dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security - Update session validation and regenerate session id on login

This commit is contained in:
FusionPBX 2024-01-23 23:11:28 -07:00 committed by GitHub
parent cfbfd8ab52
commit 560a51cff7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
core/authentication/resources/classes/authentication.php
View File

@ -169,12 +169,15 @@ class authentication {
// }
// $result["authorized"] = $authorized;
//add user logs
//add the result to the user logs
user_logs::add($result);
//user is authorized - get user settings, check user cidr
if ($authorized) {
//regenerate the session on login
session_regenerate_id(true);
//set a session variable to indicate authorized is set to true
$_SESSION['authorized'] = true;
@ -229,8 +232,15 @@ class authentication {
$_SESSION["user_uuid"] = $result["user_uuid"];
$_SESSION["context"] = $result['domain_name'];
//used to validate the session
$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
//build the session server array to validate the session
global $conf;
if (!isset($conf['session.validate'])) { $conf['session.validate'][] = 'HTTP_USER_AGENT'; }
foreach($conf['session.validate'] as $name) {
$server_array[$name] = $_SERVER[$name];
}
//save the user hash to be used in validate the session
$_SESSION["user_hash"] = hash('sha256', implode($server_array));
//user session array
$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];

14
resources/check_auth.php
View File

@ -75,8 +75,18 @@
$_SESSION['authorized'] = false;
}
//validate the session address
if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) {
//session validate: use HTTP_USER_AGENT as a default value
if (!isset($conf['session.validate'])) {
$conf['session.validate'][] = 'HTTP_USER_AGENT';
}
//session validate: prepare the server array
foreach($conf['session.validate'] as $name) {
$server_array[$name] = $_SERVER[$name];
}
//session validate: check to see if the session is valid
if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
session_destroy();
header("Location: ".PROJECT_PATH."/logout.php");
}