nsinnovations/fusionpbx
2
0
Fork 0
mirror of https://github.com/fusionpbx/fusionpbx.git synced 2026-03-31 21:49:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Handle invalid remember me token by logging the attempt and unsetting cookie (#7800)

Browse Source
This commit is contained in:
Alex
2026-03-19 22:37:03 +00:00
committed by GitHub
parent 52f81ab8cf
commit 00c4dbc166
1 changed files with 17 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
core/authentication/resources/classes/authentication.php
View File

@@ -116,15 +116,14 @@ class authentication {
$sql .= "and user_agent = :user_agent ";
$sql .= "and timestamp > NOW() - INTERVAL '7 days' ";
$sql .= "and result = 'success' ";
$sql .= "limit 1 ";
$parameters['remember_selector'] = $cookie_selector;
$parameters['remote_address'] = $remote_address;
$parameters['user_agent'] = $user_agent;
$user_logs = $this->database->select($sql, $parameters, 'row');
$user_log = $this->database->select($sql, $parameters, 'row');
unset($sql, $parameters);
//validate the token
if (!empty($user_logs) && password_verify($cookie_validator, $user_logs['remember_validator'])) {
if (!empty($user_log['remember_validator']) && password_verify($cookie_validator, $user_log['remember_validator'])) {
//get the user details
$sql = "select \n";
$sql .= "u.domain_uuid, \n";
@@ -136,7 +135,7 @@ class authentication {
$sql .= "where user_uuid = :user_uuid \n";
$sql .= "and u.domain_uuid = d.domain_uuid \n";
$sql .= "and u.user_enabled = 'true' \n";
$parameters['user_uuid'] = $user_logs['user_uuid'];
$parameters['user_uuid'] = $user_log['user_uuid'];
$row = $this->database->select($sql, $parameters, 'row');
unset($sql, $parameters);
@@ -172,15 +171,6 @@ class authentication {
//set the user_uuid
$this->user_uuid = $row["user_uuid"];
//save the result to the authentication plugin
$_SESSION['authentication']['methods'] = [];
$_SESSION['authentication']['methods'][] = $plugin_name;
$_SESSION['authentication']['plugin'] = [];
$_SESSION['authentication']['plugin'][$plugin_name] = $result;
//create the session
self::create_user_session($result, $this->settings);
//generate new token
$selector = uuid();
$validator = generate_password(32);
@@ -207,12 +197,26 @@ class authentication {
'samesite' => 'Strict'
]);
//create the session
self::create_user_session($result, $this->settings);
//set the session authorized to true
$_SESSION['authorized'] = true;
//return the result
return $result;
}
else {
//invalid token
unset($_COOKIE['remember']);
setcookie('remember', '', time() - 3600, '/');
//log the attempt
$log_array['domain_uuid'] = $_SESSION['domain_uuid'];
$log_array['authorized'] = false;
$failed_login_message = "Invalid remember me token";
user_logs::add($log_array, $failed_login_message);
}
}
//use the authentication plugins