Revert to old cookie code.

2025-01-18 07:32:53 +01:00 · 2021-10-05 15:03:24 +01:00 · 2021-10-05 15:03:24 +01:00 · 4420a78b31
commit 4420a78b31
parent 7753eb4a7b
5 changed files with 47 additions and 39 deletions
--- a/README.md
+++ b/README.md
@ -81,12 +81,22 @@ Configuration is via environmental variables.  Please bear the following in mind

 ### Optional:

-#### Organisation settings
+
+#### Web server settings

 * `SERVER_HOSTNAME` (default: *ldapusername.org*):  The hostname that this interface will be served from.
   
 * `SERVER_PATH` (default: */*): The path to the user manager on the webserver.  Useful if running this behind a reverse proxy.
+
+* `SERVER_PORT` (default: *80 or 80+443*): The port the webserver inside the container will listen on.  If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS.  When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true).  This is for use when the container's Docker network mode is set to `host`.
+
+* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.  See [HTTPS certificates](#https-certificates)
   
+* `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.
+
+
+#### Organisation settings
+
 * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
   
 * `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*):  Change this to replace the title in the menu, e.g. "My Company Account Management".
@ -173,13 +183,6 @@ To send emails you'll need to use an existing SMTP server.  Email sending will b

 * `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to.

-**Site security settings**   
-
-#### Website security
-
-* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.  See [HTTPS certificates](#https-certificates)
-   
-* `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.

 #### Debugging settings

--- a/27
+++ b/27
@ -17,14 +17,15 @@ fi

 if [ "$LDAP_TLS_CACERT" ]; then
  echo "$LDAP_TLS_CACERT" >/opt/ca.crt
-  sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf
+  mkdir -p /etc/ldap
+  echo "TLS_CACERT /opt/ca.crt/" > /etc/ldap/ldap.conf
 fi

 if [ "${NO_HTTPS,,}" == "true" ]; then

  cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf

-<VirtualHost *:80>
+<VirtualHost *:${SERVER_PORT:-80}>

 ServerName $SERVER_HOSTNAME
 DocumentRoot $php_dir
@ -39,6 +40,8 @@ if [ "${NO_HTTPS,,}" == "true" ]; then
 EoHTTPC


+  echo "Listen ${SERVER_PORT:-80}" > /etc/apache2/ports.conf
+
 else

  ########################
@ -112,7 +115,14 @@ EoCertConf

  if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi

-  cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
+  echo  > /etc/apache2/sites-enabled/lum.conf
+  echo  > /etc/apache2/ports.conf
+
+  if [ ! "$SERVER_PORT" ]; then
+
+    echo "Listen 80" > /etc/apache2/ports.conf
+
+    cat <<EoHTTPrd >/etc/apache2/sites-enabled/lum.conf

 <VirtualHost *:80>

@ -121,7 +131,15 @@ EoCertConf

 </VirtualHost>

-<VirtualHost _default_:443>
+EoHTTPrd
+
+  fi
+
+  echo "Listen ${SERVER_PORT:-443}" >> /etc/apache2/ports.conf
+  
+  cat <<EoHTTPSC >>/etc/apache2/sites-enabled/lum.conf
+
+<VirtualHost _default_:${SERVER_PORT:-443}>

 ServerName $SERVER_HOSTNAME

@ -143,7 +161,6 @@ EoHTTPSC

 fi

-cat /etc/apache2/sites-enabled/lum.conf

 ########################
 #Run Apache
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@ -55,6 +55,7 @@ elseif (isset($_POST['initialise_group'])) {
 }
 else {
  $new_group = FALSE;
+  $initialise_group = TRUE;
  $current_members = ldap_get_group_members($ldap_connection,$group_cn);
  $full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
  $has_been = "updated";
@ -279,7 +280,7 @@ ldap_close($ldap_connection);
         <button class="btn btn-default btn-sm move-right">
          <span class="glyphicon glyphicon-chevron-right"></span>
         </button>
-         <form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
+         <form id="group_members" action="<?php print "${THIS_MODULE_PATH}"; ?>/show_group.php" method="post">
          <input type="hidden" name="update_members">
          <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
          <?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@ -499,7 +499,7 @@ if ($ldap_search) {
          <button class="btn btn-default btn-sm move-right">
           <span class="glyphicon glyphicon-chevron-right"></span>
          </button>
-          <form id="update_with_groups" action="<?php print $CURRENT_PAGE; ?>" method="post">
+          <form id="update_with_groups" action="<?php print "${THIS_MODULE_PATH}"; ?>/show_user.php" method="post">
           <input type="hidden" name="update_member_of">
           <input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
          </form>
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@ -7,7 +7,6 @@ $IS_ADMIN = FALSE;
 $IS_SETUP_ADMIN = FALSE;
 $ACCESS_LEVEL_NAME = array('account','admin');
 unset($USER_ID);
-$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
 $SENT_HEADERS = FALSE;
 $SESSION_TIMED_OUT = FALSE;

@ -36,13 +35,6 @@ include ("modules.inc.php");   # module definitions
 if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; }
 $THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}";

-$DEFAULT_COOKIE_OPTIONS = array( 'expires' => time()+(60 * $SESSION_TIMEOUT),
-                                 'path' => $SERVER_PATH,
-                                 'domain' => '',
-                                 'secure' => TRUE,
-                                 'samesite' => 'strict'
-                               );
-
 validate_passkey_cookie();

 ######################################################
@ -63,7 +55,7 @@ function set_passkey_cookie($user_id,$is_admin) {

 # Create a random value, store it locally and set it in a cookie.

- global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS;
+ global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG;


 $passkey = generate_passkey();
@ -76,10 +68,10 @@ function set_passkey_cookie($user_id,$is_admin) {
 }
 $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
 @ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
- setcookie('orf_cookie', "$user_id:$passkey", $DEFAULT_COOKIE_OPTIONS);
- $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
- $sessto_cookie_opts['expires'] = $this_time+7200;
- setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $sessto_cookie_opts);
+
+ setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);
+ setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $this_time+7200, '/', '', '', TRUE);
+
 if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
 $VALIDATED = TRUE;

@ -146,16 +138,16 @@ function set_setup_cookie() {

 # Create a random value, store it locally and set it in a cookie.

- global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS;
+ global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG;

 $passkey = generate_passkey();
 $this_time=time();

 $IS_SETUP_ADMIN = TRUE;

- file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
+ @ file_put_contents("/tmp/ldap_setup","$passkey:$this_time");

- setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS);
+ setcookie('setup_cookie', "$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);

 if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }

@ -206,15 +198,10 @@ function log_out($method='normal') {

 global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS;

- $this_time=time();
+ $expire_time=time()-20000;

- $orf_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
- $orf_cookie_opts['expires'] = $this_time-20000;
- $sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
- $sessto_cookie_opts['expires'] = $this_time-20000;
-
- setcookie('orf_cookie', "", $DEFAULT_COOKIE_OPTIONS);
- setcookie('sessto_cookie', "", $DEFAULT_COOKIE_OPTIONS);
+ setcookie('orf_cookie', "", $expire_time, '/', '', '', TRUE);
+ setcookie('sessto_cookie', "", $expire_time, '/', '', '', TRUE);

 $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
 @ unlink("/tmp/$filename");