Only populate session with user info on successful login. Use parameters in sql when loading users in getAuthUser. Fixes #2542

This commit is contained in:
Isaac Connor 2019-02-27 09:57:50 -05:00
parent 92ded81e26
commit 6e4444099b
1 changed files with 10 additions and 8 deletions

View File

@ -82,11 +82,6 @@ function userLogin($username='', $password='', $passwordHashed=false) {
session_start();
$close_session = 1;
}
$_SESSION['username'] = $username;
if ( ZM_AUTH_RELAY == 'plain' ) {
// Need to save this in session
$_SESSION['password'] = $password;
}
$_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
if ( $dbUser = dbFetchOne($sql, NULL, $sql_values) ) {
ZM\Info("Login successful for user \"$username\"");
@ -95,6 +90,11 @@ function userLogin($username='', $password='', $passwordHashed=false) {
if ( ZM_AUTH_TYPE == 'builtin' ) {
$_SESSION['passwordHash'] = $user['Password'];
}
$_SESSION['username'] = $user['Username'];
if ( ZM_AUTH_RELAY == 'plain' ) {
// Need to save this in session, can't use the value in User because it is hashed
$_SESSION['password'] = $_REQUEST['password'];
}
zm_session_regenerate_id();
} else {
ZM\Warning("Login denied for user \"$username\"");
@ -124,17 +124,19 @@ function getAuthUser($auth) {
}
}
$values = array();
if ( isset($_SESSION['username']) ) {
# Most of the time we will be logged in already and the session will have our username, so we can significantly speed up our hash testing by only looking at our user.
# Only really important if you have a lot of users.
$sql = "SELECT * FROM Users WHERE Enabled = 1 AND Username='".$_SESSION['username']."'";
$sql = 'SELECT * FROM Users WHERE Enabled = 1 AND Username=?';
array_push($values, $_SESSION['username']);
} else {
$sql = 'SELECT * FROM Users WHERE Enabled = 1';
}
foreach ( dbFetchAll($sql) as $user ) {
foreach ( dbFetchAll($sql, NULL, $values) as $user ) {
$now = time();
for ( $i = 0; $i < ZM_AUTH_HASH_TTL; $i++, $now -= (3600) ) { // Try for last two hours
for ( $i = 0; $i < ZM_AUTH_HASH_TTL; $i++, $now -= ZM_AUTH_HASH_TTL * 1800 ) { // Try for last two hours
$time = localtime($now);
$authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$remoteAddr.$time[2].$time[3].$time[4].$time[5];
$authHash = md5($authKey);