Icinga Web 2 - Web interface
Johannes Rauh 215d2ec108 Avoid storing full remember-me cookie in session during 2FA challenge
Previously the `RememberMe` object (containing the AES-encrypted password and
the decryption key) was serialized directly into the PHP session while waiting
for the user to complete the 2FA challenge. Because PHP sessions are written
to disk in plaintext, this exposed the key and ciphertext in the same place,
sufficient to recover the user's password.

Fix by splitting the secret across the session and the database, mirroring the
design of the normal (non-2FA) remember-me flow:

- Call `persist()` at login time so the AES key goes to the database
  immediately, never touching the session.
- Store only the cookie value string (ciphertext + IV) in the session.
  The ciphertext is not exploitable without the key.
- After a successful 2FA challenge, reconstruct the `RememberMe` object via a
  new `RememberMe::fromCookieData()` factory that does a DB lookup by IV and
  restores the canonical expiry from the database row.
- Only then send the browser cookie, so the cookie never reaches the browser
  unless the second factor was verified.

Canceled challenges remove the created DB row, while abandoned challenges
leave an orphaned DB row which is cleaned up by the existing
`RememberMe::removeExpired()` mechanism.

`RememberMe::fromCookieData()` sets `$expiresAt` from the database row so
the browser cookie issued after 2FA inherits the expiry stored at login time
rather than receiving a fresh 30-day window computed at challenge-completion
time. The renewal path in `AuthenticationController::loginAction()` is
unaffected, because `renew()` constructs a new object via `fromCredentials()`.
2026-05-27 10:47:21 +02:00
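The commit message above describes a design rather than showing code. The following is an added illustration of that session/database split, written for this page; it is not Icinga Web 2's own code. Everything in it is an assumption made for illustration: the class names TinyRememberMe and RememberMeDb, the in-memory arrays standing in for the PHP session and the database table, AES-256-GCM as the cipher, the base64 cookie encoding and the constructed credentials. The project's real cipher parameters, schema and API are not shown on this page. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Icinga Web 2 code. Names, cipher, cookie encoding and the
// in-memory "database"/"session" arrays are assumptions for illustration.

final class RememberMeDb
{
    /** @var array<string, array{key: string, expires_at: int}> rows keyed by base64(IV) */
    private array $rows = [];

    public function insert(string $iv, string $key, int $expiresAt): void
    {
        $this->rows[base64_encode($iv)] = ['key' => $key, 'expires_at' => $expiresAt];
    }

    public function findByIv(string $iv): ?array
    {
        return $this->rows[base64_encode($iv)] ?? null;
    }

    public function delete(string $iv): void
    {
        unset($this->rows[base64_encode($iv)]);
    }

    /** Stand-in for periodic cleanup of rows left behind by abandoned challenges. */
    public function removeExpired(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn (array $r) => $r['expires_at'] > $now);
        return $before - count($this->rows);
    }
}

final class TinyRememberMe
{
    private const CIPHER = 'aes-256-gcm';   // assumption; 12-byte IV, 16-byte tag
    private const TTL = 30 * 24 * 3600;

    private function __construct(
        private string $iv,
        private string $ciphertext,
        private string $tag,
        private string $key,
        private int $expiresAt,
    ) {
    }

    /** Login time: fresh key and IV, credentials encrypted, expiry fixed once. */
    public static function fromCredentials(string $user, string $password, int $now): self
    {
        $key = random_bytes(32);
        $iv = random_bytes(openssl_cipher_iv_length(self::CIPHER));
        $ct = openssl_encrypt($user . "\0" . $password, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        return new self($iv, $ct, $tag, $key, $now + self::TTL);
    }

    /** The key goes to the database right away; it is never written to the session. */
    public function persist(RememberMeDb $db): void
    {
        $db->insert($this->iv, $this->key, $this->expiresAt);
    }

    /** Cookie value = IV || ciphertext || tag. Without the DB-held key it reveals nothing. */
    public function cookieValue(): string
    {
        return base64_encode($this->iv . $this->ciphertext . $this->tag);
    }

    public static function ivFromCookieValue(string $cookieValue): string
    {
        return substr((string) base64_decode($cookieValue, true), 0, openssl_cipher_iv_length(self::CIPHER));
    }

    /** After 2FA: rebuild from the cookie string via a DB lookup by IV; expiry comes from the row. */
    public static function fromCookieData(string $cookieValue, RememberMeDb $db): self
    {
        $raw = base64_decode($cookieValue, true);
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        if ($raw === false || strlen($raw) <= $ivLen + 16) {
            throw new InvalidArgumentException('malformed cookie value');
        }
        $iv = substr($raw, 0, $ivLen);
        $row = $db->findByIv($iv) ?? throw new RuntimeException('no remember-me row for this IV');
        return new self($iv, substr($raw, $ivLen, -16), substr($raw, -16), $row['key'], $row['expires_at']);
    }

    public function expiresAt(): int
    {
        return $this->expiresAt;
    }

    /** @return array{0: string, 1: string} [user, password]; fails closed on a bad tag. */
    public function credentials(): array
    {
        $plain = openssl_decrypt($this->ciphertext, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $this->iv, $this->tag);
        if ($plain === false) {
            throw new RuntimeException('decryption failed');
        }
        return explode("\0", $plain, 2);
    }
}

/** First factor passed, second pending: only the cookie string enters the session. */
function startChallenge(array &$session, RememberMeDb $db, string $user, string $password, int $now): void
{
    $rm = TinyRememberMe::fromCredentials($user, $password, $now);
    $rm->persist($db);
    $session['remember_me_cookie'] = $rm->cookieValue();
}

/** Cancel removes the DB row; success issues the cookie with the expiry stored at login. */
function finishChallenge(array &$session, RememberMeDb $db, bool $secondFactorOk): ?array
{
    $cookie = $session['remember_me_cookie'] ?? null;
    unset($session['remember_me_cookie']);
    if ($cookie === null) {
        return null;
    }
    if (!$secondFactorOk) {
        $db->delete(TinyRememberMe::ivFromCookieValue($cookie));
        return null;
    }
    $rm = TinyRememberMe::fromCookieData($cookie, $db);
    return ['name' => 'remember-me', 'value' => $cookie, 'expires' => $rm->expiresAt(), 'httponly' => true, 'secure' => true];
}

// Demo with constructed values (not real credentials).
$db = new RememberMeDb();
$session = [];
$loginTime = 1_700_000_000;
startChallenge($session, $db, 'alice', 'constructed-password', $loginTime);
echo "session holds only: " . serialize($session) . "\n";   // base64 cookie string, no key
$cookie = finishChallenge($session, $db, true);
if ($cookie === null || $cookie['expires'] !== $loginTime + 30 * 24 * 3600) {
    throw new LogicException('cookie should carry the expiry fixed at login time');
}
[$user, $pass] = TinyRememberMe::fromCookieData($cookie['value'], $db)->credentials();
echo "recovered after 2FA, key from DB: $user\n";
// An abandoned challenge leaves an orphaned row until the expiry-based cleanup runs.
startChallenge($session, $db, 'bob', 'another-constructed-password', $loginTime);
echo "orphaned rows removed later: " . $db->removeExpired($loginTime + 31 * 24 * 3600) . "\n";
```

The point to check when reviewing a real implementation is what a reader of the session file alone can do: with this split, `serialize($session)` contains a base64 blob whose key exists only in the database row, and the row is keyed by the IV that is also in the blob, so reconstruction after the second factor is a single lookup while a leaked session is not enough to decrypt. The cancel and abandoned paths behave differently on purpose, mirroring the commit message: cancel deletes the row immediately, abandonment relies on the expiry-based cleanup.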
.github tests: Use latest PHPUnit version 2026-03-19 22:27:45 +01:00
application Avoid storing full remember-me cookie in session during 2FA challenge 2026-05-27 10:47:21 +02:00
bin License source files as GPL-3.0-or-later 2026-03-26 17:49:26 +01:00
doc Document 2FA enrollment and login flow 2026-05-27 10:47:21 +02:00
etc/bash_completion.d Schema path is now always /usr/share/icingaweb2/schema 2023-01-09 16:14:15 +01:00
library/Icinga Avoid storing full remember-me cookie in session during 2FA challenge 2026-05-27 10:47:21 +02:00
modules login/setup: Use native autofocus on form inputs 2026-05-08 11:45:22 +02:00
public Add TwoFactorChallengeForm and login CSS 2026-05-26 15:27:51 +02:00
schema License source files as GPL-3.0-or-later 2026-03-26 17:49:26 +01:00
test JavaScript: Enhance dependency optimization 2026-05-04 16:17:20 +02:00
.gitattributes Export ignore 2023-01-09 16:13:30 +01:00
.gitignore Replace outdated test setup code with composer.json 2025-11-06 14:35:55 +01:00
.mailmap Update AUTHORS and .mailmap 2025-11-18 17:32:57 +01:00
AUTHORS Update AUTHORS and .mailmap 2025-11-18 17:32:57 +01:00
CHANGELOG.md Add 2.13.0 to CHANGELOG.md 2026-03-26 21:31:28 +01:00
composer.json Replace outdated test setup code with composer.json 2025-11-06 14:35:55 +01:00
CONTRIBUTING.md modules: Remove test module 2026-02-26 16:14:10 +01:00
icingaweb2.ruleset.xml doc: Remove monitoring module references 2026-04-24 10:00:09 +02:00
LICENSE.md Upgrade license to GPL-3.0-only 2026-03-26 17:45:56 +01:00
phpcs.xml travis: Add php syntax checks 2018-12-05 14:57:37 +01:00
phpstan-baseline.neon Clean up and merge PHPStan baselines 2026-03-20 14:52:40 +01:00
phpstan.neon Clean up and merge PHPStan baselines 2026-03-20 14:52:40 +01:00
phpunit.xml Move phpunit.xml 2025-11-06 13:55:19 +01:00
README.md doc: Remove monitoring module references 2026-04-24 10:00:09 +02:00
RELEASE.md RELEASE.md: remove obsolete Docker section 2023-11-14 11:23:48 +01:00
SECURITY.md Create SECURITY.md 2023-01-11 17:12:28 +01:00
VERSION Raise version to 2.13 2026-03-26 21:31:28 +01:00

Icinga Web 2


  1. About
  2. License
  3. Installation
  4. Documentation
  5. Support
  6. Contributing

About

Icinga Web 2 is the next generation open source monitoring web interface, framework and command-line interface developed by Icinga GmbH, supporting Icinga 2, Icinga DB Web and many more modules.

[Screenshot: Icinga Web 2 Monitoring Module with Graphite]

License

Icinga Web 2 and the Icinga Web 2 documentation are licensed under the terms of the GNU General Public License Version 3. You will find a copy of this license in LICENSE.md included in the source package.

Installation

To install Icinga Web 2, see the installation chapter in the documentation.

Documentation

The documentation is located in the doc/ directory and also available on icinga.com/docs.

Support

Check the project website for status updates. Join the community channels for questions or ask an Icinga partner for professional support.

Contributing

There are many ways to contribute to Icinga -- whether it be sending patches, testing, reporting bugs, or reviewing and updating the documentation. Every contribution is appreciated!

Please continue reading in the contributing chapter.

Security Issues

For reporting security issues please visit this page.