array()) {
+
+	if ($time != 0)
+		$time = $time + time();
+
+	if ($user)
+		$value = json_encode(array("uid" => $user["uid"],
+					"hash" => cookie_hash($user),
+					"ip" => $_SERVER['REMOTE_ADDR']));
+	else
+		$value = "";
+
+	setcookie("Friendica", $value, $time, "/", "",
+		(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
+
+}
+
 function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) {
 
 	$a = get_app();
@@ -94,6 +130,24 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 
 
 	}
+
+	if ($login_initial) {
+		// If the user specified to remember the authentication, then set a cookie
+		// that expires after one week (the default is when the browser is closed).
+		// The cookie will be renewed automatically.
+		// The week ensures that sessions will expire after some inactivity.
+		if ($_SESSION['remember']) {
+			logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']);
+			new_cookie(604800, $user_record);
+			unset($_SESSION['remember']);
+		}
+		else {
+			new_cookie(0); // 0 means delete on browser exit
+		}
+	}
+
+
+
 	if ($login_initial) {
 		call_hooks('logged_in', $a->user);
 
diff --git a/mod/openid.php b/mod/openid.php
index 59a7530140..b45cd97975 100644
--- a/mod/openid.php
+++ b/mod/openid.php
@@ -30,7 +30,7 @@ function openid_content(App $a) {
 			//       mod/settings.php in 8367cad so it might have left mixed
 			//       records in the user table
 			//
-			$r = q("SELECT * FROM `user`
+			$r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user`
 				WHERE ( `openid` = '%s' OR `openid` = '%s' )
 				AND `blocked` = 0 AND `account_expired` = 0
 				AND `account_removed` = 0 AND `verified` = 1