upstream/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2026-06-11 09:31:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
icingaweb2/library/Icinga/Web/RememberMe.php
Johannes Rauh 215d2ec108 Avoid storing full remember-me cookie in session during 2FA challenge 
Previously the `RememberMe` object (containing the AES-encrypted password and
the decryption key) was serialized directly into the PHP session while waiting
for the user to complete the 2FA challenge. Because PHP sessions are written
to disk in plaintext, this exposed the key and ciphertext in the same place,
sufficient to recover the user's password.

Fix by splitting the secret across the session and the database, mirroring the
design of the normal (non-2FA) remember-me flow:

- Call `persist()` at login time so the AES key goes to the database
  immediately, never touching the session.
- Store only the cookie value string (ciphertext + IV) in the session.
  The ciphertext is not exploitable without the key.
- After a successful 2FA challenge, reconstruct the `RememberMe` object via a
  new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and
  restores the canonical expiry from the database row.
- Only then send the browser cookie, so the cookie never reaches the browser
  unless the second factor was verified.

Canceled challenges remove the created DB row, while abandoned challenges
leave an orphaned DB row which is cleaned up by the existing
`RememberMe::removeExpired()` mechanism.

`RememberMe::fromCookieData()` sets `$expiresAt` from the database row so
the browser cookie issued after 2FA inherits the expiry stored at login time
rather than receiving a fresh 30-day window computed at challenge-completion
time. The renewal path in `AuthenticationController::loginAction()` is
unaffected, because `renew()` constructs a new object via `fromCredentials()`.
2026-05-27 10:47:21 +02:00

395 lines
9.8 KiB
PHP
Raw Permalink Blame History

<?php
// SPDX-FileCopyrightText: 2021 Icinga GmbH <https://icinga.com>
// SPDX-License-Identifier: GPL-3.0-or-later
namespace Icinga\Web;
use Icinga\Application\Config;
use Icinga\Authentication\Auth;
use Icinga\Crypt\AesCrypt;
use Icinga\Common\Database;
use Icinga\User;
use ipl\Sql\Expression;
use ipl\Sql\Select;
use RuntimeException;
/**
* Remember me component
*
* Retains credentials for 30 days by default in order to stay signed in even after the session is closed.
*/
class RememberMe
{
use Database;
/** @var string Cookie name */
const COOKIE = 'icingaweb2-remember-me';
/** @var string Database table name */
const TABLE = 'icingaweb_rememberme';
/** @var string Encrypted password of the user */
protected $encryptedPassword;
/** @var string */
protected $username;
/** @var AesCrypt Instance for encrypting/decrypting the credentials */
protected $aesCrypt;
/** @var int Timestamp when the remember me cookie expires */
protected $expiresAt;
/**
* Get whether staying logged in is possible
*
* @return bool
*/
public static function isSupported()
{
$self = new self();
if (! $self->hasDb()) {
return false;
}
try {
(new AesCrypt())->getMethod();
} catch (RuntimeException $_) {
return false;
}
return true;
}
/**
* Get whether the remember cookie is set
*
* @return bool
*/
public static function hasCookie()
{
return isset($_COOKIE[static::COOKIE]);
}
/**
* Remove the database entry if exists and unset the remember me cookie from PHP's `$_COOKIE` superglobal
*
* @return Cookie The invalidation cookie which has to be sent to client in oder to remove the remember me cookie
*/
public static function forget()
{
if (self::hasCookie()) {
$data = explode('|', $_COOKIE[static::COOKIE]);
$iv = base64_decode(array_pop($data));
(new self())->remove(bin2hex($iv));
}
unset($_COOKIE[static::COOKIE]);
return (new Cookie(static::COOKIE))
->setHttpOnly(true)
->forgetMe();
}
/**
* Create the remember me component from the remember me cookie
*
* @return static
*/
public static function fromCookie(): static
{
return static::fromCookieData($_COOKIE[static::COOKIE]);
}
/**
* Create the remember me component from cookie data
*
* @param string $data The cookie data
*
* @return static
*/
public static function fromCookieData(string $data): static
{
$data = explode('|', $data);
$iv = base64_decode(array_pop($data));
$select = (new Select())
->from(static::TABLE)
->columns('*')
->where(['random_iv = ?' => bin2hex($iv)]);
$rememberMe = new static();
$rs = $rememberMe->getDb()->select($select)->fetch();
if (! $rs) {
throw new RuntimeException(sprintf(
"No database entry found for IV '%s'",
bin2hex($iv)
));
}
$rememberMe->aesCrypt = (new AesCrypt())
->setKey(hex2bin($rs->passphrase))
->setIV($iv);
if (count($data) > 1) {
$rememberMe->aesCrypt->setTag(
base64_decode(array_pop($data))
);
} elseif ($rememberMe->aesCrypt->isAuthenticatedEncryptionRequired()) {
throw new RuntimeException(
"The given decryption method needs a tag, but is not specified. "
. "You have probably updated the PHP version."
);
}
$rememberMe->username = $rs->username;
$rememberMe->encryptedPassword = $data[0];
$rememberMe->expiresAt = strtotime($rs->expires_at);
return $rememberMe;
}
/**
* Create the remember me component from the given username and password
*
* @param string $username
* @param string $password
*
* @return static
*/
public static function fromCredentials($username, $password)
{
$aesCrypt = new AesCrypt();
$rememberMe = new static();
$rememberMe->encryptedPassword = $aesCrypt->encrypt($password);
$rememberMe->username = $username;
$rememberMe->aesCrypt = $aesCrypt;
return $rememberMe;
}
/**
* Remove expired remember me information from the database
*/
public static function removeExpired()
{
$rememberMe = new static();
if (! $rememberMe->hasDb()) {
return;
}
$rememberMe->getDb()->delete(static::TABLE, [
'expires_at < NOW()'
]);
}
/**
* Get the remember me cookie
*
* @return Cookie
*/
public function getCookie()
{
$values = [
$this->encryptedPassword,
base64_encode($this->aesCrypt->getIV()),
];
if ($this->aesCrypt->isAuthenticatedEncryptionRequired()) {
array_splice($values, 1, 0, base64_encode($this->aesCrypt->getTag()));
}
return (new Cookie(static::COOKIE))
->setExpire($this->getExpiresAt())
->setHttpOnly(true)
->setValue(implode('|', $values));
}
/**
* Get the timestamp when the cookie expires
*
* Defaults to now plus 30 days, if not set via {@link setExpiresAt()}.
*
* @return int
*/
public function getExpiresAt()
{
if ($this->expiresAt === null) {
$this->expiresAt = time() + 60 * 60 * 24 * 30;
}
return $this->expiresAt;
}
/**
* Set the timestamp when the cookie expires
*
* @param int $expiresAt
*
* @return $this
*/
public function setExpiresAt($expiresAt)
{
$this->expiresAt = $expiresAt;
return $this;
}
/**
* Authenticate via the remember me cookie
*
* @return bool
*
* @throws \Icinga\Exception\AuthenticationException
*/
public function authenticate()
{
$auth = Auth::getInstance();
$authChain = $auth->getAuthChain();
$authChain->setSkipExternalBackends(true);
$user = new User($this->username);
if (! $user->hasDomain()) {
$user->setDomain(Config::app()->get('authentication', 'default_domain'));
}
$authenticated = $authChain->authenticate(
$user,
$this->aesCrypt->decrypt($this->encryptedPassword)
);
if ($authenticated) {
$auth->setAuthenticated($user);
}
return $authenticated;
}
/**
* Persist the remember me information into the database
*
* To remove any previous stored information, set the iv
*
* @param string|null $iv To remove a specific iv record from the database
*
* @return $this
*/
public function persist($iv = null)
{
if ($iv) {
$this->remove(bin2hex($iv));
}
$this->getDb()->insert(static::TABLE, [
'username' => $this->username,
'passphrase' => bin2hex($this->aesCrypt->getKey()),
'random_iv' => bin2hex($this->aesCrypt->getIV()),
'http_user_agent' => (new UserAgent)->getAgent(),
'expires_at' => date('Y-m-d H:i:s', $this->getExpiresAt()),
'ctime' => new Expression('NOW()'),
'mtime' => new Expression('NOW()')
]);
return $this;
}
/**
* Remove remember me information from the database on the basis of iv
*
* @param string $iv
*
* @return $this
*/
public function remove($iv)
{
$this->getDb()->delete(static::TABLE, [
'random_iv = ?' => $iv
]);
return $this;
}
/**
* Remove all remember me entries for the given user from the database
*
* @param string $username
*
* @return void
*/
public static function removeAllByUsername(string $username): void
{
$rememberMe = new static();
if (! $rememberMe->hasDb()) {
return;
}
$rememberMe->getDb()->delete(static::TABLE, ['username = ?' => $username]);
}
/**
* Create renewed remember me cookie
*
* @return static New remember me cookie which has to be sent to the client
*/
public function renew()
{
return static::fromCredentials(
$this->username,
$this->aesCrypt->decrypt($this->encryptedPassword)
);
}
/**
* Get all users using remember me cookie
*
* @return array Array of users
*/
public static function getAllUser()
{
$rememberMe = new static();
if (! $rememberMe->hasDb()) {
return [];
}
$select = (new Select())
->from(static::TABLE)
->columns('username')
->groupBy('username');
return $rememberMe->getDb()->select($select)->fetchAll();
}
/**
* Get all remember me entries from the database of the given user.
*
* @param $username
*
* @return array Array of database entries
*/
public static function getAllByUsername($username)
{
$rememberMe = new static();
if (! $rememberMe->hasDb()) {
return [];
}
$select = (new Select())
->from(static::TABLE)
->columns(['http_user_agent', 'random_iv'])
->where(['username = ?' => $username]);
return $rememberMe->getDb()->select($select)->fetchAll();
}
/**
* Get the AesCrypt instance
*
* @return AesCrypt
*/
public function getAesCrypt()
{
return $this->aesCrypt;
}
}
Reference in a new issue View git blame Copy permalink