ONly close session if we opened it in generateAuthHash, only try to validate auth hash if it is set in the session

This commit is contained in:
Isaac Connor 2019-06-21 18:04:39 -04:00
parent 85b9b045cc
commit 38bcdbbffe
1 changed files with 6 additions and 3 deletions

View File

@ -263,7 +263,7 @@ function validateToken ($token, $allowed_token_type='access', $from_api_layer=fa
} // end function validateToken($token, $allowed_token_type='access')
function getAuthUser($auth, $from_api_layer = false) {
if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == 'hashed' && !empty($auth) ) {
if ( ZM_OPT_USE_AUTH && (ZM_AUTH_RELAY == 'hashed') && !empty($auth) ) {
$remoteAddr = '';
if ( ZM_AUTH_HASH_IPS ) {
$remoteAddr = $_SERVER['REMOTE_ADDR'];
@ -336,6 +336,7 @@ function generateAuthHash($useRemoteAddr, $force=false) {
}
$_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
$_SESSION['AuthHashGeneratedAt'] = $time;
if ( $close_session )
session_write_close();
#ZM\Logger::Debug("Generated new auth $auth at " . $_SESSION['AuthHashGeneratedAt']. " using $authKey" );
#} else {
@ -376,6 +377,7 @@ if ( ZM_OPT_USE_AUTH ) {
if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
# Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
# This prevent session modification to switch users
if ( $_SESSION['AuthHash'.$_SESSION['remoteAddr']] )
$user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
} else {
# Need to refresh permissions and validate that the user still exists
@ -396,6 +398,7 @@ if ( ZM_OPT_USE_AUTH ) {
}
} else if ( isset($_REQUEST['username']) and isset($_REQUEST['password']) ) {
userLogin($_REQUEST['username'], $_REQUEST['password'], false);
# Because it might have migrated the password we need to update the hash
generateAuthHash(ZM_AUTH_HASH_IPS, true);
}