open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #31 from visit1985/persistentcookies

Browse Source 
reresubmit: improved persistent cookies :)
remotes/origin/stable5
Lukas Reschke 12 years ago
parent b08a1696f5 8be9c04a3a
commit 59404b5675
3 changed files with 70 additions and 14 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      config/config.sample.php
  2. 70
      lib/base.php
  3. 9
      lib/user.php

3
config/config.sample.php
Unescape View File

@ -92,6 +92,9 @@ $CONFIG = array(
/* Loglevel to start logging at. 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR (default is WARN) */
"loglevel" => "",
/* Lifetime of the remember login cookie, default is 15 days */
"remember_login_cookie_lifetime" => 60*60*24*15,
/* The directory where the user data is stored, default to data in the owncloud
* directory. The sqlite database is also stored here, when sqlite is used.
*/

70
lib/base.php
Unescape View File

@ -264,8 +264,30 @@ class OC{
}
public static function initSession() {
// prevents javascript from accessing php session cookies
ini_set('session.cookie_httponly', '1;');
// (re)-initialize session
session_start();
// regenerate session id periodically to avoid session fixation
if (!isset($_SESSION['SID_CREATED'])) {
$_SESSION['SID_CREATED'] = time();
} else if (time() - $_SESSION['SID_CREATED'] > 900) {
session_regenerate_id(true);
$_SESSION['SID_CREATED'] = time();
}
// session timeout
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 3600)) {
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time() - 42000, '/');
}
session_unset();
session_destroy();
session_start();
}
$_SESSION['LAST_ACTIVITY'] = time();
}
public static function init() {
@ -453,6 +475,7 @@ class OC{
OC_App::loadApps();
OC_User::setupBackends();
if(isset($_GET["logout"]) and ($_GET["logout"])) {
OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']);
OC_User::logout();
header("Location: ".OC::$WEBROOT.'/');
}else{
@ -514,6 +537,17 @@ class OC{
OC_Util::displayLoginPage(array_unique($error));
}
protected static function cleanupLoginTokens($user) {
$cutoff = time() - OC_Config::getValue('remember_login_cookie_lifetime', 60*60*24*15);
$tokens = OC_Preferences::getKeys($user, 'login_token');
foreach($tokens as $token) {
$time = OC_Preferences::getValue($user, 'login_token', $token);
if ($time < $cutoff) {
OC_Preferences::deleteKey($user, 'login_token', $token);
}
}
}
protected static function tryRememberLogin() {
if(!isset($_COOKIE["oc_remember_login"])
|| !isset($_COOKIE["oc_token"])
@ -527,15 +561,30 @@ class OC{
OC_Log::write('core', 'Trying to login from cookie', OC_Log::DEBUG);
}
// confirm credentials in cookie
if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username']) &&
OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") === $_COOKIE['oc_token'])
{
OC_User::setUserId($_COOKIE['oc_username']);
OC_Util::redirectToDefaultPage();
}
else {
OC_User::unsetMagicInCookie();
if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username'])) {
// delete outdated cookies
self::cleanupLoginTokens($_COOKIE['oc_username']);
// get stored tokens
$tokens = OC_Preferences::getKeys($_COOKIE['oc_username'], 'login_token');
// test cookies token against stored tokens
if (in_array($_COOKIE['oc_token'], $tokens, true)) {
// replace successfully used token with a new one
OC_Preferences::deleteKey($_COOKIE['oc_username'], 'login_token', $_COOKIE['oc_token']);
$token = OC_Util::generate_random_bytes(32);
OC_Preferences::setValue($_COOKIE['oc_username'], 'login_token', $token, time());
OC_User::setMagicInCookie($_COOKIE['oc_username'], $token);
// login
OC_User::setUserId($_COOKIE['oc_username']);
OC_Util::redirectToDefaultPage();
// doesn't return
}
// if you reach this point you have changed your password
// or you are an attacker
// we can not delete tokens here because users may reach
// this point multiple times after a password change
OC_Log::write('core', 'Authentication cookie rejected for user '.$_COOKIE['oc_username'], OC_Log::WARN);
}
OC_User::unsetMagicInCookie();
return true;
}
@ -550,12 +599,13 @@ class OC{
OC_User::setupBackends();
if(OC_User::login($_POST["user"], $_POST["password"])) {
self::cleanupLoginTokens($_POST['user']);
if(!empty($_POST["remember_login"])) {
if(defined("DEBUG") && DEBUG) {
OC_Log::write('core', 'Setting remember login to cookie', OC_Log::DEBUG);
}
$token = md5($_POST["user"].time().$_POST['password']);
OC_Preferences::setValue($_POST['user'], 'login', 'token', $token);
$token = OC_Util::generate_random_bytes(32);
OC_Preferences::setValue($_POST['user'], 'login_token', $token, time());
OC_User::setMagicInCookie($_POST["user"], $token);
}
else {

9
lib/user.php
Unescape View File

@ -329,6 +329,8 @@ class OC_User {
}
}
}
// invalidate all login cookies
OC_Preferences::deleteApp($uid, 'login_token');
OC_Hook::emit( "OC_User", "post_setPassword", array( "uid" => $uid, "password" => $password ));
return $success;
}
@ -472,9 +474,10 @@ class OC_User {
*/
public static function setMagicInCookie($username, $token) {
$secure_cookie = OC_Config::getValue("forcessl", false);
setcookie("oc_username", $username, time()+60*60*24*15, '', '', $secure_cookie);
setcookie("oc_token", $token, time()+60*60*24*15, '', '', $secure_cookie);
setcookie("oc_remember_login", true, time()+60*60*24*15, '', '', $secure_cookie);
$expires = time() + OC_Config::getValue('remember_login_cookie_lifetime', 60*60*24*15);
setcookie("oc_username", $username, $expires, '', '', $secure_cookie);
setcookie("oc_token", $token, $expires, '', '', $secure_cookie);
setcookie("oc_remember_login", true, $expires, '', '', $secure_cookie);
}
/**

Write Preview
Loading…
Cancel
Save