From 560a51cff710df12c863de53c4c8289e1516dae8 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Tue, 23 Jan 2024 23:11:28 -0700
Subject: [PATCH] Security - Update session validation and regenerate session
 id on login

---
 .../resources/classes/authentication.php       | 18 ++++++++++++++----
 resources/check_auth.php                       | 14 ++++++++++++--
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/core/authentication/resources/classes/authentication.php b/core/authentication/resources/classes/authentication.php
index 9378a14844..4025a6ab7a 100644
--- a/core/authentication/resources/classes/authentication.php
+++ b/core/authentication/resources/classes/authentication.php
@@ -169,12 +169,15 @@ class authentication {
 // 			}
 // 			$result["authorized"] = $authorized;
 
-		//add user logs
+		//add the result to the user logs
 			user_logs::add($result);
 
 		//user is authorized - get user settings, check user cidr
 			if ($authorized) {
 
+				//regenerate the session on login
+					session_regenerate_id(true);
+
 				//set a session variable to indicate authorized is set to true
 					$_SESSION['authorized'] = true;
 
@@ -229,8 +232,15 @@ class authentication {
 					$_SESSION["user_uuid"] = $result["user_uuid"];
 					$_SESSION["context"] = $result['domain_name'];
 
-				//used to validate the session
-					$_SESSION["user_hash"] = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
+				//build the session server array to validate the session
+					global $conf;
+					if (!isset($conf['session.validate'])) { $conf['session.validate'][] = 'HTTP_USER_AGENT'; }
+					foreach($conf['session.validate'] as $name) {
+						$server_array[$name] = $_SERVER[$name];
+					}
+
+				//save the user hash to be used in validate the session
+					$_SESSION["user_hash"] = hash('sha256', implode($server_array));
 
 				//user session array
 					$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
@@ -448,4 +458,4 @@ $response = $auth->validate();
 print_r($response);
 */
 
-?>
\ No newline at end of file
+?>
diff --git a/resources/check_auth.php b/resources/check_auth.php
index 06d4ed8b92..6e17ab6fe8 100644
--- a/resources/check_auth.php
+++ b/resources/check_auth.php
@@ -75,8 +75,18 @@
 		$_SESSION['authorized'] = false;
 	}
 
-//validate the session address
-	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])) {
+//session validate: use HTTP_USER_AGENT as a default value
+	if (!isset($conf['session.validate'])) {
+		$conf['session.validate'][] = 'HTTP_USER_AGENT';
+	}
+
+//session validate: prepare the server array
+	foreach($conf['session.validate'] as $name) {
+		$server_array[$name] = $_SERVER[$name];
+	}
+
+//session validate: check to see if the session is valid
+	if ($_SESSION['authorized'] && $_SESSION["user_hash"] !== hash('sha256', implode($server_array))) {
 		session_destroy();
 		header("Location: ".PROJECT_PATH."/logout.php");
 	}