mailcow/data/web/inc/sessions.inc.php

<?php
// Start session
if (session_status() !== PHP_SESSION_ACTIVE) {
  ini_set("session.cookie_httponly", 1);
  ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
}

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 
  strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
  if (session_status() !== PHP_SESSION_ACTIVE) {
    ini_set("session.cookie_secure", 1);
  }
  $IS_HTTPS = true;
}
elseif (isset($_SERVER['HTTPS'])) {
  if (session_status() !== PHP_SESSION_ACTIVE) {
    ini_set("session.cookie_secure", 1);
  }
  $IS_HTTPS = true;
}
else {
  $IS_HTTPS = false;
}

if (session_status() !== PHP_SESSION_ACTIVE) {
  session_start();
}

if (!isset($_SESSION['CSRF']['TOKEN'])) {
  $_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
}

// Set session UA
if (!isset($_SESSION['SESS_REMOTE_UA'])) {
  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
}

// Keep session active
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
  session_unset();
  session_destroy();
}
$_SESSION['LAST_ACTIVITY'] = time();

// API
if (!empty($_SERVER['HTTP_X_API_KEY'])) {
  $stmt = $pdo->prepare("SELECT `allow_from` FROM `api` WHERE `api_key` = :api_key AND `active` = '1';");
  $stmt->execute(array(
    ':api_key' => preg_replace('/[^a-zA-Z0-9-]/', '', $_SERVER['HTTP_X_API_KEY'])
  ));
  $api_return = $stmt->fetch(PDO::FETCH_ASSOC);
  if (!empty($api_return['allow_from'])) {
    $remote = get_remote_ip(false);
    $allow_from = array_map('trim', preg_split( "/( |,|;|\n)/", $api_return['allow_from']));
    if (in_array($remote, $allow_from)) {
      $_SESSION['mailcow_cc_username'] = 'API';
      $_SESSION['mailcow_cc_role'] = 'admin';
      $_SESSION['mailcow_cc_api'] = true;
    }
    else {
      $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
      error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
      http_response_code(401);
      echo json_encode(array(
        'type' => 'error',
        'msg' => 'api access denied for ip ' . $_SERVER['REMOTE_ADDR']
      ));
      unset($_POST);
      die();
    }
  }
  else {
    $redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
    error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
    http_response_code(401);
    echo json_encode(array(
      'type' => 'error',
      'msg' => 'authentication failed'
    ));
    unset($_POST);
    die();
  }
}

// Handle logouts
if (isset($_POST["logout"])) {
  if (isset($_SESSION["dual-login"])) {
    $_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
    $_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
    unset($_SESSION["dual-login"]);
    header("Location: /mailbox");
    exit();
  }
  else {
    session_regenerate_id(true);
    session_unset();
    session_destroy();
    session_write_close();
    header("Location: /");
  }
}

// Check session
function session_check() {
  if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
    return true;
  }
  if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
    $_SESSION['return'][] = array(
      'type' => 'warning',
      'msg' => 'session_ua'
    );
    return false;
  }
  if (!empty($_POST)) {
    if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) {
      $_SESSION['return'][] = array(
        'type' => 'warning',
        'msg' => 'session_token'
      );
      return false;
    }
    unset($_POST['csrf_token']);
    $_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
    $_SESSION['CSRF']['TIME'] = time();
  }
  return true;
}

if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
  $_POST = array();
  $_FILES = array();
}
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`<?php`
			`// Start session`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`if (session_status() !== PHP_SESSION_ACTIVE) {`
			`ini_set("session.cookie_httponly", 1);`
			`ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);`
			`}`
[Web] Initial ratelimit support, more API actions 2017-07-16 17:03:28 +08:00
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&`
			`strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`if (session_status() !== PHP_SESSION_ACTIVE) {`
			`ini_set("session.cookie_secure", 1);`
			`}`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`$IS_HTTPS = true;`
			`}`
			`elseif (isset($_SERVER['HTTPS'])) {`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`if (session_status() !== PHP_SESSION_ACTIVE) {`
			`ini_set("session.cookie_secure", 1);`
			`}`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`$IS_HTTPS = true;`
			`}`
			`else {`
			`$IS_HTTPS = false;`
			`}`
[Web] Change session timeout handling [Rspamd] Add missing spamassassin.conf 2019-04-14 19:01:40 +08:00
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`if (session_status() !== PHP_SESSION_ACTIVE) {`
			`session_start();`
			`}`

CSRF protection 2017-05-15 17:37:12 +08:00			`if (!isset($_SESSION['CSRF']['TOKEN'])) {`
			`$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`}`

Remove ip from session check 2017-05-19 01:45:41 +08:00			`// Set session UA`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`if (!isset($_SESSION['SESS_REMOTE_UA'])) {`
			`$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];`
			`}`

[Web] Change session timeout handling [Rspamd] Add missing spamassassin.conf 2019-04-14 19:01:40 +08:00			`// Keep session active`
			`if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {`
			`session_unset();`
			`session_destroy();`
			`}`
			`$_SESSION['LAST_ACTIVITY'] = time();`

Various... 2017-12-09 20:17:15 +08:00			`// API`
			`if (!empty($_SERVER['HTTP_X_API_KEY'])) {`
[Web] Fix require_once to always include document root [Web] Add system mails (send mails to all mailboxes via LMTP) [Web] Allow to add more administrators [Web] Fix domain administrator editing [Web] Remove some foreign keys [Web] Remove username from API [Web] Remove more .php extension from code [Web] More minor fixes 2018-10-11 17:59:23 +08:00			$stmt = $pdo->prepare("SELECT `allow_from` FROM `api` WHERE `api_key` = :api_key AND `active` = '1';");
Various... 2017-12-09 20:17:15 +08:00			`$stmt->execute(array(`
[Web] Fix require_once to always include document root [Web] Add system mails (send mails to all mailboxes via LMTP) [Web] Allow to add more administrators [Web] Fix domain administrator editing [Web] Remove some foreign keys [Web] Remove username from API [Web] Remove more .php extension from code [Web] More minor fixes 2018-10-11 17:59:23 +08:00			`':api_key' => preg_replace('/[^a-zA-Z0-9-]/', '', $_SERVER['HTTP_X_API_KEY'])`
Various... 2017-12-09 20:17:15 +08:00			`));`
			`$api_return = $stmt->fetch(PDO::FETCH_ASSOC);`
[Web] Fix API 2018-10-17 02:09:01 +08:00			`if (!empty($api_return['allow_from'])) {`
[Web] Fix log line handling [Web] Add mailcow UI logs [Web] Changes to _SESSION['return'] logic and logger (more to come) [Web] Show last login [Web, Postfix] Allow to disable sender check completely [Web] Many minor fixes [Web] Update some libs 2018-08-04 02:31:33 +08:00			`$remote = get_remote_ip(false);`
			`$allow_from = array_map('trim', preg_split( "/( \|,\|;\|\n)/", $api_return['allow_from']));`
			`if (in_array($remote, $allow_from)) {`
[Web] Fix require_once to always include document root [Web] Add system mails (send mails to all mailboxes via LMTP) [Web] Allow to add more administrators [Web] Fix domain administrator editing [Web] Remove some foreign keys [Web] Remove username from API [Web] Remove more .php extension from code [Web] More minor fixes 2018-10-11 17:59:23 +08:00			`$_SESSION['mailcow_cc_username'] = 'API';`
Various... 2017-12-09 20:17:15 +08:00			`$_SESSION['mailcow_cc_role'] = 'admin';`
			`$_SESSION['mailcow_cc_api'] = true;`
			`}`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`else {`
			`$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);`
			`error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);`
[Web] Return 401 status code when API authentication fails 2019-10-02 19:05:12 +08:00			`http_response_code(401);`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`echo json_encode(array(`
			`'type' => 'error',`
			`'msg' => 'api access denied for ip ' . $_SERVER['REMOTE_ADDR']`
			`));`
			`unset($_POST);`
			`die();`
			`}`
			`}`
			`else {`
			`$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);`
			`error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);`
[Web] Return 401 status code when API authentication fails 2019-10-02 19:05:12 +08:00			`http_response_code(401);`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`echo json_encode(array(`
			`'type' => 'error',`
			`'msg' => 'authentication failed'`
			`));`
			`unset($_POST);`
			`die();`
Various... 2017-12-09 20:17:15 +08:00			`}`
			`}`
[Web] Fix session timeout 2017-07-27 05:09:50 +08:00
[Web] Allow logout with broken session [Web] Try to set aria hidden to false when a modal opens 2019-03-25 19:33:58 +08:00			`// Handle logouts`
			`if (isset($_POST["logout"])) {`
			`if (isset($_SESSION["dual-login"])) {`
			`$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];`
			`$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];`
			`unset($_SESSION["dual-login"]);`
			`header("Location: /mailbox");`
			`exit();`
			`}`
			`else {`
			`session_regenerate_id(true);`
			`session_unset();`
			`session_destroy();`
			`session_write_close();`
			`header("Location: /");`
			`}`
			`}`

Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`// Check session`
			`function session_check() {`
[Web] Various session fixes 2019-02-05 05:34:03 +08:00			`if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {`
Various... 2017-12-09 20:17:15 +08:00			`return true;`
			`}`
[Web] Fix log line handling [Web] Add mailcow UI logs [Web] Changes to _SESSION['return'] logic and logger (more to come) [Web] Show last login [Web, Postfix] Allow to disable sender check completely [Web] Many minor fixes [Web] Update some libs 2018-08-04 02:31:33 +08:00			`if (!isset($_SESSION['SESS_REMOTE_UA']) \|\| ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {`
[Web] Fixes for BCC map input fields [Web] Allow to edit alias address [Web] $_SESSION['return'] now contains arrays and allows multiple returned messages and log entries [Web] Some language string changes [Web] General SQL exception handler, remove all try catch handlers [Web] Alias table now has an ID as primary key [Web] Be more aggressive with localStorage cleaning 2018-08-14 05:20:40 +08:00			`$_SESSION['return'][] = array(`
[Web] Fix log line handling [Web] Add mailcow UI logs [Web] Changes to _SESSION['return'] logic and logger (more to come) [Web] Show last login [Web, Postfix] Allow to disable sender check completely [Web] Many minor fixes [Web] Update some libs 2018-08-04 02:31:33 +08:00			`'type' => 'warning',`
			`'msg' => 'session_ua'`
			`);`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`return false;`
			`}`
CSRF protection 2017-05-15 17:37:12 +08:00			`if (!empty($_POST)) {`
			`if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) {`
[Web] Fixes for BCC map input fields [Web] Allow to edit alias address [Web] $_SESSION['return'] now contains arrays and allows multiple returned messages and log entries [Web] Some language string changes [Web] General SQL exception handler, remove all try catch handlers [Web] Alias table now has an ID as primary key [Web] Be more aggressive with localStorage cleaning 2018-08-14 05:20:40 +08:00			`$_SESSION['return'][] = array(`
[Web] Fix log line handling [Web] Add mailcow UI logs [Web] Changes to _SESSION['return'] logic and logger (more to come) [Web] Show last login [Web, Postfix] Allow to disable sender check completely [Web] Many minor fixes [Web] Update some libs 2018-08-04 02:31:33 +08:00			`'type' => 'warning',`
			`'msg' => 'session_token'`
			`);`
CSRF protection 2017-05-15 17:37:12 +08:00			`return false;`
			`}`
[Web] Fix log line handling [Web] Add mailcow UI logs [Web] Changes to _SESSION['return'] logic and logger (more to come) [Web] Show last login [Web, Postfix] Allow to disable sender check completely [Web] Many minor fixes [Web] Update some libs 2018-08-04 02:31:33 +08:00			`unset($_POST['csrf_token']);`
CSRF protection 2017-05-15 17:37:12 +08:00			`$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));`
			`$_SESSION['CSRF']['TIME'] = time();`
			`}`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`return true;`
			`}`
CSRF protection 2017-05-15 17:37:12 +08:00
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {`
CSRF protection 2017-05-15 17:37:12 +08:00			`$_POST = array();`
[Web] Customize app menu and logo; Fix #671 2017-10-21 16:07:06 +08:00			`$_FILES = array();`
Add OWASP CSRF Protector, add more secure session handling 2017-05-07 19:38:31 +08:00			`}`