Merge pull request #152 from gaudryc/fix_long_term_authentication_cookie_2

Fix long term authentication cookie (Part 2)

Author: gizmocuz

main/WebServer.cpp

@@ -14848,7 +14848,7 @@ namespace http {
 		}
 
 		/**
-		 * Retrieve user session from store
+		 * Retrieve user session from store, without remote host.
 		 */
 		const WebEmStoredSession CWebServer::GetSession(const std::string & sessionId) {
 			//_log.Log(LOG_STATUS, "SessionStore : get...");
@@ -14858,13 +14858,27 @@ namespace http {
 				_log.Log(LOG_ERROR, "SessionStore : cannot get session without id.");
 			} else {
 				std::vector<std::vector<std::string> > result;
-				result = m_sql.safe_query("SELECT SessionID, Username, AuthToken FROM UserSessions WHERE SessionID = '%q'",
+				result = m_sql.safe_query("SELECT SessionID, Username, AuthToken, ExpirationDate FROM UserSessions WHERE SessionID = '%q'",
 						sessionId.c_str());
 				if (result.size() > 0) {
 					session.id = result[0][0].c_str();
 					session.username = base64_decode(result[0][1]);
 					session.auth_token = result[0][2].c_str();
-					// ExpirationDate is not used to restore the session
+
+					std::string sExpirationDate = result[0][3];
+					time_t now = mytime(NULL);
+					struct tm tm1;
+					localtime_r(&now, &tm1);
+					struct tm tExpirationDate;
+					tExpirationDate.tm_isdst = tm1.tm_isdst;
+					tExpirationDate.tm_year = atoi(sExpirationDate.substr(0, 4).c_str()) - 1900;
+					tExpirationDate.tm_mon = atoi(sExpirationDate.substr(5, 2).c_str()) - 1;
+					tExpirationDate.tm_mday = atoi(sExpirationDate.substr(8, 2).c_str());
+					tExpirationDate.tm_hour = atoi(sExpirationDate.substr(11, 2).c_str());
+					tExpirationDate.tm_min = atoi(sExpirationDate.substr(14, 2).c_str());
+					tExpirationDate.tm_sec = atoi(sExpirationDate.substr(17, 2).c_str());
+					session.expires = mktime(&tExpirationDate);
+
 					// RemoteHost is not used to restore the session
 					// LastUpdate is not used to restore the session
 				}
@@ -14873,6 +14887,9 @@ namespace http {
 			return session;
 		}
 
+		/**
+		 * Save user session.
+		 */
 		void CWebServer::StoreSession(const WebEmStoredSession & session) {
 			//_log.Log(LOG_STATUS, "SessionStore : store...");
 			if (session.id.empty()) {
@@ -14899,14 +14916,17 @@ namespace http {
 					remote_host.c_str());
 			} else {
 				m_sql.safe_query(
-					"UPDATE UserSessions set AuthToken = '%q', ExpirationDate = '%q', RemoteHost = '%q' WHERE SessionID = '%q'",
+					"UPDATE UserSessions set AuthToken = '%q', ExpirationDate = '%q', RemoteHost = '%q', LastUpdate = datetime('now', 'localtime') WHERE SessionID = '%q'",
 					session.auth_token.c_str(),
 					szExpires,
 					remote_host.c_str(),
 					session.id.c_str());
 			}
 		}
 
+		/**
+		 * Remove user session and expired sessions.
+		 */
 		void CWebServer::RemoveSession(const std::string & sessionId) {
 			//_log.Log(LOG_STATUS, "SessionStore : remove...");
 			if (sessionId.empty()) {
@@ -14917,6 +14937,15 @@ namespace http {
 					sessionId.c_str());
 		}
 
+		/**
+		 * Remove all expired user sessions.
+		 */
+		void CWebServer::CleanSessions() {
+			//_log.Log(LOG_STATUS, "SessionStore : clean...");
+			m_sql.safe_query(
+					"DELETE FROM UserSessions WHERE ExpirationDate < datetime('now', 'localtime')");
+		}
+
 	} //server
 }//http
 

main/WebServer.h

@@ -77,6 +77,7 @@ class CWebServer : public session_store
 	const WebEmStoredSession GetSession(const std::string & sessionId);
 	void StoreSession(const WebEmStoredSession & session);
 	void RemoveSession(const std::string & sessionId);
+	void CleanSessions();
 
 private:
 	void HandleCommand(const std::string &cparam, WebEmSession & session, const request& req, Json::Value &root);

webserver/cWebem.cpp

@@ -902,6 +902,9 @@ void cWebem::SetZipPassword(std::string password)
 
 void cWebem::SetSessionStore(session_store* sessionStore) {
 	mySessionStore = sessionStore;
+	if (mySessionStore != NULL) {
+		mySessionStore->CleanSessions();
+	}
 }
 
 session_store* cWebem::GetSessionStore() {
@@ -1141,7 +1144,9 @@ std::string cWebemRequestHandler::generateSessionID()
 
 	std::string sessionId = GenerateMD5Hash(base64_encode((const unsigned char*)randomValue.c_str(), randomValue.size()));
 
-	//_log.Log(LOG_STATUS, "generate new session id token %s", sessionId.c_str());
+#ifdef _DEBUG
+	_log.Log(LOG_STATUS, "generate new session id token %s", sessionId.c_str());
+#endif
 
 	return sessionId;
 }
@@ -1158,6 +1163,7 @@ std::string cWebemRequestHandler::generateAuthToken(const WebEmSession & session
 	randomValue = ss.str();
 
 	std::string authToken = base64_encode((const unsigned char*)randomValue.c_str(), randomValue.size());
+
 #ifdef _DEBUG
 	_log.Log(LOG_STATUS, "generate new authentication token %s", authToken.c_str());
 #endif
@@ -1411,6 +1417,7 @@ bool cWebemRequestHandler::checkAuthToken(WebEmSession & session) {
 		removeAuthToken(session.id);
 		return false;
 	}
+
 #ifdef _DEBUG
 	//_log.Log(LOG_STATUS, "CheckAuthToken(%s_%s_%s) : user authenticated", session.id.c_str(), session.auth_token.c_str(), session.username.c_str());
 #endif
@@ -1419,6 +1426,7 @@ bool cWebemRequestHandler::checkAuthToken(WebEmSession & session) {
 		// Restore session if user exists and session does not already exist
 		bool userExists = false;
 		session.username = storedSession.username;
+		session.expires = storedSession.expires;
 		std::vector<_tWebUserPassword>::iterator ittu;
 		for (ittu=myWebem->m_userpasswords.begin(); ittu!=myWebem->m_userpasswords.end(); ++ittu) {
 			if (ittu->Username == session.username) { // the user still exists
@@ -1427,13 +1435,15 @@ bool cWebemRequestHandler::checkAuthToken(WebEmSession & session) {
 				break;
 			}
 		}
+
 		if (!userExists) {
 #ifdef _DEBUG
 			_log.Log(LOG_ERROR, "CheckAuthToken(%s_%s) : cannot restore session user not found", session.id.c_str(), session.auth_token.c_str());
 #endif
 			removeAuthToken(session.id);
 			return false;
 		}
+
 		std::map<std::string, WebEmSession>::iterator itts = myWebem->m_sessions.find(session.id);
 		if (itts == myWebem->m_sessions.end()) {
 #ifdef _DEBUG
@@ -1624,8 +1634,7 @@ void cWebemRequestHandler::handle_request( const std::string &sHost, const reque
 			if (myWebem->m_sessions[session.id].expires - 60 < atime)
 			{
 				myWebem->m_sessions[session.id].expires = atime + SESSION_TIMEOUT;
-				session.expires = myWebem->m_sessions[session.id].expires;
-				myWebem->m_sessions[session.id].auth_token = generateAuthToken(session, req); // do it after expires to save it also
+				myWebem->m_sessions[session.id].auth_token = generateAuthToken(myWebem->m_sessions[session.id], req); // do it after expires to save it also
 				send_cookie(rep, myWebem->m_sessions[session.id]);
 			}
 		}

webserver/session_store.hpp

@@ -20,7 +20,7 @@ typedef struct _tWebEmStoredSession {
 } WebEmStoredSession;
 
 /**
- * Gives access to the user session datastore.
+ * Gives access to the user session store.
  */
 class session_store {
 public:
@@ -38,6 +38,11 @@ class session_store {
 	 * Remove user session from store
 	 */
 	virtual void RemoveSession(const std::string & sessionId)=0;
+
+	/**
+	 * Remove expired user sessions from store
+	 */
+	virtual void CleanSessions()=0;
 };
 
 }