Revert to old cookie code.

This commit is contained in:
Brian Lycett 2021-10-05 15:03:24 +01:00
parent 7753eb4a7b
commit 4420a78b31
5 changed files with 47 additions and 39 deletions


@ -81,12 +81,22 @@ Configuration is via environmental variables. Please bear the following in mind
### Optional: ### Optional:
#### Organisation settings
#### Web server settings
* `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from. * `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from.
* `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy. * `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy.
* `SERVER_PORT` (default: *80 or 80+443*): The port the webserver inside the container will listen on. If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS. When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true). This is for use when the container's Docker network mode is set to `host`.
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
#### Organisation settings
* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name. * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management". * `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
@ -173,13 +183,6 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
* `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to. * `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to.
**Site security settings**
#### Website security
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
#### Debugging settings #### Debugging settings


@ -17,14 +17,15 @@ fi
if [ "$LDAP_TLS_CACERT" ]; then if [ "$LDAP_TLS_CACERT" ]; then
echo "$LDAP_TLS_CACERT" >/opt/ca.crt echo "$LDAP_TLS_CACERT" >/opt/ca.crt
sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf mkdir -p /etc/ldap
echo "TLS_CACERT /opt/ca.crt/" > /etc/ldap/ldap.conf
fi fi
if [ "${NO_HTTPS,,}" == "true" ]; then if [ "${NO_HTTPS,,}" == "true" ]; then
cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
<VirtualHost *:80> <VirtualHost *:${SERVER_PORT:-80}>
ServerName $SERVER_HOSTNAME ServerName $SERVER_HOSTNAME
DocumentRoot $php_dir DocumentRoot $php_dir
@ -39,6 +40,8 @@ if [ "${NO_HTTPS,,}" == "true" ]; then
EoHTTPC EoHTTPC
echo "Listen ${SERVER_PORT:-80}" > /etc/apache2/ports.conf
else else
######################## ########################
@ -112,7 +115,14 @@ EoCertConf
if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi
cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf echo > /etc/apache2/sites-enabled/lum.conf
echo > /etc/apache2/ports.conf
if [ ! "$SERVER_PORT" ]; then
echo "Listen 80" > /etc/apache2/ports.conf
cat <<EoHTTPrd >/etc/apache2/sites-enabled/lum.conf
<VirtualHost *:80> <VirtualHost *:80>
@ -121,7 +131,15 @@ EoCertConf
</VirtualHost> </VirtualHost>
<VirtualHost _default_:443> EoHTTPrd
fi
echo "Listen ${SERVER_PORT:-443}" >> /etc/apache2/ports.conf
cat <<EoHTTPSC >>/etc/apache2/sites-enabled/lum.conf
<VirtualHost _default_:${SERVER_PORT:-443}>
ServerName $SERVER_HOSTNAME ServerName $SERVER_HOSTNAME
@ -143,7 +161,6 @@ EoHTTPSC
fi fi
cat /etc/apache2/sites-enabled/lum.conf
######################## ########################
#Run Apache #Run Apache
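Review bot: The new `echo "TLS_CACERT /opt/ca.crt/" > /etc/ldap/ldap.conf` line in the LDAP_TLS_CACERT hunk writes the CA path with a trailing slash, while the certificate itself is written to `/opt/ca.crt` two lines earlier; the client library will not find a file at `/opt/ca.crt/`, so the supplied CA is never used for verifying the LDAP server's certificate. Change it to `echo "TLS_CACERT /opt/ca.crt" > /etc/ldap/ldap.conf`. The old `sed` edited an existing ldap.conf in place, whereas the new form overwrites the whole file; if the base image ships other settings there, they are now lost, which is presumably intended but worth a comment such as `# ldap.conf is rewritten from scratch; only TLS_CACERT is set`.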


@ -55,6 +55,7 @@ elseif (isset($_POST['initialise_group'])) {
} }
else { else {
$new_group = FALSE; $new_group = FALSE;
$initialise_group = TRUE;
$current_members = ldap_get_group_members($ldap_connection,$group_cn); $current_members = ldap_get_group_members($ldap_connection,$group_cn);
$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn); $full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
$has_been = "updated"; $has_been = "updated";
@ -279,7 +280,7 @@ ldap_close($ldap_connection);
<button class="btn btn-default btn-sm move-right"> <button class="btn btn-default btn-sm move-right">
<span class="glyphicon glyphicon-chevron-right"></span> <span class="glyphicon glyphicon-chevron-right"></span>
</button> </button>
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post"> <form id="group_members" action="<?php print "${THIS_MODULE_PATH}"; ?>/show_group.php" method="post">
<input type="hidden" name="update_members"> <input type="hidden" name="update_members">
<input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>"> <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
<?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?> <?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
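Review bot: The new form action `action="<?php print "${THIS_MODULE_PATH}"; ?>/show_group.php"` prints `$THIS_MODULE_PATH` into an HTML attribute without escaping, whereas the `$CURRENT_PAGE` it replaces was passed through `htmlentities()`; `$THIS_MODULE_PATH` is built from the `SERVER_PATH` setting, so this is configuration rather than request input, but the attribute should still be escaped for consistency with the rest of the template: `action="<?php print htmlspecialchars($THIS_MODULE_PATH, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>/show_group.php"`. The `"${THIS_MODULE_PATH}"` interpolation form is also deprecated as of PHP 8.2 in favour of `"{$THIS_MODULE_PATH}"` or plain concatenation. The same pattern appears in the `update_with_groups` form in show_user.php.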


@ -499,7 +499,7 @@ if ($ldap_search) {
<button class="btn btn-default btn-sm move-right"> <button class="btn btn-default btn-sm move-right">
<span class="glyphicon glyphicon-chevron-right"></span> <span class="glyphicon glyphicon-chevron-right"></span>
</button> </button>
<form id="update_with_groups" action="<?php print $CURRENT_PAGE; ?>" method="post"> <form id="update_with_groups" action="<?php print "${THIS_MODULE_PATH}"; ?>/show_user.php" method="post">
<input type="hidden" name="update_member_of"> <input type="hidden" name="update_member_of">
<input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>"> <input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
</form> </form>


@ -7,7 +7,6 @@ $IS_ADMIN = FALSE;
$IS_SETUP_ADMIN = FALSE; $IS_SETUP_ADMIN = FALSE;
$ACCESS_LEVEL_NAME = array('account','admin'); $ACCESS_LEVEL_NAME = array('account','admin');
unset($USER_ID); unset($USER_ID);
$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
$SENT_HEADERS = FALSE; $SENT_HEADERS = FALSE;
$SESSION_TIMED_OUT = FALSE; $SESSION_TIMED_OUT = FALSE;
@ -36,13 +35,6 @@ include ("modules.inc.php"); # module definitions
if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; } if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; }
$THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}"; $THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}";
$DEFAULT_COOKIE_OPTIONS = array( 'expires' => time()+(60 * $SESSION_TIMEOUT),
'path' => $SERVER_PATH,
'domain' => '',
'secure' => TRUE,
'samesite' => 'strict'
);
validate_passkey_cookie(); validate_passkey_cookie();
###################################################### ######################################################
@ -63,7 +55,7 @@ function set_passkey_cookie($user_id,$is_admin) {
# Create a random value, store it locally and set it in a cookie. # Create a random value, store it locally and set it in a cookie.
global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS; global $SESSION_TIMEOUT, $VALIDATED, $USER_ID, $IS_ADMIN, $log_prefix, $SESSION_DEBUG;
$passkey = generate_passkey(); $passkey = generate_passkey();
@ -76,10 +68,10 @@ function set_passkey_cookie($user_id,$is_admin) {
} }
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
@ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time"); @ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
setcookie('orf_cookie', "$user_id:$passkey", $DEFAULT_COOKIE_OPTIONS);
$sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS; setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);
$sessto_cookie_opts['expires'] = $this_time+7200; setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $this_time+7200, '/', '', '', TRUE);
setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $sessto_cookie_opts);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); } if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
$VALIDATED = TRUE; $VALIDATED = TRUE;
@ -146,16 +138,16 @@ function set_setup_cookie() {
# Create a random value, store it locally and set it in a cookie. # Create a random value, store it locally and set it in a cookie.
global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG, $DEFAULT_COOKIE_OPTIONS; global $SESSION_TIMEOUT, $IS_SETUP_ADMIN, $log_prefix, $SESSION_DEBUG;
$passkey = generate_passkey(); $passkey = generate_passkey();
$this_time=time(); $this_time=time();
$IS_SETUP_ADMIN = TRUE; $IS_SETUP_ADMIN = TRUE;
file_put_contents("/tmp/ldap_setup","$passkey:$this_time"); @ file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS); setcookie('setup_cookie', "$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); } if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }
@ -206,15 +198,10 @@ function log_out($method='normal') {
global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS; global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS;
$this_time=time(); $expire_time=time()-20000;
$orf_cookie_opts = $DEFAULT_COOKIE_OPTIONS; setcookie('orf_cookie', "", $expire_time, '/', '', '', TRUE);
$orf_cookie_opts['expires'] = $this_time-20000; setcookie('sessto_cookie', "", $expire_time, '/', '', '', TRUE);
$sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
$sessto_cookie_opts['expires'] = $this_time-20000;
setcookie('orf_cookie', "", $DEFAULT_COOKIE_OPTIONS);
setcookie('sessto_cookie', "", $DEFAULT_COOKIE_OPTIONS);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
@ unlink("/tmp/$filename"); @ unlink("/tmp/$filename");
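Review bot: The reverted positional `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', '', TRUE);` in set_passkey_cookie passes `''` as the sixth (secure) argument, so orf_cookie and sessto_cookie are no longer marked Secure and carry no SameSite attribute, both of which the removed `$DEFAULT_COOKIE_OPTIONS` array provided; with the default NO_HTTPS=FALSE the session cookie can therefore be sent on a plain http:// request before the redirect to HTTPS. If the revert was needed only for NO_HTTPS test mode, the secure flag can be driven from that setting instead of dropped, e.g. `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $SESSION_TIMEOUT), '/', '', $use_https, TRUE);` where `$use_https` is TRUE unless NO_HTTPS mode is active (how that setting reaches PHP is not visible in this diff); the same applies to sessto_cookie, setup_cookie and the two expiring calls in log_out. Separately, log_out's `global $USER_ID, $SERVER_PATH, $DEFAULT_COOKIE_OPTIONS;` still imports `$DEFAULT_COOKIE_OPTIONS`, which this commit removes from the top of the file, so that name should be dropped from the global list. set_passkey_cookie and log_out both continue outside their hunks.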