From 0e3f8bdd0f6d4e4b1e95ee6750a9f6f6b34f986f Mon Sep 17 00:00:00 2001
From: Larry Meaney <larry_meaney@iname.com>
Date: Fri, 18 Oct 2019 22:53:06 -0700
Subject: [PATCH] Only create session when user successfully logs in

Also, enable session.use_strict_mode to prevent session fixation attacks
---
 auth_request.php                          | 22 +++++++++++-----------
 login.php                                 | 21 +++++++++++----------
 plugins/dynamix/include/local_prepend.php |  3 +++
 3 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/auth_request.php b/auth_request.php
index 194045c9d..783457d0a 100644
--- a/auth_request.php
+++ b/auth_request.php
@@ -1,18 +1,18 @@
 <?php
-session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
-session_set_cookie_params(0, '/; samesite=strict', null, array_key_exists('HTTPS', $_SERVER), true);
-session_start();
-
-// authorized
-if (isset($_SESSION["unraid_login"])) {
-  if (time() - $_SESSION['unraid_login'] > 300) {
-    $_SESSION['unraid_login'] = time();
+// only start the session if a session cookie exists
+if (isset($_COOKIE[session_name()])) {
+  session_start();
+  // authorized?
+  if (isset($_SESSION["unraid_login"])) {
+    if (time() - $_SESSION['unraid_login'] > 300) {
+      $_SESSION['unraid_login'] = time();
+    }
+    session_write_close();
+    http_response_code(200);
+    exit;
   }
   session_write_close();
-  http_response_code(200);
-  exit;
 }
-session_write_close();
 
 $arrWhitelist = [
   '/webGui/styles/clear-sans-bold-italic.eot',
diff --git a/login.php b/login.php
index 40c197a87..0ad04ae43 100644
--- a/login.php
+++ b/login.php
@@ -1,8 +1,4 @@
 <?php
-session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
-session_set_cookie_params(0, '/; samesite=strict', null, array_key_exists('HTTPS', $_SERVER), true);
-session_start();
-
 $docroot = $docroot ?? $_SERVER['DOCUMENT_ROOT'] ?: '/usr/local/emhttp';
 require_once "$docroot/webGui/include/Helpers.php";
 
@@ -11,9 +7,14 @@ $error = '';
 
 if ($_SERVER['REQUEST_URI'] == '/logout') {
     // User Logout
-    unset($_SESSION['unraid_login']);
-    unset($_SESSION['unraid_user']);
-    session_regenerate_id();
+    if (isset($_COOKIE[session_name()])) {
+        session_start();
+        // delete session file
+        session_destroy();
+        // delete the session cookie
+        $params = session_get_cookie_params();
+        setcookie(session_name(), '', 0, '/', $params['domain'], $params['secure'], isset($params['httponly']));
+    }
     $error = 'Successfully logged out';
 } else if (!empty($_POST['username']) && !empty($_POST['password'])) {
     // User Login attempt
@@ -22,10 +23,11 @@ if ($_SERVER['REQUEST_URI'] == '/logout') {
 
         // Validate credentials
         if ($_POST['username'] == $user && password_verify($_POST['password'], $pwhash)) {
-            // Successful login
+            // Successful login, start session
+            session_start();
             $_SESSION['unraid_login'] = time();
             $_SESSION['unraid_user'] = $_POST['username'];
-            session_regenerate_id();
+            session_regenerate_id(true);
             session_write_close();
             exec("logger -t webGUI ".escapeshellarg("Successful login user {$_POST['username']} from {$_SERVER['REMOTE_ADDR']}"));        
             header("Location: /".$var['START_PAGE']);
@@ -38,7 +40,6 @@ if ($_SERVER['REQUEST_URI'] == '/logout') {
     exec("logger -t webGUI ".escapeshellarg("Unsuccessful login user {$_POST['username']} from {$_SERVER['REMOTE_ADDR']}"));
 }
 
-session_write_close();
 
 $boot   = "/boot/config/plugins/dynamix";
 $myfile = "case-model.cfg";
diff --git a/plugins/dynamix/include/local_prepend.php b/plugins/dynamix/include/local_prepend.php
index 65a3b9d55..9b147ac21 100644
--- a/plugins/dynamix/include/local_prepend.php
+++ b/plugins/dynamix/include/local_prepend.php
@@ -22,6 +22,9 @@ putenv('PATH=.:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin');
 chdir('/usr/local/emhttp');
 setlocale(LC_ALL,'en_US.UTF-8');
 date_default_timezone_set(substr(readlink('/etc/localtime-copied-from'),20));
+ini_set("session.use_strict_mode", "1");
+session_name("unraid_".md5(strstr($_SERVER['HTTP_HOST'].':', ':', true)));
+session_set_cookie_params(0, '/; samesite=strict', null, array_key_exists('HTTPS', $_SERVER), true);
 if ($_SERVER['SCRIPT_NAME'] != '/login.php' && $_SERVER['SCRIPT_NAME'] != '/auth_request.php' && isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
     if (!isset($var)) $var = parse_ini_file('state/var.ini');
     if (!isset($var['csrf_token'])) csrf_terminate("uninitialized");