Added session based login

Author: Groruk

web/includes/CUserManager.php

@@ -38,14 +38,12 @@ class CUserManager
      * @param $password the current user's password
      * @return noreturn.
      */
-    public function __construct($aid, $password)
+    public function __construct($aid)
     {
         $this->dbh = new Database(DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASS, DB_PREFIX);
 
-        if ($this->CheckLogin($password, $aid)) {
-            $this->aid = $aid;
-            $this->GetUserArray($aid);
-        }
+        $this->aid = $aid;
+        $this->GetUserArray($aid);
     }
 
 
@@ -63,7 +61,7 @@ public function GetUserArray($aid = null)
         }
         // Invalid aid
         if ($aid < 0 || empty($aid)) {
-            return 0;
+            return false;
         }
 
         // We already got the data from the DB, and its saved in the manager
@@ -82,7 +80,7 @@ public function GetUserArray($aid = null)
         $res = $this->dbh->single();
 
         if (!$res) {
-            return 0;  // ohnoes some type of db error
+            return false;  // ohnoes some type of db error
         }
 
         $user = array();
@@ -212,30 +210,24 @@ public function CheckLogin($password, $aid)
 
     public function login($aid, $password, $save = true)
     {
-        if ($this->CheckLogin($this->encrypt_password($password), $aid)) {
+        if ($this->CheckLogin($this->encrypt_password($password), $aid) || $this->CheckLogin($this->hash($password), $aid)) {
             //Old password hash detected update it.
             $this->dbh->query('UPDATE `:prefix_admins` SET password = :password WHERE aid = :aid');
-            $this->dbh->bind(':password', $this->hash($password));
+            $this->dbh->bind(':password', password_hash($password, PASSWORD_BCRYPT));
             $this->dbh->bind(':aid', $aid);
             $this->dbh->execute();
 
-            setcookie("aid", $aid);
-            setcookie("password", $this->hash($password));
-            setcookie("user", $_SESSION['user']['user']);
+            \SessionManager::sessionStart('login', 604800, 0);
+            $_SESSION['aid'] = $aid;
             return true;
         }
 
-        if ($this->CheckLogin($this->hash($password), $aid)) {
-            if ($save) {
-                //Sets cookies
-                setcookie("aid", $aid, time()+LOGIN_COOKIE_LIFETIME);
-                setcookie("password", $this->hash($password), time()+LOGIN_COOKIE_LIFETIME);
-                setcookie("user", isset($_SESSION['user']['user'])?$_SESSION['user']['user']:null, time()+LOGIN_COOKIE_LIFETIME);
-                return true;
-            }
-            setcookie("aid", $aid);
-            setcookie("password", $this->hash($password));
-            setcookie("user", $_SESSION['user']['user']);
+        $this->dbh->query('SELECT password FROM `:prefix_admins` WHERE aid = :aid');
+        $this->dbh->bind(':aid', $aid);
+        $hash = $this->dbh->single();
+        if (password_verify($password, $hash['password'])) {
+            \SessionManager::sessionStart('login', 604800, 0);
+            $_SESSION['aid'] = $aid;
             return true;
         }
         return false;

web/includes/SessionManager.php

@@ -0,0 +1,59 @@
+<?php
+class SessionManager
+{
+    public static function sessionStart($name, $expires = 86400, $limit = 0, $path = '/', $domain = null)
+    {
+        $secure = false;
+        session_name($name.'_Session');
+        $domain = isset($domain) ? $domain : $_SERVER['SERVER_NAME'];
+        if ($_SERVER['SERVER_PORT'] == 443) {
+            $secure = true;
+        }
+        session_set_cookie_params($limit, $path, $domain, $secure, true);
+        session_start();
+
+        $_SESSION['userAgent'] = hash('sha256', $_SERVER['HTTP_USER_AGENT']);
+        $_SESSION['EXPIRES'] = time()+$expires;
+    }
+    public static function checkSession()
+    {
+        if (!isset($_SESSION['userAgent'])) {
+            return false;
+        }
+        if (!self::validateSession() || !self::preventHijacking()) {
+            session_destroy();
+            session_start();
+            return false;
+        } elseif (rand(1, 100) <= 10) {
+            self::regenerateSession();
+        }
+        return true;
+    }
+    protected static function preventHijacking()
+    {
+        if (!isset($_SESSION['userAgent'])) {
+            return false;
+        }
+        if ($_SESSION['userAgent'] !== hash('sha256', $_SERVER['HTTP_USER_AGENT'])) {
+            return false;
+        }
+        return true;
+    }
+    protected static function regenerateSession()
+    {
+        $_SESSION['EXPIRES'] = time() + 10;
+        session_regenerate_id(false);
+        $newSession = session_id();
+        session_write_close();
+        session_id($newSession);
+        session_start();
+        unset($_SESSION['EXPIRES']);
+    }
+    protected static function validateSession()
+    {
+        if (isset($_SESSION['EXPIRES']) && $_SESSION['EXPIRES'] < time()) {
+            return false;
+        }
+        return true;
+    }
+}

web/includes/sb-callback.php

@@ -28,13 +28,13 @@
 require_once('xajax.inc.php');
 include_once('system-functions.php');
 include_once('user-functions.php');
+session_start();
 $xajax = new xajax();
 //$xajax->debugOn();
 $xajax->setRequestURI(XAJAX_REQUEST_URI);
 global $userbank;
 
-if(isset($_COOKIE['aid'], $_COOKIE['password']) && $userbank->CheckLogin($_COOKIE['password'], $_COOKIE['aid']))
-{
+if (\SessionManager::checkSession()) {
     $xajax->registerFunction("AddMod");
     $xajax->registerFunction("RemoveMod");
     $xajax->registerFunction("AddGroup");
@@ -94,7 +94,6 @@
 global $userbank;
 $username = $userbank->GetProperty("user");
 
-
 function Plogin($username, $password, $remember, $redirect, $nopass)
 {
     global $userbank;

web/includes/user-functions.php

@@ -63,8 +63,6 @@ function generate_salt($length = 5)
  */
 function logout()
 {
-    setcookie('aid', '', time()-86400);
-    setcookie('password', '', time()-86400);
     $_SESSION = array();
     session_destroy();
     return true;

web/init.php

@@ -24,6 +24,8 @@
 		Licensed under CC BY-NC-SA 3.0
 		Page: <http://www.sourcebans.net/> - <http://www.gameconnect.net/>
 *************************************************************************/
+session_start();
+
 //Hotfix for dash_intro_text
 if (isset($_POST['dash_intro_text'])) {
     $dash_intro_text = $_POST['dash_intro_text'];
@@ -55,6 +57,7 @@
 define('SB_AID', isset($_COOKIE['aid'])?$_COOKIE['aid']:null);
 define('XAJAX_REQUEST_URI', './index.php');
 
+require_once(INCLUDES_PATH.'/SessionManager.php');
 include_once(INCLUDES_PATH . "/CSystemLog.php");
 include_once(INCLUDES_PATH . "/CUserManager.php");
 include_once(INCLUDES_PATH . "/CUI.php");
@@ -361,4 +364,4 @@ function sbError($errno, $errstr, $errfile, $errline)
 // ---------------------------------------------------
 // Setup our user manager
 // ---------------------------------------------------
-$userbank = new CUserManager(isset($_COOKIE['aid'])?$_COOKIE['aid']:'', isset($_COOKIE['password'])?$_COOKIE['password']:'');
+$userbank = new CUserManager(isset($_SESSION['aid']) ? $_SESSION['aid'] : -1);

web/install/index.php

@@ -25,7 +25,6 @@
 		Page: <http://www.sourcebans.net/> - <http://www.gameconnect.net/>
 *************************************************************************/
 
-session_start();
 include_once 'init.php';
 include_once(INCLUDES_PATH . "/user-functions.php");
 include_once(INCLUDES_PATH . "/system-functions.php");

web/install/template/page.5.php

@@ -27,7 +27,6 @@
 define('STEAMAPIKEY', '{steamapikey}');				// Steam API Key for Shizz
 define('SB_WP_URL', '{sbwpurl}');       				//URL of SourceBans Site
 define('SB_EMAIL', '{sbwpemail}');
-define('SB_NEW_SALT', '{sbsalt}');
 
 //define('DEVELOPER_MODE', true);			// Use if you want to show debugmessages
 //define('SB_MEM', '128M'); 				// Override php memory limit, if isn't enough (Banlist is just a blank page)
@@ -47,14 +46,6 @@
 	}
 ';
 
-/* Generate random salt for each SourceBans installation
- * Note: this is not good you should assign every user a unique salt
- * and because of the codebase we can only assign one salt without fucking parts
- * of SoureBans up. (it's safer than the currently used salt which is the same on every instance of SourceBans)
- */
-require_once('../includes/random_compat/lib/random.php');
-$salt = "$5$".strtr(substr(base64_encode(random_bytes(16)), 0, 16), '+/', '-_');
-
 $web_cfg = str_replace("{server}", $_POST['server'], $web_cfg);
 $web_cfg = str_replace("{user}", $_POST['username'], $web_cfg);
 $web_cfg = str_replace("{pass}", $_POST['password'], $web_cfg);
@@ -65,7 +56,6 @@
 $web_cfg = str_replace("{steamapikey}", $_POST['apikey'], $web_cfg);
 $web_cfg = str_replace("{sbwpurl}", $_POST['sb-wp-url'], $web_cfg);
 $web_cfg = str_replace("{sbwpemail}", $_POST['sb-email'], $web_cfg);
-$web_cfg = str_replace("{sbsalt}", $salt, $web_cfg);
 
 $srv_cfg = str_replace("{server}", $_POST['server'], $srv_cfg);
 $srv_cfg = str_replace("{user}", $_POST['username'], $srv_cfg);
@@ -92,8 +82,7 @@
             $db->query('INSERT INTO `:prefix_admins` (user, authid, password, gid, email, extraflags, immunity) VALUES (:user, :authid, :password, :gid, :email, :extraflags, :immunity)');
             $db->bind(':user', $_POST['uname']);
             $db->bind(':authid', $_POST['steam']);
-            //$db->bind(':password', sha1(sha1(SB_SALT . $_POST['pass1'])));
-            $db->bind(':password', crypt($_POST['pass1'], $salt));
+            $db->bind(':password', password_hash($_POST['pass1'], PASSWORD_BCRYPT));
             $db->bind(':gid', -1);
             $db->bind(':email', $_POST['email']);
             $db->bind(':extraflags', (1<<24));
@@ -223,7 +212,6 @@
 <input type="hidden" name="sb-wp-url" value="<?php echo $_POST['sb-wp-url']?>">
 <input type="hidden" name="sb-email" value="<?php echo $_POST['sb-email']?>">
 <input type="hidden" name="charset" value="<?php echo $_POST['charset']?>">
-<input type="hidden" name="sbsalt" value="<?php echo $salt?>">
 </div>
 </form>
 

web/steamopenid.php

@@ -26,7 +26,6 @@
 *************************************************************************/
 // Steam Login by @duhowpi 2015
 
-session_start();
 include_once 'init.php';
 include_once 'config.php';
 require_once 'includes/openid.php';
@@ -83,8 +82,8 @@ function convert64to32(Database $dbs, $communityID)
             header("Location: " . SB_URL . "/index.php?p=login&m=empty_pwd");
             die;
         } else {
-            setcookie("aid", $result['aid'], time() + LOGIN_COOKIE_LIFETIME);
-            setcookie("password", $result['password'], time() + LOGIN_COOKIE_LIFETIME);
+            \SessionManager::sessionStart('login', 604800, 0);
+            $_SESSION['aid'] = $result['aid'];
         }
     }
 } else {