From 16bee2ef55aceea2497ae110f9ce70a7bf02991f Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Sun, 2 Oct 2016 14:13:54 -0400
Subject: [PATCH] only generate auth hash if we are logged in

---
 web/includes/actions.php | 2 +-
 web/includes/functions.php | 29 +++++++++++++++++------------
 2 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/web/includes/actions.php b/web/includes/actions.php
index 1c3f2b727..710221e45 100644
--- a/web/includes/actions.php
+++ b/web/includes/actions.php
@@ -60,7 +60,7 @@ if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS ) {
 if ( $authUser = getAuthUser( $_REQUEST['auth'] ) ) {
 userLogin( $authUser['Username'], $authUser['Password'], true );
 }
- } else {
+ } else if ( ! empty($user) ) {
 // generate it once here, while session is open. Value will be cached in session and return when called later on
 generateAuthHash( ZM_AUTH_HASH_IPS );
 }
diff --git a/web/includes/functions.php b/web/includes/functions.php
index 8890cbf73..471224905 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -144,21 +144,26 @@ function generateAuthHash( $useRemoteAddr ) {
 if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == 'hashed' ) {
 # regenerate a hash at half the liftetime of a hash, an hour is 3600 so half is 1800
 if ( ( $_SESSION['AuthHashGeneratedAt'] < time() - ( ZM_AUTH_HASH_TTL * 1800 ) ) or ! isset($_SESSION['AuthHash']) ) {
- $time = localtime();
- if ( $useRemoteAddr ) {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
+ if ( ! ( $_SESSION['username'] and $_SESSION['passwordHash'] ) ) {
+ Warning("Can't generate auth hash until we are logged in");
 } else {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
+ $time = localtime();
+ if ( $useRemoteAddr ) {
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
+ } else {
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
+ }
+ $auth = md5( $authKey );
+ if ( session_status() == PHP_SESSION_NONE ) {
+ Warning("Session is not active. AuthHash will not be cached.");
+ }
+ $_SESSION['AuthHash'] = $auth;
+ $_SESSION['AuthHashGeneratedAt'] = time();
+ Debug("Generating new auth $auth at " . $_SESSION['AuthHashGeneratedAt']. " using $authKey" );
 }
- $auth = md5( $authKey );
- if ( session_status() == PHP_SESSION_NONE ) {
- Warning("Session is not active. AuthHash will not be cached.");
- }
- $_SESSION['AuthHash'] = $auth;
- $_SESSION['AuthHashGeneratedAt'] = time();
-Warning("Generating new auth $auth");
+ } else {
+ Debug("Using auth " . $_SESSION['AuthHash'] );
 } # end if AuthHash is not cached
-Warning("Using auth " . $_SESSION['AuthHash'] );
 return $_SESSION['AuthHash'];
 } else {
 $auth = "";
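Review bot: The new `Debug("Generating new auth $auth at " ... " using $authKey" )` line writes the complete hash pre-image — `ZM_AUTH_HASH_SECRET`, the session's `passwordHash` and, when `$useRemoteAddr` is set, the client address — into the log, so anyone who can read the debug log can forge auth hashes for that user until the secret is rotated; drop the key from the message: `Debug("Generating new auth $auth at " . $_SESSION['AuthHashGeneratedAt']);`. The new not-logged-in branch only emits a Warning and then falls through to `return $_SESSION['AuthHash'];`, so an unauthenticated request either trips an undefined-index notice or is handed whatever stale hash a previous login left in the session; add `return '';` directly after that Warning (the outer `else` at the bottom of the hunk sets `$auth = ""` for what looks like the same purpose, though its return is outside the hunk). The `md5( $authKey )` construction is moved rather than introduced here; an `hash_hmac('sha256', ...)` keyed with the secret would be the usual replacement, but that is a separate change. generateAuthHash's outer `else` branch continues past the end of the hunk.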