Merge pull request #657 from eurich/admin_security

Admin security enhancements

install/install_1-0_mysql.sql

@@ -1776,6 +1776,7 @@ VALUES ('elkVersion', '{$current_version}'),
 	('send_validation_onChange', '0'),
 	('send_welcomeEmail', '1'),
 	('allow_editDisplayName', '1'),
+	('admin_session_lifetime', '10'),
 	('allow_hideOnline', '1'),
 	('guest_hideContacts', '1'),
 	('spamWaitTime', '5'),

install/install_1-0_postgresql.sql

@@ -2269,6 +2269,7 @@ INSERT INTO {$db_prefix}settings (variable, value) VALUES ('registration_method'
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('send_validation_onChange', '0');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('send_welcomeEmail', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('allow_editDisplayName', '1');
+INSERT INTO {$db_prefix}settings (variable, value) VALUES ('admin_session_lifetime', '10');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('allow_hideOnline', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('guest_hideContacts', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('spamWaitTime', '5');

install/install_1-0_sqlite.sql

@@ -1922,6 +1922,7 @@ INSERT INTO {$db_prefix}settings (variable, value) VALUES ('registration_method'
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('send_validation_onChange', '0');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('send_welcomeEmail', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('allow_editDisplayName', '1');
+INSERT INTO {$db_prefix}settings (variable, value) VALUES ('admin_session_lifetime', '10');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('allow_hideOnline', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('guest_hideContacts', '1');
 INSERT INTO {$db_prefix}settings (variable, value) VALUES ('spamWaitTime', '5');

install/upgrade_elk_1-0_mysql.sql

@@ -34,6 +34,7 @@ INSERT IGNORE INTO {$db_prefix}settings
 VALUES
 	('avatar_default', '0'),
 	('gravatar_rating', 'g'),
+	('admin_session_lifetime', 10),
 	('xmlnews_limit', 5),
 	('visual_verification_num_chars', '6'),
 	('enable_disregard', 0),

install/upgrade_elk_1-0_postgresql.sql

@@ -41,6 +41,10 @@ VALUES
 	('gravatar_rating', 'g');
 INSERT IGNORE INTO {$db_prefix}settings
 	(variable, value)
+VALUES
+	('admin_session_lifetime', 10);
+INSERT IGNORE INTO {$db_prefix}settings
+	(variable, value)
 VALUES
 	('xmlnews_limit', 5);
 INSERT IGNORE INTO {$db_prefix}settings

install/upgrade_elk_1-0_sqlite.sql

@@ -39,6 +39,10 @@ VALUES
 	('gravatar_rating', 'g');
 INSERT IGNORE INTO {$db_prefix}settings
 	(variable, value)
+VALUES
+	('admin_session_lifetime', 10);
+INSERT IGNORE INTO {$db_prefix}settings
+	(variable, value)
 VALUES
 	('xmlnews_limit', 5);
 INSERT IGNORE INTO {$db_prefix}settings

sources/Security.php

@@ -42,8 +42,27 @@ function validateSession($type = 'admin')
 	call_integration_hook('integrate_validateSession', array(&$types));
 	$type = in_array($type, $types) || $type == 'moderate' ? $type : 'admin';
 
+	// Set the lifetime for our admin session. Default is ten minutes.
+	$refreshTime =  600;
+
+	if (isset($modSettings['admin_session_lifetime']))
+	{
+		// Maybe someone is paranoid or mistakenly misconfigured the param? Give them at least 5 minutes.
+		if ($modSettings['admin_session_lifetime'] < 5)
+			$refreshTime = 300;
+
+		// A whole day should be more than enough..
+		elseif ($modSettings['admin_session_lifetime'] > 14400)
+			$refreshTime = 86400;
+
+		// We are between our internal min and max. Let's keep the board owner's value.
+		else
+			$refreshTime = $modSettings['admin_session_lifetime'] * 60;
+	}
+
 	// If we're using XML give an additional ten minutes grace as an admin can't log on in XML mode.
-	$refreshTime = isset($_GET['xml']) ? 4200 : 3600;
+	if (isset($_GET['xml']))
+		$refreshTime += 600;
 
 	// Is the security option off?
 	if (!empty($modSettings['securityDisable' . ($type != 'admin' ? '_' . $type : '')]))

sources/Subs.php

@@ -3034,7 +3034,7 @@ function template_rawdata()
  */
 function template_header()
 {
-	global $txt, $modSettings, $context, $settings, $user_info;
+	global $txt, $modSettings, $context, $settings, $user_info, $scripturl;
 
 	setupThemeContext();
 
@@ -3118,6 +3118,9 @@ function template_header()
 		</div>';
 			}
 		}
+		if (in_array($layer, array('body', 'main')) && allowedTo('admin_forum') && !$user_info['is_guest'] && (isset($_SESSION['admin_time']) && $_SESSION['admin_time'] + ($modSettings['admin_session_lifetime'] * 60) > mktime()))
+			echo '<div class="noticebox">', sprintf($txt['admin_session_active'], ($scripturl . '?action=admin;area=adminlogoff;' . $context['session_var'] . '=' . $context['session_id'])), '</div>';
+
 		// If the user is banned from posting inform them of it.
 		elseif (in_array($layer, array('main', 'body')) && isset($_SESSION['ban']['cannot_post']) && !$showed_banned)
 		{

sources/admin/ManageSecurity.php

@@ -175,6 +175,8 @@ private function _initSecuritySettingsForm()
 				array('check', 'enableErrorLogging'),
 				array('check', 'enableErrorQueryLogging'),
 			'',
+				array('int', 'admin_session_lifetime'),
+				array('check', 'auto_admin_session'),
 				array('check', 'securityDisable'),
 				array('check', 'securityDisable_moderate'),
 			'',

sources/controllers/Auth.controller.php

@@ -366,7 +366,7 @@ public function action_login2()
  	*/
 	public function action_logout($internal = false, $redirect = true)
 	{
-		global $user_info, $user_settings, $context, $modSettings;
+		global $user_info, $user_settings, $context;
 
 		// Make sure they aren't being auto-logged out.
 		if (!$internal)
@@ -394,6 +394,9 @@ public function action_logout($internal = false, $redirect = true)
 			logOnline($user_info['id'], false);
 		}
 
+		// Logout? Let's kill the admin session, too. 
+		unset($_SESSION['admin_time']);
+
 		$_SESSION['log_time'] = 0;
 
 		// Empty the cookie! (set it in the past, and for id_member = 0)
@@ -468,7 +471,7 @@ public function action_maintenance_mode()
 	 */
 	public function action_salt()
 	{
-		global $user_info, $user_settings, $context;
+		global $user_info, $user_settings, $context, $cookiename;
 
 		// we deal only with logged in folks in here!
 		if (!$user_info['is_guest'])
@@ -497,7 +500,7 @@ public function action_salt()
 	 */
 	public function action_check()
 	{
-		global $user_info, $modSettings;
+		global $user_info, $modSettings, $user_settings;
 
 		// Only our members, please.
 		if (!$user_info['is_guest'])
@@ -621,7 +624,10 @@ function doLogin()
 	// An administrator, set up the login so they don't have to type it again.
 	if ($user_info['is_admin'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
 	{
-		$_SESSION['admin_time'] = time();
+		// Let's validate if they really want..
+		if (!empty($modSettings['auto_admin_session']) && $modSettings['auto_admin_session'] == 1)
+			$_SESSION['admin_time'] = time();
+
 		unset($_SESSION['just_registered']);
 	}
 

themes/default/Login.template.php

@@ -47,9 +47,9 @@ function template_login()
 	echo '
 				<dl>
 					<dt>', $txt['username'], ':</dt>
-					<dd><input type="text" name="user" size="20" value="', $context['default_username'], '" class="input_text" /></dd>
+					<dd><input type="text" name="user" size="20" value="', $context['default_username'], '" class="input_text" autofocus="autofocus" placeholder="', $txt['username'], '" /></dd>
 					<dt>', $txt['password'], ':</dt>
-					<dd><input type="password" name="passwrd" value="', $context['default_password'], '" size="20" class="input_password" /></dd>
+					<dd><input type="password" name="passwrd" value="', $context['default_password'], '" size="20" class="input_password" placeholder="', $txt['password'], '" /></dd>
 				</dl>';
 
 	if (!empty($modSettings['enableOpenID']))
@@ -231,7 +231,7 @@ function template_admin_login()
 
 	echo '
 			<strong>', $txt['password'], ':</strong>
-			<input type="password" name="', $context['sessionCheckType'], '_pass" size="24" class="input_password" />
+			<input type="password" name="', $context['sessionCheckType'], '_pass" size="24" class="input_password"  autofocus="autofocus" placeholder="', $txt['password'], '"/>
 			<a href="', $scripturl, '?action=quickhelp;help=securityDisable_why" onclick="return reqOverlayDiv(this.href);" class="help"><img class="icon" src="', $settings['images_url'], '/helptopics.png" alt="', $txt['help'], '" /></a><br />
 			<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
 			<input type="hidden" name="', $context['admin-login_token_var'], '" value="', $context['admin-login_token'], '" />

themes/default/languages/Help.english.php

@@ -369,6 +369,8 @@
 	Using this option will allow you to access the forum\'s cookie on your site.  Do not enable this if there are other subdomains (like hacker.elkarte.net) not controlled by you.';
 $helptxt['globalCookiesDomain'] = 'Define the main domain to be used when log in cookies are available across subdomains';
 $helptxt['secureCookies'] = 'Enabling this option will force the cookies created for users on your forum to be marked as secure. Only enable this option if you are using HTTPS throughout your site as it will break cookie handling otherwise!';
+$helptxt['admin_session_lifetime'] = 'This controls the length of time an admin session can remain active. Once this timer expires the session will end, requiring you to enter your admin credentials to continue accessing the admin area. The minimum value is 5 minutes, the maximum allowed value is 14400 minutes (a day). It is strongly recommended to use a value less than 60 minutes for security reasons.';
+$helptxt['auto_admin_session'] = 'This controls  whether an administrative session is activated during logon or not.';
 $helptxt['securityDisable'] = 'This <em>disables</em> the additional password check for the administration section. This is not recommended!';
 $helptxt['securityDisable_why'] = 'This is your current password. (the same one you use to login.)<br /><br />Having to type this helps ensure that you want to do whatever administration you are doing, and that it is <strong>you</strong> doing it.';
 $helptxt['securityDisable_moderate'] = 'This <em>disables</em> the additional password check for the moderation section. This is not recommended!';

themes/default/languages/ManageSettings.english.php

@@ -59,6 +59,8 @@
 $txt['secureCookies_note'] = '(This only applies if you are using HTTPS - don\'t use otherwise!)';
 $txt['httponlyCookies'] = 'Force cookies to be made accessible only through the HTTP protocol';
 $txt['httponlyCookies_note'] = '(Cookies won\'t be accessible by scripting languages, such as JavaScript. This setting can help to reduce identity theft through XSS attacks.)';
+$txt['admin_session_lifetime'] = 'Number of minutes an admin session stays active';
+$txt['auto_admin_session'] = 'Automatically start an admin session on logon';
 $txt['securityDisable'] = 'Disable administration security';
 $txt['securityDisable_moderate'] = 'Disable moderation security';
 $txt['send_validation_onChange'] = 'Require reactivation after email change';

themes/default/languages/index.english.php

@@ -190,6 +190,7 @@
 $txt['welcome_member'] = 'Please welcome'; //Deprecated
 $txt['welcome_newest_member'] = 'Please welcome %1$s, our newest member.';
 $txt['admin_center'] = 'Administration Center';
+$txt['admin_session_active'] = 'You have an active admin session in place. We recommend to <strong><a class="strong" href="%1$s">end this session</a></strong> once you have finished your administrative tasks.';
 $txt['last_edit'] = 'Last Edit'; //Deprecated
 $txt['last_edit_by'] = '<span class="lastedit">Last Edit</span>: %1$s by %2$s';
 $txt['notify_deactivate'] = 'Would you like to deactivate notification on this topic?';