From 9e7cd73ab3912e99cf3670df9e53cb628a0e3ea5 Mon Sep 17 00:00:00 2001
From: Robert Sesek
Date: Wed, 14 Feb 2007 19:48:17 +0000
Subject: [PATCH] r1409: Implemented a new admin login system: Instead of using a date-stamped cookie, a random hash is generated upon login and then this is stored in the cookie. It only lasts for one hour and it has to be validated against the database, making it much harder to break into.

---
 admin/global.php        | 30 ++++++++++-------------------
 docs/changes.txt        |  1 +
 docs/schema_changes.sql |  8 ++++++++
 login.php               |  7 ++++++-
 4 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/admin/global.php b/admin/global.php
index ff7b44e..05ee136 100755
--- a/admin/global.php
+++ b/admin/global.php
@@ -70,35 +70,25 @@ function admin_login()
 // ###################################################################
-$bugsys->userinfo['adminsession'] = false;
-
-if ($_COOKIE[COOKIE_PREFIX . 'adminsession'])
+if (can_perform('canadminpanel'))
 {
-	if (can_perform('canadminpanel'))
+	$session = $db->query_first("SELECT * FROM " . TABLE_PREFIX . "adminsession WHERE sessionid = '" . $bugsys->input_escape(COOKIE_PREFIX . 'adminsession') . "'");
+	if ($session AND $session['userid'] == $bugsys->userinfo['userid'] AND $session['dateline'] >= (TIMENOW - 3600))
 	{
-		if (md5(md5($bugsys->userinfo['authkey']) . md5(gmdate('F j, Y @ H'))) != $_COOKIE[COOKIE_PREFIX . 'adminsession'])
-		{
-			$funct->cookie(COOKIE_PREFIX . 'adminsession', '');
-			admin_login();
-			// do we need this message?
-			$admin->error(_('Invalid admin session has been terminated.'));
-		}
-		else
-		{
-			// renew the cookie
-			$funct->cookie(COOKIE_PREFIX . 'adminsession', md5(md5($bugsys->userinfo['authkey']) . md5(gmdate('F j, Y @ H'))), false);
-			$bugsys->userinfo['adminsession'] = true;
-		}
+		// renew the cookie
+		$funct->cookie(COOKIE_PREFIX . 'adminsession', $session['sessionid'], false);
 	}
 	else
 	{
-		$funct->cookie(COOKIE_PREFIX . 'adminsession', '');
+		$funct->cookie(COOKIE_PREFIX . 'adminsession', null);
 		admin_login();
+		// do we need this message?
+		$admin->error(_('Invalid admin session has been terminated.'));
 	}
 }
-
-if (!$_COOKIE[COOKIE_PREFIX . 'adminsession'])
+else
 {
+	$funct->cookie(COOKIE_PREFIX . 'adminsession', null);
 	admin_login();
 }
diff --git a/docs/changes.txt b/docs/changes.txt
index b8db656..ab4a4eb 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
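Review bot: The new `$session = $db->query_first(...)` line escapes the cookie's name, not its value: `$bugsys->input_escape(COOKIE_PREFIX . 'adminsession')` evaluates to the literal prefix followed by "adminsession", so `sessionid` is compared against a constant string that no `$funct->rand(90)` hash from login.php will ever equal, and every admin request falls into the terminate-and-`admin_login()` branch. The value has to come from the cookie: `$bugsys->input_escape($_COOKIE[COOKIE_PREFIX . 'adminsession'])`. Separately, the `// renew the cookie` branch re-sends the same `sessionid` but never touches `dateline`, so the session hard-expires 3600 s after login regardless of activity; if a sliding window is intended, the renewal also needs an `UPDATE ... SET dateline = TIMENOW WHERE sessionid = ...`. The old `$bugsys->userinfo['adminsession']` flag is dropped without a replacement, so anything elsewhere that still reads it would now see an unset key — worth a grep before merge.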
@@ -19,6 +19,7 @@
 - Added a lost password reset system
 - Fixed a bug in the User API that would clear the cached usernames in bug records on a save if the display name wasn't set
 - Extracted email text to the template system to make it easier to modify them
+- Improved the admin security system by creating a session system that is much harder to bypass
 1.1.5
 ===============================
diff --git a/docs/schema_changes.sql b/docs/schema_changes.sql
index 61fa7ae..2839185 100644
--- a/docs/schema_changes.sql
+++ b/docs/schema_changes.sql
@@ -20,4 +20,12 @@ CREATE TABLE passwordreset
 	userid INT NOT NULL,
 	dateline INT NOT NULL,
 	PRIMARY KEY (activatorid)
+);
+
+CREATE TABLE adminsession
+(
+	sessionid VARCHAR(250) NOT NULL,
+	userid INT UNSIGNED NOT NULL,
+	dateline INT UNSIGNED NOT NULL,
+	PRIMARY KEY (sessionid)
 );
\ No newline at end of file
diff --git a/login.php b/login.php
index 6ffdc7f..0732638 100755
--- a/login.php
+++ b/login.php
@@ -79,7 +79,10 @@ if ($_POST['do'] == 'login' OR $_POST['do'] == 'cplogin')
 		if ($_POST['do'] == 'cplogin')
 		{
-			$funct->cookie(COOKIE_PREFIX . 'adminsession', md5(md5($userinfo['authkey']) . md5(gmdate('F j, Y @ H'))), false);
+			$hash = $funct->rand(90);
+			$db->query("DELETE FROM " . TABLE_PREFIX . "adminsession WHERE dateline < " . (TIMENOW - 3600));
+			$db->query("INSERT INTO " . TABLE_PREFIX . "adminsession (sessionid, userid, dateline) VALUES ('$hash', $userinfo[userid], " . TIMENOW . ")");
+			$funct->cookie(COOKIE_PREFIX . 'adminsession', $hash, false);
 		}
 	}
 	else
@@ -102,6 +105,7 @@ if ($_REQUEST['do'] == 'logout')
 {
 	if ($bugsys->userinfo['userid'])
 	{
+		$db->query("DELETE FROM " . TABLE_PREFIX . "adminsession WHERE sessionid = '" . $bugsys->input_escape(COOKIE_PREFIX . 'adminsession') . "'");
 		$funct->cookie(COOKIE_PREFIX . 'userid');
 		$funct->cookie(COOKIE_PREFIX . 'authkey');
 		$funct->cookie(COOKIE_PREFIX . 'adminsession');
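Review bot: The strength of the whole scheme now rests on `$hash = $funct->rand(90);` being unpredictable, and nothing in this patch shows what `rand()` wraps; if it is layered on `rand()`/`mt_rand()` the admin session id is guessable, so either confirm it draws from a CSPRNG source or leave a comment at the call recording that assumption. The `INSERT` also interpolates `'$hash'` and `$userinfo[userid]` straight into SQL while the other new queries route values through `$bugsys->input_escape()`; even if `rand()`'s alphabet happens to be SQL-safe today, `VALUES ('" . $bugsys->input_escape($hash) . "', " . intval($userinfo['userid']) . ", " . TIMENOW . ")` keeps the invariant explicit. Note too that the purge only removes rows older than 3600 s and never this user's earlier sessions, so every previously issued admin cookie for the same account stays valid until its own hour runs out. The enclosing `if ($_POST['do'] == 'login' OR ...)` block continues past the hunk.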
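Review bot: The added `DELETE ... WHERE sessionid = '" . $bugsys->input_escape(COOKIE_PREFIX . 'adminsession') . "'"` compares `sessionid` to the cookie's name rather than its value, so no row is ever removed and the server-side admin session stays valid for the remainder of its hour even though the browser cookie is cleared on the next lines — a captured cookie value survives logout. Read the value instead: `$bugsys->input_escape($_COOKIE[COOKIE_PREFIX . 'adminsession'])`. Since this is the full-account logout and the user id is already known here, `DELETE ... WHERE userid = " . intval($bugsys->userinfo['userid'])` would revoke all of the user's admin sessions rather than just this browser's, which is the stronger behaviour for a logout. The enclosing `if ($_REQUEST['do'] == 'logout')` block continues past the hunk.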
@@ -228,6 +232,7 @@ if ($_REQUEST['do'] == 'cplogout')
 {
 	if ($_COOKIE[COOKIE_PREFIX . 'adminsession'])
 	{
+		$db->query("DELETE FROM " . TABLE_PREFIX . "adminsession WHERE sessionid = '" . $bugsys->input_escape(COOKIE_PREFIX . 'adminsession') . "'");
 		$funct->cookie(COOKIE_PREFIX . 'adminsession');
 		$message->redirect(_('You have been logged out.'), 'admin/');
 	}
-- 
2.22.5
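Review bot: The same name-versus-value mix-up as in the `logout` hunk: `$bugsys->input_escape(COOKIE_PREFIX . 'adminsession')` escapes the cookie's name, so this `DELETE` matches no row and the `adminsession` record outlives the cookie it is meant to revoke; `cplogout` then only clears the browser side. Use `$bugsys->input_escape($_COOKIE[COOKIE_PREFIX . 'adminsession'])` — the surrounding `if ($_COOKIE[COOKIE_PREFIX . 'adminsession'])` guard already ensures the value is present. The closing brace of the `cplogout` block lies outside the hunk.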