From fab87c2696b9d6a26310f1bfc024b018ca5184fe Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 27 Apr 2018 22:12:22 +0200 Subject: Move LoginManager and SessionManager to the Security namespace Signed-off-by: VirtualTam --- application/security/LoginManager.php | 238 ++++++++++++++++++++++++++++++++ application/security/SessionManager.php | 179 ++++++++++++++++++++++++ 2 files changed, 417 insertions(+) create mode 100644 application/security/LoginManager.php create mode 100644 application/security/SessionManager.php (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php new file mode 100644 index 00000000..e7b9b21e --- /dev/null +++ b/application/security/LoginManager.php @@ -0,0 +1,238 @@ +globals = &$globals; + $this->configManager = $configManager; + $this->sessionManager = $sessionManager; + $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); + $this->readBanFile(); + if ($this->configManager->get('security.open_shaarli')) { + $this->openShaarli = true; + } + } + + /** + * Check user session state and validity (expiration) + * + * @param array $cookie The $_COOKIE array + * @param string $webPath Path on the server in which the cookie will be available on + * @param string $clientIpId Client IP address identifier + * @param string $token Session token + * + * @return bool true if the user session is valid, false otherwise + */ + public function checkLoginState($cookie, $webPath, $clientIpId, $token) + { + if (! $this->configManager->exists('credentials.login')) { + // Shaarli is not configured yet + $this->isLoggedIn = false; + return; + } + + if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) + && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + ) { + $this->sessionManager->storeLoginInfo($clientIpId); + $this->isLoggedIn = true; + } + + if ($this->sessionManager->hasSessionExpired() + || $this->sessionManager->hasClientIpChanged($clientIpId) + ) { + $this->sessionManager->logout($webPath); + $this->isLoggedIn = false; + return; + } + + $this->sessionManager->extendSession(); + } + + /** + * Return whether the user is currently logged in + * + * @return true when the user is logged in, false otherwise + */ + public function isLoggedIn() + { + if ($this->openShaarli) { + return true; + } + return $this->isLoggedIn; + } + + /** + * Check user credentials are valid + * + * @param string $remoteIp Remote client IP address + * @param string $clientIpId Client IP address identifier + * @param string $login Username + * @param string $password Password + * + * @return bool true if the provided credentials are valid, false otherwise + */ + public function checkCredentials($remoteIp, $clientIpId, $login, $password) + { + $hash = sha1($password . $login . $this->configManager->get('credentials.salt')); + + if ($login != $this->configManager->get('credentials.login') + || $hash != $this->configManager->get('credentials.hash') + ) { + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login failed for user ' . $login + ); + return false; + } + + $this->sessionManager->storeLoginInfo($clientIpId); + logm( + $this->configManager->get('resource.log'), + $remoteIp, + 'Login successful' + ); + return true; + } + + /** + * Read a file containing banned IPs + */ + protected function readBanFile() + { + if (! file_exists($this->banFile)) { + return; + } + include $this->banFile; + } + + /** + * Write the banned IPs to a file + */ + protected function writeBanFile() + { + if (! array_key_exists('IPBANS', $this->globals)) { + return; + } + file_put_contents( + $this->banFile, + "globals['IPBANS'], true) . ";\n?>" + ); + } + + /** + * Handle a failed login and ban the IP after too many failed attempts + * + * @param array $server The $_SERVER array + */ + public function handleFailedLogin($server) + { + $ip = $server['REMOTE_ADDR']; + $trusted = $this->configManager->get('security.trusted_proxies', []); + + if (in_array($ip, $trusted)) { + $ip = getIpAddressFromProxy($server, $trusted); + if (! $ip) { + // the IP is behind a trusted forward proxy, but is not forwarded + // in the HTTP headers, so we do nothing + return; + } + } + + // increment the fail count for this IP + if (isset($this->globals['IPBANS']['FAILURES'][$ip])) { + $this->globals['IPBANS']['FAILURES'][$ip]++; + } else { + $this->globals['IPBANS']['FAILURES'][$ip] = 1; + } + + if ($this->globals['IPBANS']['FAILURES'][$ip] >= $this->configManager->get('security.ban_after')) { + $this->globals['IPBANS']['BANS'][$ip] = time() + $this->configManager->get('security.ban_duration', 1800); + logm( + $this->configManager->get('resource.log'), + $server['REMOTE_ADDR'], + 'IP address banned from login' + ); + } + $this->writeBanFile(); + } + + /** + * Handle a successful login + * + * @param array $server The $_SERVER array + */ + public function handleSuccessfulLogin($server) + { + $ip = $server['REMOTE_ADDR']; + // FIXME unban when behind a trusted proxy? + + unset($this->globals['IPBANS']['FAILURES'][$ip]); + unset($this->globals['IPBANS']['BANS'][$ip]); + + $this->writeBanFile(); + } + + /** + * Check if the user can login from this IP + * + * @param array $server The $_SERVER array + * + * @return bool true if the user is allowed to login + */ + public function canLogin($server) + { + $ip = $server['REMOTE_ADDR']; + + if (! isset($this->globals['IPBANS']['BANS'][$ip])) { + // the user is not banned + return true; + } + + if ($this->globals['IPBANS']['BANS'][$ip] > time()) { + // the user is still banned + return false; + } + + // the ban has expired, the user can attempt to log in again + logm($this->configManager->get('resource.log'), $server['REMOTE_ADDR'], 'Ban lifted.'); + unset($this->globals['IPBANS']['FAILURES'][$ip]); + unset($this->globals['IPBANS']['BANS'][$ip]); + + $this->writeBanFile(); + return true; + } +} diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php new file mode 100644 index 00000000..6f004b24 --- /dev/null +++ b/application/security/SessionManager.php @@ -0,0 +1,179 @@ +session = &$session; + $this->conf = $conf; + } + + /** + * Generates a session token + * + * @return string token + */ + public function generateToken() + { + $token = sha1(uniqid('', true) .'_'. mt_rand() . $this->conf->get('credentials.salt')); + $this->session['tokens'][$token] = 1; + return $token; + } + + /** + * Checks the validity of a session token, and destroys it afterwards + * + * @param string $token The token to check + * + * @return bool true if the token is valid, else false + */ + public function checkToken($token) + { + if (! isset($this->session['tokens'][$token])) { + // the token is wrong, or has already been used + return false; + } + + // destroy the token to prevent future use + unset($this->session['tokens'][$token]); + return true; + } + + /** + * Validate session ID to prevent Full Path Disclosure. + * + * See #298. + * The session ID's format depends on the hash algorithm set in PHP settings + * + * @param string $sessionId Session ID + * + * @return true if valid, false otherwise. + * + * @see http://php.net/manual/en/function.hash-algos.php + * @see http://php.net/manual/en/session.configuration.php + */ + public static function checkId($sessionId) + { + if (empty($sessionId)) { + return false; + } + + if (!$sessionId) { + return false; + } + + if (!preg_match('/^[a-zA-Z0-9,-]{2,128}$/', $sessionId)) { + return false; + } + + return true; + } + + /** + * Store user login information after a successful login + * + * @param string $clientIpId Client IP address identifier + */ + public function storeLoginInfo($clientIpId) + { + // Generate unique random number (different than phpsessionid) + $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); + $this->session['ip'] = $clientIpId; + $this->session['username'] = $this->conf->get('credentials.login'); + $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + } + + /** + * Extend session validity + */ + public function extendSession() + { + if (! empty($this->session['longlastingsession'])) { + // "Stay signed in" is enabled + $this->session['expires_on'] = time() + $this->session['longlastingsession']; + return; + } + $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + } + + /** + * Logout a user by unsetting all login information + * + * See: + * - https://secure.php.net/manual/en/function.setcookie.php + * + * @param string $webPath path on the server in which the cookie will be available on + */ + public function logout($webPath) + { + if (isset($this->session)) { + unset($this->session['uid']); + unset($this->session['ip']); + unset($this->session['username']); + unset($this->session['visibility']); + unset($this->session['untaggedonly']); + } + setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); + } + + /** + * Check whether the session has expired + * + * @param string $clientIpId Client IP address identifier + * + * @return bool true if the session has expired, false otherwise + */ + public function hasSessionExpired() + { + if (empty($this->session['uid'])) { + return true; + } + if (time() >= $this->session['expires_on']) { + return true; + } + return false; + } + + /** + * Check whether the client IP address has changed + * + * @param string $clientIpId Client IP address identifier + * + * @return bool true if the IP has changed, false if it has not, or + * if session protection has been disabled + */ + public function hasClientIpChanged($clientIpId) + { + if ($this->conf->get('security.session_protection_disabled') === true) { + return false; + } + if ($this->session['ip'] == $clientIpId) { + return false; + } + return true; + } +} -- cgit v1.2.3 From 51f0128cdba52099c40693379e72f094b42a6f80 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Fri, 27 Apr 2018 23:17:38 +0200 Subject: Refactor session and cookie timeout control Signed-off-by: VirtualTam --- application/security/LoginManager.php | 5 ++-- application/security/SessionManager.php | 48 +++++++++++++++++++++++++-------- 2 files changed, 39 insertions(+), 14 deletions(-) (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index e7b9b21e..27247f3f 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -49,13 +49,12 @@ class LoginManager * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array - * @param string $webPath Path on the server in which the cookie will be available on * @param string $clientIpId Client IP address identifier * @param string $token Session token * * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $webPath, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId, $token) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -73,7 +72,7 @@ class LoginManager if ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { - $this->sessionManager->logout($webPath); + $this->sessionManager->logout(); $this->isLoggedIn = false; return; } diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 6f004b24..0dcd7f90 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -9,7 +9,10 @@ use Shaarli\Config\ConfigManager; class SessionManager { /** @var int Session expiration timeout, in seconds */ - public static $INACTIVITY_TIMEOUT = 3600; + public static $SHORT_TIMEOUT = 3600; // 1 hour + + /** @var int Session expiration timeout, in seconds */ + public static $LONG_TIMEOUT = 31536000; // 1 year /** @var string Name of the cookie set after logging in **/ public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; @@ -20,6 +23,9 @@ class SessionManager /** @var ConfigManager Configuration Manager instance **/ protected $conf = null; + /** @var bool Whether the user should stay signed in (LONG_TIMEOUT) */ + protected $staySignedIn = false; + /** * Constructor * @@ -32,6 +38,16 @@ class SessionManager $this->conf = $conf; } + /** + * Define whether the user should stay signed in across browser sessions + * + * @param bool $staySignedIn Keep the user signed in + */ + public function setStaySignedIn($staySignedIn) + { + $this->staySignedIn = $staySignedIn; + } + /** * Generates a session token * @@ -104,7 +120,7 @@ class SessionManager $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); $this->session['ip'] = $clientIpId; $this->session['username'] = $this->conf->get('credentials.login'); - $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); } /** @@ -112,12 +128,24 @@ class SessionManager */ public function extendSession() { - if (! empty($this->session['longlastingsession'])) { - // "Stay signed in" is enabled - $this->session['expires_on'] = time() + $this->session['longlastingsession']; - return; + if ($this->staySignedIn) { + return $this->extendTimeValidityBy(self::$LONG_TIMEOUT); } - $this->session['expires_on'] = time() + self::$INACTIVITY_TIMEOUT; + return $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); + } + + /** + * Extend expiration time + * + * @param int $duration Expiration time extension (seconds) + * + * @return int New session expiration time + */ + protected function extendTimeValidityBy($duration) + { + $expirationTime = time() + $duration; + $this->session['expires_on'] = $expirationTime; + return $expirationTime; } /** @@ -125,19 +153,17 @@ class SessionManager * * See: * - https://secure.php.net/manual/en/function.setcookie.php - * - * @param string $webPath path on the server in which the cookie will be available on */ - public function logout($webPath) + public function logout() { if (isset($this->session)) { unset($this->session['uid']); unset($this->session['ip']); + unset($this->session['expires_on']); unset($this->session['username']); unset($this->session['visibility']); unset($this->session['untaggedonly']); } - setcookie(self::$LOGGED_IN_COOKIE, 'false', 0, $webPath); } /** -- cgit v1.2.3 From c689e108639a4f6aa9e15928422e14db7cbe30ca Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sun, 6 May 2018 17:06:36 +0200 Subject: Refactor LoginManager stay-signed-in token management Signed-off-by: VirtualTam --- application/security/LoginManager.php | 37 +++++++++++++++++++++++++++++---- application/security/SessionManager.php | 3 --- 2 files changed, 33 insertions(+), 7 deletions(-) (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 27247f3f..41fa9a20 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -8,6 +8,9 @@ use Shaarli\Config\ConfigManager; */ class LoginManager { + /** @var string Name of the cookie set after logging in **/ + public static $STAY_SIGNED_IN_COOKIE = 'shaarli_staySignedIn'; + /** @var array A reference to the $_GLOBALS array */ protected $globals = []; @@ -26,6 +29,9 @@ class LoginManager /** @var bool Whether the Shaarli instance is open to public edition **/ protected $openShaarli = false; + /** @var string User sign-in token depending on remote IP and credentials */ + protected $staySignedInToken = ''; + /** * Constructor * @@ -45,16 +51,39 @@ class LoginManager } } + /** + * Generate a token depending on deployment salt, user password and client IP + * + * @param string $clientIpAddress The remote client IP address + */ + public function generateStaySignedInToken($clientIpAddress) + { + $this->staySignedInToken = sha1( + $this->configManager->get('credentials.hash') + . $clientIpAddress + . $this->configManager->get('credentials.salt') + ); + } + + /** + * Return the user's client stay-signed-in token + * + * @return string User's client stay-signed-in token + */ + public function getStaySignedInToken() + { + return $this->staySignedInToken; + } + /** * Check user session state and validity (expiration) * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * @param string $token Session token * * @return bool true if the user session is valid, false otherwise */ - public function checkLoginState($cookie, $clientIpId, $token) + public function checkLoginState($cookie, $clientIpId) { if (! $this->configManager->exists('credentials.login')) { // Shaarli is not configured yet @@ -62,8 +91,8 @@ class LoginManager return; } - if (isset($cookie[SessionManager::$LOGGED_IN_COOKIE]) - && $cookie[SessionManager::$LOGGED_IN_COOKIE] === $token + if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) + && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { $this->sessionManager->storeLoginInfo($clientIpId); $this->isLoggedIn = true; diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 0dcd7f90..58973130 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -14,9 +14,6 @@ class SessionManager /** @var int Session expiration timeout, in seconds */ public static $LONG_TIMEOUT = 31536000; // 1 year - /** @var string Name of the cookie set after logging in **/ - public static $LOGGED_IN_COOKIE = 'shaarli_staySignedIn'; - /** @var array Local reference to the global $_SESSION array */ protected $session = []; -- cgit v1.2.3 From ebf615173824a46de82fa97a165bcfd883db15ce Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Thu, 10 May 2018 13:07:51 +0200 Subject: SessionManager: remove unused UID token MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There already are dedicated tokens for: - CSRF protection - user stay-signed-in feature, via cookie This token was most likely intended as a randomly generated, server-side, secret key to be used when generating hashes. See http://sebsauvage.net/wiki/doku.php?id=php:session [FR] Relevant section: Une clé secrète unique aléatoire est générée côté serveur (et jamais envoyée). Elle peut servir pour signer les formulaires (HMAC) ou générer des token de formulaires (protection contre XSRF). Voir $_SESSION['uid']. Translation: A unique, server-side secret key is randomly generated (and never transmitted). It can be used to sign forms (HMAC) or generate form tokens (protection against XSRF). See $_SESSION['uid'] Signed-off-by: VirtualTam --- application/security/SessionManager.php | 6 ------ 1 file changed, 6 deletions(-) (limited to 'application/security') diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 58973130..24e25528 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -113,8 +113,6 @@ class SessionManager */ public function storeLoginInfo($clientIpId) { - // Generate unique random number (different than phpsessionid) - $this->session['uid'] = sha1(uniqid('', true) . '_' . mt_rand()); $this->session['ip'] = $clientIpId; $this->session['username'] = $this->conf->get('credentials.login'); $this->extendTimeValidityBy(self::$SHORT_TIMEOUT); @@ -154,7 +152,6 @@ class SessionManager public function logout() { if (isset($this->session)) { - unset($this->session['uid']); unset($this->session['ip']); unset($this->session['expires_on']); unset($this->session['username']); @@ -172,9 +169,6 @@ class SessionManager */ public function hasSessionExpired() { - if (empty($this->session['uid'])) { - return true; - } if (time() >= $this->session['expires_on']) { return true; } -- cgit v1.2.3 From 704637bfebc73ada4b800b35c457e9fe56ad3567 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sun, 6 May 2018 17:12:48 +0200 Subject: Add test coverage for LoginManager methods Signed-off-by: VirtualTam --- application/security/LoginManager.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 41fa9a20..4946850b 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -46,7 +46,7 @@ class LoginManager $this->sessionManager = $sessionManager; $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php'); $this->readBanFile(); - if ($this->configManager->get('security.open_shaarli')) { + if ($this->configManager->get('security.open_shaarli') === true) { $this->openShaarli = true; } } @@ -80,8 +80,6 @@ class LoginManager * * @param array $cookie The $_COOKIE array * @param string $clientIpId Client IP address identifier - * - * @return bool true if the user session is valid, false otherwise */ public function checkLoginState($cookie, $clientIpId) { @@ -94,11 +92,12 @@ class LoginManager if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE]) && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken ) { + // The user client has a valid stay-signed-in cookie + // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); $this->isLoggedIn = true; - } - if ($this->sessionManager->hasSessionExpired() + } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) ) { $this->sessionManager->logout(); -- cgit v1.2.3 From 8edd7f15886620b07064aa889aea05c5acbc0e58 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Wed, 30 May 2018 02:09:09 +0200 Subject: SessionManager+LoginManager: fix checkLoginState logic Signed-off-by: VirtualTam --- application/security/LoginManager.php | 2 +- application/security/SessionManager.php | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'application/security') diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 4946850b..d6784d6d 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php @@ -95,7 +95,6 @@ class LoginManager // The user client has a valid stay-signed-in cookie // Session information is updated with the current client information $this->sessionManager->storeLoginInfo($clientIpId); - $this->isLoggedIn = true; } elseif ($this->sessionManager->hasSessionExpired() || $this->sessionManager->hasClientIpChanged($clientIpId) @@ -105,6 +104,7 @@ class LoginManager return; } + $this->isLoggedIn = true; $this->sessionManager->extendSession(); } diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 24e25528..b8b8ab8d 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php @@ -169,6 +169,9 @@ class SessionManager */ public function hasSessionExpired() { + if (empty($this->session['expires_on'])) { + return true; + } if (time() >= $this->session['expires_on']) { return true; } @@ -188,7 +191,7 @@ class SessionManager if ($this->conf->get('security.session_protection_disabled') === true) { return false; } - if ($this->session['ip'] == $clientIpId) { + if (isset($this->session['ip']) && $this->session['ip'] === $clientIpId) { return false; } return true; -- cgit v1.2.3