ONly close session if we opened it in generateAuthHash, only try to validate auth hash if it is set in the session
parent
85b9b045cc
commit
38bcdbbffe
@ -263,7 +263,7 @@ function validateToken ($token, $allowed_token_type='access', $from_api_layer=fa
} // end function validateToken($token, $allowed_token_type='access')
} // end function validateToken($token, $allowed_token_type='access')
function getAuthUser($auth, $from_api_layer = false) {
function getAuthUser($auth, $from_api_layer = false) {
if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == 'hashed' && !empty($auth) ) {
if ( ZM_OPT_USE_AUTH && (ZM_AUTH_RELAY == 'hashed') && !empty($auth) ) {
$remoteAddr = '';
$remoteAddr = '';
if ( ZM_AUTH_HASH_IPS ) {
if ( ZM_AUTH_HASH_IPS ) {
$remoteAddr = $_SERVER['REMOTE_ADDR'];
$remoteAddr = $_SERVER['REMOTE_ADDR'];
@ -336,6 +336,7 @@ function generateAuthHash($useRemoteAddr, $force=false) {
}
}
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHashGeneratedAt'] = $time;
$_SESSION['AuthHashGeneratedAt'] = $time;
if ( $close_session )
session_write_close();
session_write_close();
#ZM\Logger::Debug("Generated new auth $auth at " . $_SESSION['AuthHashGeneratedAt']. " using $authKey" );
#ZM\Logger::Debug("Generated new auth $auth at " . $_SESSION['AuthHashGeneratedAt']. " using $authKey" );
#} else {
#} else {
@ -376,6 +377,7 @@ if ( ZM_OPT_USE_AUTH ) {
if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
# Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
# Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
# This prevent session modification to switch users
# This prevent session modification to switch users
if ( $_SESSION['AuthHash'.$_SESSION['remoteAddr']] )
$user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
$user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
} else {
} else {
# Need to refresh permissions and validate that the user still exists
# Need to refresh permissions and validate that the user still exists
@ -396,6 +398,7 @@ if ( ZM_OPT_USE_AUTH ) {
}
}
} else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
} else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
# Because it might have migrated the password we need to update the hash
generateAuthHash(ZM_AUTH_HASH_IPS, true);
generateAuthHash(ZM_AUTH_HASH_IPS, true);
}
}
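Review bot: The new guard `if ( $_SESSION['AuthHash'.$_SESSION['remoteAddr']] )` in the third hunk reads the session key without first checking that it exists, so a session that has no hash yet raises an undefined-index notice instead of quietly skipping the check; `if ( !empty($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )` gives the intended behaviour without the notice. More importantly, when ZM_AUTH_HASH_LOGINS is on and the hash is absent, neither getAuthUser() nor the `# Need to refresh permissions and validate that the user still exists` branch runs, so whatever $user was loaded earlier (outside the hunk, presumably from the session) is kept without being re-validated against the user table; falling through to that refresh path when the hash is missing would preserve the check the comment above the guard describes. The enclosing `if ( ZM_OPT_USE_AUTH )` block starts and ends outside the hunk, as does the definition of $close_session used in the second hunk. In that second hunk the unbraced `if ( $close_session )` before session_write_close() would be less fragile as `if ( $close_session ) { session_write_close(); }`.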