strk/friendica
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #3221 from strk/remember-openid

Browse source 
Fix "remember me" cookie for OpenID logins
This commit is contained in:
Michael Vogel 2017-03-14 16:30:15 +01:00 committed by GitHub
parent 3061a37b4f 0b46a5f935
commit a7e8e86800
3 changed files with 59 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
include/auth.php
View file

@ -125,6 +125,7 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
$openid = new LightOpenID; $openid = new LightOpenID;
$openid->identity = $openid_url; $openid->identity = $openid_url;
$_SESSION['openid'] = $openid_url; $_SESSION['openid'] = $openid_url;
$_SESSION['remember'] = $_POST['remember'];
$openid->returnUrl = App::get_baseurl(true).'/openid'; $openid->returnUrl = App::get_baseurl(true).'/openid';
goaway($openid->authUrl()); goaway($openid->authUrl());
} catch (Exception $e) { } catch (Exception $e) {
@ -178,17 +179,12 @@ if (isset($_SESSION) && x($_SESSION,'authenticated') && (!x($_POST,'auth-params'
goaway(z_root()); goaway(z_root());
} }
// If the user specified to remember the authentication, then set a cookie if (! $_POST['remember']) {
// that expires after one week (the default is when the browser is closed).
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ($_POST['remember'])
new_cookie(604800, $r[0]);
else
new_cookie(0); // 0 means delete on browser exit new_cookie(0); // 0 means delete on browser exit
}
// if we haven't failed up this point, log them in. // if we haven't failed up this point, log them in.
$_SESSION['remember'] = $_POST['remember'];
$_SESSION['last_login_date'] = datetime_convert('UTC','UTC'); $_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
authenticate_success($record, true, true); authenticate_success($record, true, true);
} }
@ -203,39 +199,3 @@ function nuke_session() {
session_unset(); session_unset();
session_destroy(); session_destroy();
} }
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
*
* @param array $user Record from "user" table
*
* @return string Hashed data
*/
function cookie_hash($user) {
return(hash("sha256", get_config("system", "site_prvkey").
$user["uprvkey"].
$user["password"]));
}
/**
* @brief Set the "Friendica" cookie
*
* @param int $time
* @param array $user Record from "user" table
*/
function new_cookie($time, $user = array()) {
if ($time != 0)
$time = $time + time();
if ($user)
$value = json_encode(array("uid" => $user["uid"],
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
else
$value = "";
setcookie("Friendica", $value, $time, "/", "",
(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
}

54
include/security.php
View file

@ -1,5 +1,44 @@
<?php <?php
/**
* @brief Calculate the hash that is needed for the "Friendica" cookie
*
* @param array $user Record from "user" table
*
* @return string Hashed data
*/
function cookie_hash($user) {
return(hash("sha256", get_config("system", "site_prvkey").
$user["uprvkey"].
$user["password"]));
}
/**
* @brief Set the "Friendica" cookie
*
* @param int $time
* @param array $user Record from "user" table
*/
function new_cookie($time, $user = array()) {
if ($time != 0) {
$time = $time + time();
}
if ($user) {
$value = json_encode(array("uid" => $user["uid"],
"hash" => cookie_hash($user),
"ip" => $_SERVER['REMOTE_ADDR']));
}
else {
$value = "";
}
setcookie("Friendica", $value, $time, "/", "",
(get_config('system', 'ssl_policy') == SSL_POLICY_FULL), true);
}
function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) { function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) {
$a = get_app(); $a = get_app();
@ -94,6 +133,21 @@ function authenticate_success($user_record, $login_initial = false, $interactive
} }
if ($login_initial) {
// If the user specified to remember the authentication, then set a cookie
// that expires after one week (the default is when the browser is closed).
// The cookie will be renewed automatically.
// The week ensures that sessions will expire after some inactivity.
if ($_SESSION['remember']) {
logger('Injecting cookie for remembered user '. $_SESSION['remember_user']['nickname']);
new_cookie(604800, $user_record);
unset($_SESSION['remember']);
}
}
if ($login_initial) { if ($login_initial) {
call_hooks('logged_in', $a->user); call_hooks('logged_in', $a->user);

2
mod/openid.php
View file

@ -30,7 +30,7 @@ function openid_content(App $a) {
// mod/settings.php in 8367cad so it might have left mixed // mod/settings.php in 8367cad so it might have left mixed
// records in the user table // records in the user table
// //
$r = q("SELECT * FROM `user` $r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user`
WHERE ( `openid` = '%s' OR `openid` = '%s' ) WHERE ( `openid` = '%s' OR `openid` = '%s' )
AND `blocked` = 0 AND `account_expired` = 0 AND `blocked` = 0 AND `account_expired` = 0
AND `account_removed` = 0 AND `verified` = 1 AND `account_removed` = 0 AND `verified` = 1