Public_Tools/wavelog
2
0
Fork 0
mirror of https://github.com/wavelog/wavelog.git synced 2026-03-22 10:24:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

enforce minimum session expiration time of 43200 seconds for security and create session_token instead of using session id for hash creation

Browse Source
This commit is contained in:
HB9HIL
2026-01-26 13:04:28 +01:00
parent 148a8e4fd9
commit ce4a5e7b9d
4 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
application/config/config.sample.php
View File

@@ -439,7 +439,7 @@ $config['encryption_key'] = 'flossie1234555541';
| 'sess_expiration'
|
| The number of SECONDS you want the session to last.
| Setting to 0 (zero) means expire when the browser is closed.
| Minimum is 43200 seconds (12 hours) for security reasons.
|
| 'sess_save_path'
|
@@ -476,7 +476,7 @@ $config['encryption_key'] = 'flossie1234555541';
*/
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_wavelog';
$config['sess_expiration'] = 0;
$config['sess_expiration'] = 43200;
$config['sess_save_path'] = '/tmp';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;

14
application/models/User_model.php
View File

@@ -539,6 +539,11 @@ class User_Model extends CI_Model {
return false;
}
$token = $this->session->userdata('session_token') ?: NULL;
if (!$token) {
$token = bin2hex(random_bytes(32));
}
$userdata = array(
'user_id' => $u->row()->user_id,
'user_name' => $u->row()->user_name,
@@ -551,7 +556,8 @@ class User_Model extends CI_Model {
'user_clublog_name' => $u->row()->user_clublog_name ?? '',
'user_eqsl_name' => $u->row()->user_eqsl_name,
'user_eqsl_qth_nickname' => $u->row()->user_eqsl_qth_nickname,
'user_hash' => $this->_session_hash($u->row()->user_id . $u->row()->user_type),
'user_hash' => $this->_session_hash($u->row()->user_id . $u->row()->user_type . $token),
'session_token' => $token,
'radio' => ((($this->session->userdata('radio') ?? '') == '') ? $this->user_options_model->get_options('cat', array('option_name' => 'default_radio'))->row()->option_value ?? '' : $this->session->userdata('radio')),
'station_profile_id' => $this->session->userdata('station_profile_id') ?? '',
'user_measurement_base' => $u->row()->user_measurement_base,
@@ -646,7 +652,8 @@ class User_Model extends CI_Model {
$impersonate = $this->session->userdata('impersonate');
if(ENVIRONMENT != 'maintenance') {
if($this->_auth($user_id . $user_type, $user_hash)) {
$session_token = $this->session->userdata('session_token');
if($session_token && $this->_auth($user_id . $user_type . $session_token, $user_hash)) {
// Freshen the session
$this->update_session($user_id, $u);
return 1;
@@ -656,7 +663,8 @@ class User_Model extends CI_Model {
}
} else { // handle the maintenance mode and kick out user on page reload if not an admin
if($user_type == '99' || $src_user_type === '99') {
if($this->_auth($user_id . $user_type, $user_hash)) {
$session_token = $this->session->userdata('session_token');
if($session_token && $this->_auth($user_id . $user_type . $session_token, $user_hash)) {
// Freshen the session
$this->update_session($user_id, $u);
return 1;

4
install/config/config.php
View File

@@ -439,7 +439,7 @@ $config['encryption_key'] = '%encryptionkey%';
| 'sess_expiration'
|
| The number of SECONDS you want the session to last.
| Setting to 0 (zero) means expire when the browser is closed.
| Minimum is 43200 seconds (12 hours) for security reasons.
|
| 'sess_save_path'
|
@@ -476,7 +476,7 @@ $config['encryption_key'] = '%encryptionkey%';
*/
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_wavelog';
$config['sess_expiration'] = 0;
$config['sess_expiration'] = 43200;
$config['sess_save_path'] = '/tmp';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;

3
system/libraries/Session/Session.php
View File

@@ -244,7 +244,8 @@ class CI_Session {
*/
protected function _configure(&$params)
{
$expiration = config_item('sess_expiration');
// We force a minimum expiration time of 43200 seconds (12 hours) for security reasons
$expiration = config_item('sess_expiration') == 0 ? 43200 : config_item('sess_expiration');
if (isset($params['cookie_lifetime']))
{