From 1e56e750cf689e3b158deb71652fb8aa02653ab5 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 11:04:38 -0500
Subject: [PATCH 1/5] Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini
---
 scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
index fa7b86079..5378a25d0 100644
--- a/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
+++ b/scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in
@@ -3941,6 +3941,13 @@ our @options = (
 type => $types{string},
 category => 'mail',
 },
+ {
+ name => 'ZM_COOKIE_LIFETIME',
+ default => '3600',
+ description => q`The maximum life of a COOKIE used when setting up PHP's session handler. This will affect how long a session will be valid for since the last request. Keeping this short helps prevent session hijacking. Keeping it long allows you to stay logged in longer without refreshing the view.`,
+ type => $types{integer},
+ category => 'system',
+ }
 );
 
 our %options_hash = map { ( $_->{name}, $_ ) } @options;
From 85bb70df6831a9f00027da05b65e73c498b012c4 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 11:05:19 -0500
Subject: [PATCH 2/5] Use zm specific session functions, which are now located in includes/session.php. Be more agressive about clearing session on logout.
---
 web/includes/auth.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/web/includes/auth.php b/web/includes/auth.php
index c74c13b80..edc9ecdc7 100644
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
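Review bot: The description promises more than a cookie lifetime can deliver: it says the value decides how long a session stays valid since the last request, but the lifetime only tells the browser when to discard the cookie, its countdown starts when the cookie is issued rather than at each request unless the PHP side re-sends it (the session setup in web/includes/session.php is not visible in this series), and the server-side session data stays usable until session.gc_maxlifetime garbage-collects it, so a captured session id outlives the cookie. Suggest rewording to `description => q`Lifetime in seconds of the PHP session cookie. After this long the browser discards the cookie; to bound the server-side session as well, set session.gc_maxlifetime in php.ini to a matching value. Shorter values limit how long a stolen session id stays usable.`,` so operators do not read it as an idle timeout. The surrounding @options list starts and ends outside this hunk.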
@@ -93,7 +93,7 @@ function userLogin($username='', $password='', $passwordHashed=false) {
 if ( ZM_AUTH_TYPE == 'builtin' ) {
 $_SESSION['passwordHash'] = $user['Password'];
 }
- session_regenerate_id();
+ zm_session_regenerate_id();
 } else {
 Warning("Login denied for user \"$username\"");
 $_SESSION['loginFailed'] = true;
@@ -107,9 +107,15 @@ function userLogin($username='', $password='', $passwordHashed=false) {
 function userLogout() {
 global $user;
 Info('User "'.$user['Username'].'" logged out');
- session_start();
- unset($_SESSION['user']);
 unset($user);
+ session_start();
+ $_SESSION = array();
+ if ( ini_get('session.use_cookies') ) {
+ $p = session_get_cookie_params();
+ # Update the cookie to expire in the past.
+ setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
+ }
+ session_unset();
 session_destroy();
 }
 
From 4e9ce3c5b70b26c9e056e9e7aa0276d85211c9c5 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 11:05:36 -0500
Subject: [PATCH 3/5] Move session code to includes/session.php
---
 web/index.php | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/web/index.php b/web/index.php
index 5190fad65..736ee4af5 100644
--- a/web/index.php
+++ b/web/index.php
@@ -44,6 +44,7 @@ if ( false ) {
 }
 
 require_once('includes/config.php');
+require_once('includes/session.php');
 require_once('includes/logger.php');
 require_once('includes/Server.php');
 require_once('includes/Storage.php');
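Review bot: The replaced call was `session_regenerate_id()` with no argument, which leaves the previous session's data on the server, and the new `zm_session_regenerate_id()` wrapper lives in web/includes/session.php whose body is not visible in this series, so it cannot be confirmed here that the pre-login id is invalidated. Since this call is exactly the point where a session id issued before authentication must stop being accepted, the wrapper should call `session_regenerate_id(true);` so the old session record is deleted rather than left reusable. userLogin()'s body starts before this hunk.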
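Review bot: The added `session_start()` in userLogout() runs unconditionally, so if a session is already active for the request (index.php starts one before auth.php's code runs, unless it is closed again with session_write_close() somewhere not shown) PHP emits a notice and returns false instead of reopening it. The file already has `is_session_started()` (further down auth.php at this point in the series), so the safer form is `if ( !is_session_started() ) session_start();`. The same unguarded call is carried verbatim into `zm_session_clear()` in the web/includes/session.php hunk of patch 5/5, where the helper sits in the same file. Also, `session_unset()` right after `$_SESSION = array();` is redundant; one of the two suffices.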
@@ -114,19 +115,7 @@ if ( !file_exists(ZM_SKIN_PATH) )
 Fatal("Invalid skin '$skin'");
 $skinBase[] = $skin;
 
-$currentCookieParams = session_get_cookie_params();
-//Logger::Debug('Setting cookie parameters to lifetime('.$currentCookieParams['lifetime'].') path('.$currentCookieParams['path'].') domain ('.$currentCookieParams['domain'].') secure('.$currentCookieParams['secure'].') httpOnly(1)');
-session_set_cookie_params(
- $currentCookieParams['lifetime'],
- $currentCookieParams['path'],
- $currentCookieParams['domain'],
- $currentCookieParams['secure'],
- true
-);
-
-ini_set('session.name', 'ZMSESSID');
-
-session_start();
+zm_session_start();
 
 if ( !isset($_SESSION['skin']) || isset($_REQUEST['skin']) || !isset($_COOKIE['zmSkin']) || $_COOKIE['zmSkin'] != $skin ) {
 $_SESSION['skin'] = $skin;
From 0eba430932512abe485fcd65be4bdbd5333ed21f Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 11:05:43 -0500
Subject: [PATCH 4/5] remove duplicate line
---
 web/includes/session.php | 52 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 web/includes/session.php
diff --git a/web/includes/session.php b/web/includes/session.php
new file mode 100644
index 000000000..e5aaa50ac
--- /dev/null
+++ b/web/includes/session.php
@@ -0,0 +1,52 @@
+
From cc0b5e0f1f0bc9c14a4a0f911e4c24c0073c0fdb Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 30 Jan 2019 12:52:01 -0500
Subject: [PATCH 5/5] Move is_session_open to session.php. Move code to clear a session into session.php
---
 web/includes/auth.php | 22 +--------------------
 web/includes/session.php | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/web/includes/auth.php b/web/includes/auth.php
index edc9ecdc7..e365ecef3 100644
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
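Review bot: The removed block was the only place in this view that forced `httponly` to true on the session cookie and pinned the session name to `ZMSESSID`, and its replacement `zm_session_start()` comes from web/includes/session.php, whose new-file hunk in patch 4/5 shows only a bare `+` here (the content did not survive extraction), so it cannot be confirmed that either setting survives the move. Please check that the helper still sets the HttpOnly flag and, now that ZM_COOKIE_LIFETIME is applied there, that it keeps passing the `secure` flag through (the removed code forwarded `$currentCookieParams['secure']`) so an HTTPS-only deployment does not lose it. This hunk is top-level script code in index.php, not inside a function.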
@@ -108,15 +108,7 @@ function userLogout() {
 global $user;
 Info('User "'.$user['Username'].'" logged out');
 unset($user);
- session_start();
- $_SESSION = array();
- if ( ini_get('session.use_cookies') ) {
- $p = session_get_cookie_params();
- # Update the cookie to expire in the past.
- setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
- }
- session_unset();
- session_destroy();
+ zm_session_clear();
 }
 
 function getAuthUser($auth) {
@@ -211,18 +203,6 @@ function canEdit($area, $mid=false) {
 return ( $user[$area] == 'Edit' && ( !$mid || visibleMonitor($mid) ));
 }
 
-function is_session_started() {
- if ( php_sapi_name() !== 'cli' ) {
- if ( version_compare(phpversion(), '5.4.0', '>=') ) {
- return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
- } else {
- return session_id() === '' ? FALSE : TRUE;
- }
- } else {
- Warning("php_sapi_name === 'cli'");
- }
- return FALSE;
-}
 
 if ( ZM_OPT_USE_AUTH ) {
 if ( ZM_AUTH_HASH_LOGINS && empty($user) && ! empty($_REQUEST['auth']) ) {
diff --git a/web/includes/session.php b/web/includes/session.php
index e5aaa50ac..ae102424c 100644
--- a/web/includes/session.php
+++ b/web/includes/session.php
@@ -49,4 +49,28 @@ function zm_session_regenerate_id() {
 session_start();
 }
 
+function is_session_started() {
+ if ( php_sapi_name() !== 'cli' ) {
+ if ( version_compare(phpversion(), '5.4.0', '>=') ) {
+ return session_status() === PHP_SESSION_ACTIVE ? TRUE : FALSE;
+ } else {
+ return session_id() === '' ? FALSE : TRUE;
+ }
+ } else {
+ Warning("php_sapi_name === 'cli'");
+ }
+ return FALSE;
+}
+
+function zm_session_clear() {
+ session_start();
+ $_SESSION = array();
+ if ( ini_get('session.use_cookies') ) {
+ $p = session_get_cookie_params();
+ # Update the cookie to expire in the past.
+ setcookie(session_name(), '', time() - 31536000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
+ }
+ session_unset();
+ session_destroy();
+}
 ?>
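Review bot: In the new `is_session_started()` in the session.php hunk the two ternaries only restate what the comparison already yields, so `return session_status() === PHP_SESSION_ACTIVE;` and `return session_id() !== '';` read the same and drop the uppercase `TRUE`/`FALSE`; a short docblock on each new function, saying that `is_session_started()` answers false (after a Warning) under the CLI SAPI and that `zm_session_clear()` empties and destroys the session and expires its cookie, would also help now that both are shared helpers. The file keeps its closing `?>` after the new code; because `zm_session_clear()` depends on `setcookie()` succeeding and session.php is included before the session is started, any trailing whitespace beyond the single newline PHP swallows after that tag would be sent as output and make the cookie headers fail, so dropping the closing tag is the safer convention for a PHP-only include. The auth.php hunks in this patch are the matching removal and a call-site change and raise nothing on their own.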