dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security - Update session validation and regenerate session id on login

This commit is contained in:
FusionPBX 2024-01-23 23:11:28 -07:00 committed by GitHub
parent cfbfd8ab52
commit 560a51cff7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
core/authentication/resources/classes/authentication.php
View File

@ -169,12 +169,15 @@ class authentication {
// } // }
// $result["authorized"] = $authorized; // $result["authorized"] = $authorized;
//add user logs //add the result to the user logs
user_logs::add($result); user_logs::add($result);
//user is authorized - get user settings, check user cidr //user is authorized - get user settings, check user cidr
if ($authorized) { if ($authorized) {
//regenerate the session on login
session_regenerate_id(true);
//set a session variable to indicate authorized is set to true //set a session variable to indicate authorized is set to true
$_SESSION['authorized'] = true; $_SESSION['authorized'] = true;
@ -229,8 +232,15 @@ class authentication {
$_SESSION["user_uuid"] = $result["user_uuid"]; $_SESSION["user_uuid"] = $result["user_uuid"];
$_SESSION["context"] = $result['domain_name']; $_SESSION["context"] = $result['domain_name'];
//used to validate the session //build the session server array to validate the session
$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']); global $conf;
if (!isset($conf['session.validate'])) { $conf['session.validate'][] = 'HTTP_USER_AGENT'; }
foreach($conf['session.validate'] as $name) {
$server_array[$name] = $_SERVER[$name];
}
//save the user hash to be used in validate the session
$_SESSION["user_hash"] = hash('sha256', implode($server_array));
//user session array //user session array
$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"]; $_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
@ -448,4 +458,4 @@ $response = $auth->validate();
print_r($response); print_r($response);
*/ */
?> ?>

14
resources/check_auth.php
View File

@ -75,8 +75,18 @@
$_SESSION['authorized'] = false; $_SESSION['authorized'] = false;
} }
//validate the session address //session validate: use HTTP_USER_AGENT as a default value
if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) { if (!isset($conf['session.validate'])) {
$conf['session.validate'][] = 'HTTP_USER_AGENT';
}
//session validate: prepare the server array
foreach($conf['session.validate'] as $name) {
$server_array[$name] = $_SERVER[$name];
}
//session validate: check to see if the session is valid
if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
session_destroy(); session_destroy();
header("Location: ".PROJECT_PATH."/logout.php"); header("Location: ".PROJECT_PATH."/logout.php");
} }