From f4418260e7d797028251485d85d1a490ca54dd60 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Mon, 3 Oct 2016 21:18:13 -0400
Subject: [PATCH 1/2] Should only generate an auth hash if we are logged in.

---
 web/includes/actions.php | 14 +++++++++-----
 web/includes/functions.php | 28 ++++++++++++++++------------
 2 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/web/includes/actions.php b/web/includes/actions.php
index 7affee781..72ccbcd2f 100644
--- a/web/includes/actions.php
+++ b/web/includes/actions.php
@@ -58,14 +58,18 @@ function getAffectedIds( $name )
 return( $ids );
 }

-if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST['auth']) )
-{
- if ( $authUser = getAuthUser( $_REQUEST['auth'] ) )
- {
- userLogin( $authUser['Username'], $authUser['Password'], true );
+if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS ) {
+ if ( empty($user) && !empty($_REQUEST['auth']) ) {
+ if ( $authUser = getAuthUser( $_REQUEST['auth'] ) ) {
+ userLogin( $authUser['Username'], $authUser['Password'], true );
 }
+ } else if ( ! empty($user) ) {
+ // generate it once here, while session is open. Value will be cached in session and return when called later on
+ generateAuthHash( ZM_AUTH_HASH_IPS );
+ }
 }
+
 if ( !empty($action) )
 {
 if ( $action == "login" && isset($_REQUEST['username']) && ( ZM_AUTH_TYPE == "remote" || isset($_REQUEST['password']) ) )
diff --git a/web/includes/functions.php b/web/includes/functions.php
index c2b4da921..c77e107a6 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
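Review bot: The comment on the new `else if ( ! empty($user) )` branch promises a cached value that the callee only provides in one configuration: in the functions.php hunk of this same patch, `generateAuthHash()` writes `$_SESSION['AuthHash']` only when `ZM_AUTH_RELAY == "hashed"`, so for any other relay mode this call is a no-op and later callers get an empty string rather than a cached hash. Suggest wording it as `// Pre-generate the relay hash while the session is still writable; generateAuthHash() caches it in $_SESSION (hashed relay only) and later callers reuse the cached value. Return value intentionally discarded.` so the next reader does not expect caching in every mode. `else if` should also be the single keyword `elseif`, which is the form PSR-12 requires and the only one valid with the alternative (colon) syntax. The top-level `if` starts and ends inside the hunk, but `$user` is assigned outside it, presumably by the session/login code earlier in the file.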
@@ -144,19 +144,23 @@ function generateAuthHash( $useRemoteAddr ) {
 if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == "hashed" ) {
 # regenerate a hash at half the liftetime of a hash, an hour is 3600 so half is 1800
 if ( ( $_SESSION['AuthHashGeneratedAt'] < time() - ( ZM_AUTH_HASH_TTL * 1800 ) ) or ! isset($_SESSION['AuthHash']) ) {
-# Don't both regenerating Auth Hash if an hour hasn't gone by yet
- $time = localtime();
- if ( $useRemoteAddr ) {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
+ if ( ! ( $_SESSION['username'] and $_SESSION['passwordHash'] ) ) {
+ Warning("Can't generate auth hash until we are logged in");
 } else {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
- }
- $auth = md5( $authKey );
- if ( session_status() == PHP_SESSION_NONE ) {
- Warning("Session is not active. AuthHash will not be cached.");
- }
- $_SESSION['AuthHash'] = $auth;
- $_SESSION['AuthHashGeneratedAt'] = time();
+ # Don't both regenerating Auth Hash if an hour hasn't gone by yet
+ $time = localtime();
+ if ( $useRemoteAddr ) {
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
+ } else {
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
+ }
+ $auth = md5( $authKey );
+ if ( session_status() == PHP_SESSION_NONE ) {
+ Warning("Session is not active. AuthHash will not be cached.");
+ }
+ $_SESSION['AuthHash'] = $auth;
+ $_SESSION['AuthHashGeneratedAt'] = time();
+ } # end if we are logged in yet or not
 } # end if AuthHash is not cached
 return $_SESSION['AuthHash'];
 } else {
From d4be5b06ea326c9305b15d60739070db307794a1 Mon Sep 17 00:00:00 2001
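Review bot: The new guard `if ( ! ( $_SESSION['username'] and $_SESSION['passwordHash'] ) )` reads both keys without `isset()`, so for a visitor who is not logged in — exactly the case it is meant to catch — PHP raises an undefined-index notice for each key before the branch is taken; `if ( empty($_SESSION['username']) or empty($_SESSION['passwordHash']) ) {` keeps the same truthiness test without the notices. In that same not-logged-in path the function then falls through to the context line `return $_SESSION['AuthHash'];`, which the enclosing condition `! isset($_SESSION['AuthHash'])` admits may be unset, so the caller receives `null` with another notice instead of the `""` the function's other branch returns; `return isset($_SESSION['AuthHash']) ? $_SESSION['AuthHash'] : '';` makes the empty case explicit. The second patch on this page moves the logged-in test into the outer `if` and restores the `''` return, but keeps the unguarded `$_SESSION` reads, so the `empty()` form applies there as well. `generateAuthHash()` begins on the hunk header line and its tail (the `else` branch) continues outside the hunk.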
From: Isaac Connor
Date: Mon, 3 Oct 2016 21:22:16 -0400
Subject: [PATCH 2/2] Only generate auth hash when logged in.

---
 web/includes/functions.php | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/web/includes/functions.php b/web/includes/functions.php
index c77e107a6..61998a9e5 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -141,30 +141,29 @@ function getAuthUser( $auth ) {
 }

 function generateAuthHash( $useRemoteAddr ) {
- if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == "hashed" ) {
+ if ( ZM_OPT_USE_AUTH and ZM_AUTH_RELAY == 'hashed' and $_SESSION['username'] and $_SESSION['passwordHash'] ) {
 # regenerate a hash at half the liftetime of a hash, an hour is 3600 so half is 1800
 if ( ( $_SESSION['AuthHashGeneratedAt'] < time() - ( ZM_AUTH_HASH_TTL * 1800 ) ) or ! isset($_SESSION['AuthHash']) ) {
- if ( ! ( $_SESSION['username'] and $_SESSION['passwordHash'] ) ) {
- Warning("Can't generate auth hash until we are logged in");
+ # Don't both regenerating Auth Hash if an hour hasn't gone by yet
+ $time = localtime();
+ $authKey = '';
+ if ( $useRemoteAddr ) {
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
 } else {
- # Don't both regenerating Auth Hash if an hour hasn't gone by yet
- $time = localtime();
- if ( $useRemoteAddr ) {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$_SESSION['remoteAddr'].$time[2].$time[3].$time[4].$time[5];
- } else {
- $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
- }
- $auth = md5( $authKey );
- if ( session_status() == PHP_SESSION_NONE ) {
- Warning("Session is not active. AuthHash will not be cached.");
- }
- $_SESSION['AuthHash'] = $auth;
- $_SESSION['AuthHashGeneratedAt'] = time();
- } # end if we are logged in yet or not
+ $authKey = ZM_AUTH_HASH_SECRET.$_SESSION['username'].$_SESSION['passwordHash'].$time[2].$time[3].$time[4].$time[5];
+ }
+ $auth = md5( $authKey );
+ if ( session_status() == PHP_SESSION_NONE ) {
+ Warning("Session is not active. AuthHash will not be cached.");
+ }
+ $_SESSION['AuthHash'] = $auth;
+ $_SESSION['AuthHashGeneratedAt'] = time();
+ } else {
+ Debug( "Using cached auth " . $_SESSION['AuthHash'] );
 } # end if AuthHash is not cached
 return $_SESSION['AuthHash'];
 } else {
- $auth = "";
+ $auth = '';
 }
 return( $auth );
 }
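Review bot: The new `Debug( "Using cached auth " . $_SESSION['AuthHash'] )` line writes the relay hash itself into the debug log, and with `ZM_AUTH_HASH_LOGINS` enabled (the actions.php hunk above) that same value is accepted as a login credential through `getAuthUser( $_REQUEST['auth'] )`, so the log entry is credential-equivalent and the log file becomes a place to harvest it from; `Debug( 'Using cached auth hash' );` keeps the diagnostic without the secret. The added `$authKey = '';` is dead, since both arms of the following `if` assign it unconditionally, and can be dropped. Independently of this patch, the token is a bare `md5()` over the concatenated secret, username, stored password hash and clock fields with no separators; a keyed digest such as `hash_hmac('sha256', $payload, ZM_AUTH_HASH_SECRET)` is the conventional construction for a token that is only ever compared against its own regeneration, and would be a reasonable follow-up once it is confirmed that nothing outside this hunk (e.g. `getAuthUser()`) assumes the 32-character md5 form. `generateAuthHash()` is shown in full here; `getAuthUser()` on the hunk header line ends inside the hunk but starts outside it.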