Textpattern CMS support forum

#1 2011-06-13 10:45:40

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Shouldn't logging out destroy current session key/hash (nonce)

As we know, every time you log into Textpattern, you are given a new session key (nonce). But shouldn't that also happen when logging out?

As far as I see it, it shouldn't cause any new issues, but it will further improve the security of the nonce and will make any leftover cookie completely useless. For example, in a case where the browser doesn't trash the cookie as directed (etc.).

#2 2011-06-13 11:40:08

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: Shouldn't logging out destroy current session key/hash (nonce)

Oh, yeah. I could probably suggest a patch too. Something like this could kinda possibly serve the purpose.

--- development/4.x/textpattern/include/txp_auth.php	2011-06-13 14:07:50.000000000 +0300
+++ development/4.x/textpattern/include/txp_auth.php	2011-06-13 14:22:37.000000000 +0300
@@ -184,13 +184,29 @@
 			setcookie('txp_login', '', time()-3600);
 			setcookie('txp_login_public', '', time()-3600, $pub_path);
 		}
-		elseif ($c_userid and strlen($c_hash) == 32) // cookie exists
+
+		if ($c_userid and strlen($c_hash) == 32) // cookie exists
 		{
 			$nonce = safe_field('nonce', 'txp_users', "name='".doSlash($c_userid)."' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");

 			if ($nonce and $nonce === md5($c_userid.pack('H*', $c_hash)))
 			{
-				// cookie is good, create $txp_user
+				// cookie is good, create $txp_user or log out
+
+				if ($logout)
+				{	
+					$c_hash = md5(uniqid(mt_rand(), TRUE));
+					$nonce  = md5($name.pack('H*',$c_hash));
+
+					safe_update(
+						'txp_users',
+						"nonce = '".doSlash($nonce)."'",
+						"name = '".doSlash($c_userid)."'"
+					);
+
+					return '';
+				}
+
 				$txp_user = $c_userid;
 				return '';
 			}
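
Review bot: the new nonce in the logout branch is derived from `$name` (`$nonce = md5($name.pack('H*',$c_hash));`), but the user being logged out is identified by `$c_userid` everywhere else in this hunk (the lookup on line `$nonce = safe_field('nonce', 'txp_users', "name='".doSlash($c_userid)."' ...` and the `safe_update` WHERE clause), and `$name` is not set anywhere in the visible lines. If `$name` is empty on a logout request, the stored value becomes `md5(pack('H*', $c_hash))`, which still invalidates the old cookie but no longer follows the `md5(userid . raw hash bytes)` form the validation check expects; use `$c_userid` here for consistency. Minor: the `{` on the `if ($logout)` line carries trailing whitespace.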

Edit. Patch, not path. Stupid auto-correction, lol.

Last edited by Gocom (2011-06-13 11:42:19)
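As an added illustration of what the thread proposes (this is example code, not Textpattern's own; a PHP array stands in for the txp_users table, and random_bytes replaces the patch's uniqid-based generator), the following models the cookie check and shows that rotating the stored nonce at logout rejects a leftover copy of the cookie. It rotates the nonce on every logout, not only when the presented cookie still validates, which is slightly broader than the patch above.

```php
<?php
// Added example, not Textpattern code. $users is a constructed stand-in
// for the txp_users table: name => ['nonce' => ...].
$users = ['admin' => ['nonce' => null]];

// Issue a session: returns the 32-hex-char hash the txp_login cookie
// would carry, and stores the matching nonce as md5(userid . raw hash bytes).
function issueSession(array &$users, string $userid): string
{
    $hash = bin2hex(random_bytes(16));   // 32 hex chars, as the cookie check expects
    $users[$userid]['nonce'] = md5($userid . pack('H*', $hash));
    return $hash;
}

// The validation performed in txp_auth.php: a cookie is good only if the
// stored nonce equals md5(userid . pack('H*', hash)).
function cookieIsValid(array $users, string $userid, string $hash): bool
{
    if (strlen($hash) !== 32 || !isset($users[$userid]['nonce'])) {
        return false;
    }
    $expected = md5($userid . pack('H*', $hash));
    return hash_equals($users[$userid]['nonce'], $expected);
}

// Logout: replace the stored nonce with one tied to a fresh random hash that
// no browser has ever received, so any leftover cookie can no longer match.
function logout(array &$users, string $userid): void
{
    if (isset($users[$userid])) {
        $fresh = bin2hex(random_bytes(16));
        $users[$userid]['nonce'] = md5($userid . pack('H*', $fresh));
    }
}

// Walk-through: the cookie validates until logout, then the same cookie fails.
$cookieHash = issueSession($users, 'admin');
echo 'before logout: ', cookieIsValid($users, 'admin', $cookieHash) ? 'valid' : 'rejected', PHP_EOL;
logout($users, 'admin');
echo 'after logout:  ', cookieIsValid($users, 'admin', $cookieHash) ? 'valid' : 'rejected', PHP_EOL;
```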

#3 2011-06-15 22:00:31

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,328

Re: Shouldn't logging out destroy current session key/hash (nonce)

Thanks, Jukka. Committed in r3571.
