From f2f4cdbe6ab8381efa86db1c7dd5eda37e79e554 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 16 Jan 2023 11:48:34 +0100 Subject: [PATCH] NEW Invalidate all sessions of a user when password is modified. --- htdocs/core/login/functions_dolibarr.php | 12 ------------ htdocs/langs/en_US/errors.lang | 2 ++ htdocs/main.inc.php | 21 +++++++++++++++------ htdocs/user/card.php | 14 ++++++++++++++ htdocs/user/class/user.class.php | 3 +++ 5 files changed, 34 insertions(+), 18 deletions(-) diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php index b732d2ef64b..5f4b722ea1c 100644 --- a/htdocs/core/login/functions_dolibarr.php +++ b/htdocs/core/login/functions_dolibarr.php @@ -91,18 +91,6 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes dol_syslog("functions_dolibarr::check_user_password_dolibarr bad date end validity", LOG_WARNING); return '--bad-login-validity--'; } - // If there is an invalidation date, check that the current session date is not before this date - if ($obj->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"])) { - dol_syslog("functions_dolibarr::check_user_password_dolibarr user has a date for session invalidation = ".$obj->flagdelsessionsbefore." and session date = ".$_SESSION["dol_logindate"]); - $datetmp = $db->jdate($obj->flagdelsessionsbefore, 'gmt'); - if ($datetmp > $now) { - // Load translation files required by the page - $langs->loadLangs(array('main', 'errors')); - $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorSessionInvalidatedAfterPasswordChange"); - dol_syslog("functions_dolibarr::check_user_password_dolibarr session was invalidated", LOG_WARNING); - return '--bad-login-validity--'; - } - } $passclear = $obj->pass; $passcrypted = $obj->pass_crypted; diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang index b3eeae4606b..b779c901b54 100644 --- a/htdocs/langs/en_US/errors.lang +++ b/htdocs/langs/en_US/errors.lang @@ -303,6 +303,7 @@ ErrorValueForTooLow=Value for %s is too low ErrorValueCantBeNull=Value for %s can't be null ErrorDateOfMovementLowerThanDateOfFileTransmission=The date of the bank transaction can't be lower than the date of the file transmission ErrorTooMuchFileInForm=Too much files in form, the maximum number is %s file(s) +ErrorSessionInvalidatedAfterPasswordChange=The session was invalidated after a password change. Please relogin. # Warnings WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup. @@ -325,6 +326,7 @@ WarningPaymentDateLowerThanInvoiceDate=Payment date (%s) is earlier than invoice WarningTooManyDataPleaseUseMoreFilters=Too many data (more than %s lines). Please use more filters or set the constant %s to a higher limit. WarningSomeLinesWithNullHourlyRate=Some times were recorded by some users while their hourly rate was not defined. A value of 0 %s per hour was used but this may result in wrong valuation of time spent. WarningYourLoginWasModifiedPleaseLogin=Your login was modified. For security purpose you will have to login with your new login before next action. +WarningYourPasswordWasModifiedPleaseLogin=Your password was modified. For security purpose you will have to login now with your new password. WarningAnEntryAlreadyExistForTransKey=An entry already exists for the translation key for this language WarningNumberOfRecipientIsRestrictedInMassAction=Warning, number of different recipient is limited to %s when using the mass actions on lists WarningDateOfLineMustBeInExpenseReportRange=Warning, the date of line is not in the range of the expense report diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 7d764d4a105..b53688de6e7 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -943,26 +943,35 @@ if (!defined('NOLOGIN')) { dol_syslog("- This is an already logged session. _SESSION['dol_login']=".$login." _SESSION['dol_entity']=".$entity, LOG_DEBUG); $resultFetchUser = $user->fetch('', $login, '', 1, ($entity > 0 ? $entity : -1)); - if ($resultFetchUser <= 0) { - // Account has been removed after login - dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING); + if ($resultFetchUser <= 0 || ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])) { + if ($resultFetchUser <= 0) { + // Account has been removed after login + dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING); + } else { + // Session is no more valid + dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions."); + } session_destroy(); session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie session_name($sessionname); session_start(); if ($resultFetchUser == 0) { - // Load translation files required by page $langs->loadLangs(array('main', 'errors')); $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login); $user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login; - } - if ($resultFetchUser < 0) { + } elseif ($resultFetchUser < 0) { $_SESSION["dol_loginmesg"] = $user->error; $user->trigger_mesg = $user->error; + } else { + $langs->loadLangs(array('main', 'errors')); + + $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorSessionInvalidatedAfterPasswordChange"); + + $user->trigger_mesg = 'ErrorUserSessionWasInvalidated - login='.$login; } // Call trigger diff --git a/htdocs/user/card.php b/htdocs/user/card.php index b7254def46a..602bc25eb3a 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -521,6 +521,13 @@ if (empty($reshook)) { } if (!$error) { + $passwordismodified = 0; + if (!empty($object->pass)) { + if ($object->pass != $object->pass_indatabase && !dol_verifyHash($object->pass, $object->pass_indatabase_crypted)) { + $passwordismodified = 1; + } + } + $ret = $object->update($user); // This may include call to setPassword if password has changed if ($ret < 0) { $error++; @@ -615,6 +622,13 @@ if (empty($reshook)) { $langs->load("errors"); setEventMessages($langs->transnoentitiesnoconv("WarningYourLoginWasModifiedPleaseLogin"), null, 'warnings'); } + if ($passwordismodified && $object->login == $user->login) { // Current user has changed its password + $error++; + $langs->load("errors"); + setEventMessages($langs->transnoentitiesnoconv("WarningYourPasswordWasModifiedPleaseLogin"), null, 'warnings'); + header("Location: ".DOL_URL_ROOT.'/user/card.php?id='.$object->id); + exit; + } } else { $db->rollback(); } diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index d7b93d323e1..22556d3e1c2 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -276,6 +276,7 @@ class User extends CommonObject public $datelastlogin; public $datepreviouslogin; + public $flagdelsessionsbefore; public $iplastlogin; public $ippreviouslogin; public $datestartvalidity; @@ -441,6 +442,7 @@ class User extends CommonObject $sql .= " u.tms as datem,"; $sql .= " u.datelastlogin as datel,"; $sql .= " u.datepreviouslogin as datep,"; + $sql .= " u.flagdelsessionsbefore,"; $sql .= " u.iplastlogin,"; $sql .= " u.ippreviouslogin,"; $sql .= " u.datelastpassvalidation,"; @@ -575,6 +577,7 @@ class User extends CommonObject $this->datem = $this->db->jdate($obj->datem); $this->datelastlogin = $this->db->jdate($obj->datel); $this->datepreviouslogin = $this->db->jdate($obj->datep); + $this->flagdelsessionsbefore = $this->db->jdate($obj->flagdelsessionsbefore, 'gmt'); $this->iplastlogin = $obj->iplastlogin; $this->ippreviouslogin = $obj->ippreviouslogin; $this->datestartvalidity = $this->db->jdate($obj->datestartvalidity);