From 58154f59fc16322598e3a01937fbffdb97cdf62b Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Mon, 30 Apr 2012 17:04:53 -0400
Subject: [PATCH] Accept two past time slots for auth cookie validation; don't encode user-agent into session auth hash (#1488449)

---
 program/include/rcube.php         |    2 +-
 program/include/rcube_session.php |   25 +++++++++++++++----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/program/include/rcube.php b/program/include/rcube.php
index 55dc4ee..8bd9b76 100644
--- a/program/include/rcube.php
+++ b/program/include/rcube.php
@@ -476,7 +476,7 @@
             $this->session->set_keep_alive($keep_alive);
         }
 
-        $this->session->set_secret($this->config->get('des_key') . $_SERVER['HTTP_USER_AGENT']);
+        $this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
         $this->session->set_ip_check($this->config->get('ip_check'));
     }
 
diff --git a/program/include/rcube_session.php b/program/include/rcube_session.php
index 6f7d90b..e024b0e 100644
--- a/program/include/rcube_session.php
+++ b/program/include/rcube_session.php
@@ -43,7 +43,6 @@
   private $vars = false;
   private $key;
   private $now;
-  private $prev;
   private $secret = '';
   private $ip_check = false;
   private $logging = false;
@@ -519,7 +518,6 @@
       // valid time range is now - 1/2 lifetime to now + 1/2 lifetime
       $now = time();
       $this->now = $now - ($now % ($this->lifetime / 2));
-      $this->prev = $this->now - ($this->lifetime / 2);
   }
 
   /**
@@ -590,15 +588,22 @@
       $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . $_SERVER['REMOTE_ADDR']);
 
     if ($result && $this->_mkcookie($this->now) != $this->cookie) {
-      // Check if using id from previous time slot
-      if ($this->_mkcookie($this->prev) == $this->cookie) {
-        $this->set_auth_cookie();
+      $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));
+      $result = false;
+
+      // Check if using id from a previous time slot
+      for ($i = 1; $i <= 2; $i++) {
+        $prev = $this->now - ($this->lifetime / 2) * $i;
+        if ($this->_mkcookie($prev) == $this->cookie) {
+          $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);
+          $this->set_auth_cookie();
+          $result = true;
+        }
       }
-      else {
-        $result = false;
-        $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent");
-      }
-    }
+	}
+
+    if (!$result)
+      $this->log("Session authentication failed for " . $this->key . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));
 
     return $result;
   }

--
Gitblit v1.9.1