Add per-user session timeout setting (under Settings 'Accounts' -> select acc).
authorBram Matthys <redacted>
Fri, 21 Apr 2023 17:20:07 +0000 (19:20 +0200)
committerBram Matthys <redacted>
Fri, 21 Apr 2023 17:23:11 +0000 (19:23 +0200)
There's a small catch-22 with sessions in the sense that we must set the cookie
timeout before we start the session, and thus before we know which user it is,
and thus before we know the preferred maximum session time.
So we set the cookie with a timeout of 86400 (1 day), since we don't really use
the cookie anyway, we use the /api/timeout.php script and the
$_SESSION['last-activity'] and $_SESSION['session_timeout'] variables

This also moves all the session_start() stuff to a single function that is
called at only two places (in the upper layer, not e.g. by sql or file auth)

Settings - Accounts - acc: horizontally align the settings fields.

Classes/class-paneluser.php
api/timeout.php
cfg/defines.php
common.php
login/index.php
plugins/file_auth/file_auth.php
plugins/sql_auth/sql_auth.php
settings/user-edit.php

index a13b6232c7d8050afd18a51d332b3a48461fb633..722f4f8114707a1019692704d3d8804c3d907c14 100644 (file)
@@ -212,12 +212,7 @@ function create_new_user(array &$user) : bool
  */
 function unreal_get_current_user() : PanelUser|bool
 {
-       if (!isset($_SESSION))
-       {
-               session_set_cookie_params(3600);
-               session_start();
-       }
-       if (isset($_SESSION['id']))
+       if (isset($_SESSION) && isset($_SESSION['id']))
        {
                $user = new PanelUser(NULL, $_SESSION['id']);
                if ($user->id)
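Review bot: The added `isset($_SESSION) &&` on the changed line is redundant, since `isset($_SESSION['id'])` is already false when `$_SESSION` itself is unset; the more important consequence of the removal is that the function no longer starts the session, so a caller that has not run `panel_start_session()` first now gets `false` even for a logged-in user. The docblock above the hunk should state that precondition, e.g. `Requires the session to have been started (panel_start_session()); returns false otherwise.` The body of unreal_get_current_user() continues past the end of the hunk.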
index f53f64e94ae94feb23c504c1a728e1cf0b4237c5..fc589d3620ebce5cf20d76f736ad5ac62a8bf959 100644 (file)
@@ -3,7 +3,7 @@
 include "../cfg/defines.php";
 session_start();
 //timeout after 10 mins of inactivity
-if (isset($_SESSION["id"]) && isset($_SESSION["last-activity"]) && time() - $_SESSION["last-activity"] < INACTIVITY_TIMEOUT)
+if (isset($_SESSION["id"]) && isset($_SESSION["last-activity"]) && time() - $_SESSION["last-activity"] < $_SESSION['session_timeout'])
     die(json_encode(['session' => 'active']));
 else
 {
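Review bot: The changed condition reads `$_SESSION['session_timeout']` with no fallback, but this script only includes cfg/defines.php and calls `session_start()` itself, so `panel_start_session()` never runs here; a session in which the key was never stored (for example one created before this change) emits an undefined-key warning and compares the elapsed time against `null`, which happens to fall into the else branch but does so by accident. Writing `($_SESSION['session_timeout'] ?? 3600)` makes the default explicit and matches the default used in common.php and settings/user-edit.php. The comment `//timeout after 10 mins of inactivity` is stale as well and should read `// log out after $_SESSION['session_timeout'] seconds of inactivity (per-user setting)`.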
index ace955a6359ac0557faaef1653d86e768c049ad9..2639e1a791075b93950bff030d20e06fe95fc230 100644 (file)
@@ -18,9 +18,3 @@ define('DEFAULT_CHAN_DETAIL_QUICK_BAN_REASON', "You have been removed from this
  * The version of our webpanel
  */
 define('WEBPANEL_VERSION', "1.0-git");
-
-/**
- * After how long to log a user out for inactivity
- * Set to 1 hour for now, will be customizable later.
- */
-define('INACTIVITY_TIMEOUT', 3600);
index bfd0769038fe5cb8de56baa78b5c4a0af513d99f..c1c904a064c11a0212615ba571dd66b3bac9c271 100644 (file)
@@ -189,6 +189,28 @@ function upgrade_check()
        }
 }
 
+function panel_start_session($user = false)
+{
+       if (!isset($_SESSION))
+       {
+               session_set_cookie_params(86400); // can't set this to session_timeout due to catch-22
+               session_start();
+       }
+
+       if ($user === false)
+       {
+               $user = unreal_get_current_user();
+               if ($user === false)
+                       return false;
+       }
+
+       $timeout = (INT)$user->user_meta['session_timeout'] ?? 3600;
+       if (!isset($_SESSION['session_timeout']))
+               $_SESSION['session_timeout'] = $timeout;
+
+       return true;
+}
+
 /* Now read the config, and redirect to install screen if we don't have it */
 $config_transition_unreal_server = false;
 if (!read_config_file())
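Review bot: On the `$timeout =` line the cast binds tighter than `??`, so for a user without a `session_timeout` meta entry the expression is `(int) null ?? 3600`, which evaluates to `0` (zero is not null) and the default never applies; api/timeout.php then evaluates `time() - last-activity < 0`, which is always false, so such a session presumably lands in the logout path right after login. The undefined-key warning is probably not suppressed either, because the left operand of `??` is the cast rather than the array access. The fix is `$timeout = (int)($user->user_meta['session_timeout'] ?? 3600);`. While touching the cookie setup, the array form `session_set_cookie_params(['lifetime' => 86400, 'httponly' => true, 'samesite' => 'Lax']);` would also keep the session cookie out of reach of scripts and cross-site requests, which the bare lifetime argument does not. A short docblock stating that `$user` is either `false` (resolve from the session) or a PanelUser, and that the return value says whether a logged-in user was found, would help readers too.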
@@ -252,6 +274,7 @@ $pages = [
        "News" => "news.php",
 ];
 
+panel_start_session();
 if (is_auth_provided())
 {
        $pages["Settings"]["Accounts"] = "settings";
index 97cc98ad5f271e51096c3663fd95a68d0da68f14..32baa9a304aca5abcd1686b2b06059ffea526f78 100644 (file)
@@ -1,4 +1,3 @@
-
 <?php
 require_once "../common.php";
 
@@ -37,10 +36,12 @@ if (!empty($_POST))
                /* not being too informative with the login error in case of attackers */
                if (isset($user->id) && $user->password_verify($_POST['password']))
                {
+                       /* SUCCESSFUL LOGIN */
+                       panel_start_session($user);
                        $_SESSION['id'] = $user->id;
                        $user->add_meta("last_login", date("Y-m-d H:i:s"));
                        Hook::run(HOOKTYPE_USER_LOGIN, $user);
-                       
+
                        /* Middle of install? Override redirect: */
                        if (!isset($config['unrealircd']) || empty($config['unrealircd']['host']))
                                $redirect = get_config("base_url")."settings/install2.php";
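Review bot: After `panel_start_session($user);` the login stores `$_SESSION['id']` into whatever session the browser already presented (common.php now starts one on every page before login) without calling `session_regenerate_id(true)` first, so a session id established before authentication remains valid after it. Adding `session_regenerate_id(true);` between `panel_start_session($user);` and `$_SESSION['id'] = $user->id;` is the standard mitigation, and it belongs after the session is started and before any privileged data is written to it. The enclosing `if` block closes outside the hunk.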
@@ -49,6 +50,7 @@ if (!empty($_POST))
                }
                else
                {
+                       /* LOGIN FAILED */
                        $fail = [
                                "login" => htmlspecialchars($_POST['username']),
                                "IP" => $_SERVER['REMOTE_ADDR']
index eea39bce273e749810e0154518e64fb43ccc5bd6..07e45c92dafb8ef8936c69775c66711f2b2650ec 100644 (file)
@@ -53,11 +53,6 @@ class file_auth
        public static function session_start($n)
        {
                $current_page = $_SERVER['REQUEST_URI'];
-               if (!isset($_SESSION))
-               {
-                       session_set_cookie_params(3600);
-                       session_start();
-               }
                if (!isset($_SESSION['id']) || empty($_SESSION))
                {
                        header("Location: ".get_config("base_url")."login/?redirect=".urlencode($current_page));
index 8ec78df02fa0ef29e65bff54342d3e600bd5875b..6a879c02338798a190ed10c46baefc356ac36281 100644 (file)
@@ -39,11 +39,6 @@ class sql_auth
        public static function session_start($n)
        {
                $current_page = $_SERVER['REQUEST_URI'];
-               if (!isset($_SESSION))
-               {
-                       session_set_cookie_params(3600);
-                       session_start();
-               }
                if (!isset($_SESSION['id']) || empty($_SESSION))
                {
                        
index 4b9c6497124e082d6c4abc1f95be4612c2c23003..c6b0ab285db946db52f230840f1783ae520c1093 100644 (file)
@@ -31,12 +31,15 @@ if ($postbutton && is_array($permissions) && $caneditpermissions
 
 if ($postbutton && $can_edit_profile)
 {
+    // Goes via core:
     $array['update_fname'] = (isset($_POST['first_name']) && strlen($_POST['first_name'])) ? $_POST['first_name'] : false;
     $array['update_lname'] = (isset($_POST['last_name']) && strlen($_POST['last_name'])) ? $_POST['last_name'] : false;
     $array['update_bio'] = (isset($_POST['bio']) && strlen($_POST['bio'])) ? $_POST['bio'] : false;
     $array['update_email'] = (isset($_POST['email']) && strlen($_POST['email'])) ? $_POST['email'] : false;
     $array['update_pass'] = (isset($_POST['password']) && strlen($_POST['password'])) ? $_POST['password'] : false;
     $array['update_pass_conf'] = (isset($_POST['passwordconfirm']) && strlen($_POST['passwordconfirm'])) ? $_POST['passwordconfirm'] : false;
+    // Goes via meta:
+    $session_timeout = (isset($_POST['session_timeout']) && strlen($_POST['session_timeout'])) ? $_POST['session_timeout'] : 3600;
 
     if (!$array['update_pass'])
     {
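Review bot: `$session_timeout` on the last added line is the raw `$_POST['session_timeout']` string, stored via `add_meta()` in the next hunk and only cast to int later in `panel_start_session()`, so a non-numeric, negative or very large value typed into the profile form is accepted as-is; zero or negative presumably sends the account to the logout path on the next timeout poll, while a huge value disables the inactivity logout for that account up to the 86400-second cookie lifetime. Validating at this boundary keeps the meta store sane, e.g. `$session_timeout = (int)($_POST['session_timeout'] ?? 3600); if ($session_timeout < 60 || $session_timeout > 86400) $session_timeout = 3600;` (the bounds are a suggestion; 86400 matches the cookie lifetime set in common.php). If `$can_edit_profile` also covers a user editing their own account (not visible in this hunk), this is the only place where the per-user value can be capped.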
@@ -55,6 +58,7 @@ if ($postbutton && $can_edit_profile)
         unset($array['update_pass_conf']);
     }
     $edit_user->update_core_info($array);
+    $edit_user->add_meta("session_timeout", $session_timeout);
     $edit_user = new PanelUser($edit_user->username);
 }
 ?>
@@ -76,44 +80,50 @@ if ($postbutton && $can_edit_profile)
 <br><br>
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 100px;">@</span>
+        <span class="input-group-text" style="width: 175px;">@</span>
     </div><input disabled type="text" class="form-control" name="username" id="username" placeholder="<?php echo $edit_user->username; ?>">
 </div>
 
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 100px;">First Name</span>
+        <span class="input-group-text" style="width: 175px;">First Name</span>
     </div><input <?php echo $can_edit; ?> type="text" class="form-control" name="first_name" id="first_name" placeholder="<?php echo $edit_user->first_name; ?>">
 </div>
 
 
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 100px;">Last Name</span>
+        <span class="input-group-text" style="width: 175px;">Last Name</span>
     </div><input <?php echo $can_edit; ?> type="text" class="form-control" name="last_name" id="last_name" placeholder="<?php echo $edit_user->last_name; ?>">
 </div>
 
 
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 100px;">Bio</span>
+        <span class="input-group-text" style="width: 175px;">Bio</span>
     </div><textarea <?php echo $can_edit; ?> class="form-control" name="bio" id="username"><?php echo $edit_user->bio; ?></textarea>
 </div>
 
 
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 100px;">Email</span>
+        <span class="input-group-text" style="width: 175px;">Email</span>
     </div><input <?php echo $can_edit; ?> type="text" class="form-control" name="email" id="email" autocomplete="off" value="<?php echo $edit_user->email; ?>">
 </div>
 
 <div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 150px;">New Password</span>
+        <span class="input-group-text" style="width: 175px;">Session timeout</span>
+    </div><input <?php echo $can_edit; ?> type="text" class="form-control" name="session_timeout" id="session_timeout" autocomplete="off" value="<?php echo $edit_user->user_meta['session_timeout'] ?? 3600; ?>">
+</div>
+
+<div class="input-group mb-3">
+    <div class="input-group-prepend">
+        <span class="input-group-text" style="width: 175px;">New Password</span>
     </div><input <?php echo $can_edit; ?> type="password" class="form-control" name="password" id="password" autocomplete="off">
 </div><div class="input-group mb-3">
     <div class="input-group-prepend">
-        <span class="input-group-text" style="width: 150px;">Confirm Password</span>
+        <span class="input-group-text" style="width: 175px;">Confirm Password</span>
     </div><input <?php echo $can_edit; ?> type="password" class="form-control" name="passwordconfirm" id="passwordconfirm" autocomplete="off">
 </div>