[Web] Various session fixes

master
andryyy 2019-02-04 22:34:03 +01:00
parent 635e694ffa
commit a599536499
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
1 changed files with 35 additions and 6 deletions

View File

@ -1,22 +1,31 @@
<?php <?php
// Start session // Start session
ini_set("session.cookie_httponly", 1); if (session_status() !== PHP_SESSION_ACTIVE) {
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME); ini_set("session.cookie_httponly", 1);
ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
}
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") { strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
if (session_status() !== PHP_SESSION_ACTIVE) {
ini_set("session.cookie_secure", 1); ini_set("session.cookie_secure", 1);
}
$IS_HTTPS = true; $IS_HTTPS = true;
} }
elseif (isset($_SERVER['HTTPS'])) { elseif (isset($_SERVER['HTTPS'])) {
if (session_status() !== PHP_SESSION_ACTIVE) {
ini_set("session.cookie_secure", 1); ini_set("session.cookie_secure", 1);
}
$IS_HTTPS = true; $IS_HTTPS = true;
} }
else { else {
$IS_HTTPS = false; $IS_HTTPS = false;
} }
// session_set_cookie_params($SESSION_LIFETIME, '/', '', $IS_HTTPS, true); // session_set_cookie_params($SESSION_LIFETIME, '/', '', $IS_HTTPS, true);
session_start(); if (session_status() !== PHP_SESSION_ACTIVE) {
session_start();
}
if (!isset($_SESSION['CSRF']['TOKEN'])) { if (!isset($_SESSION['CSRF']['TOKEN'])) {
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32)); $_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
} }
@ -41,6 +50,26 @@ if (!empty($_SERVER['HTTP_X_API_KEY'])) {
$_SESSION['mailcow_cc_role'] = 'admin'; $_SESSION['mailcow_cc_role'] = 'admin';
$_SESSION['mailcow_cc_api'] = true; $_SESSION['mailcow_cc_api'] = true;
} }
else {
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
echo json_encode(array(
'type' => 'error',
'msg' => 'api access denied for ip ' . $_SERVER['REMOTE_ADDR']
));
unset($_POST);
die();
}
}
else {
$redis->publish("F2B_CHANNEL", "mailcow UI: Invalid password for API_USER by " . $_SERVER['REMOTE_ADDR']);
error_log("mailcow UI: Invalid password for " . $user . " by " . $_SERVER['REMOTE_ADDR']);
echo json_encode(array(
'type' => 'error',
'msg' => 'authentication failed'
));
unset($_POST);
die();
} }
} }
// Update session cookie // Update session cookie
@ -48,7 +77,7 @@ if (!empty($_SERVER['HTTP_X_API_KEY'])) {
// Check session // Check session
function session_check() { function session_check() {
if ($_SESSION['mailcow_cc_api'] === true) { if (isset($_SESSION['mailcow_cc_api']) && $_SESSION['mailcow_cc_api'] === true) {
return true; return true;
} }
if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) { if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {