

Security: Give admins the ability whether an admin session will be in…
…itialized during logon or not..

Signed-off-by:Thorsten Eurich <thorsten@eurich.de>
eurich committed Jul 14, 2013
1 parent 495503b commit abd843e
Showing 4 changed files with 13 additions and 4 deletions.
1 change: 1 addition & 0 deletions sources/admin/ManageSecurity.php
Expand Up @@ -176,6 +176,7 @@ private function _initSecuritySettingsForm()
array('check', 'enableErrorQueryLogging'),
'',
array('int', 'admin_session_lifetime'),
array('check', 'auto_admin_session'),
array('check', 'securityDisable'),
array('check', 'securityDisable_moderate'),
'',
14 changes: 10 additions & 4 deletions sources/controllers/Auth.controller.php
Expand Up @@ -366,7 +366,7 @@ public function action_login2()
*/
public function action_logout($internal = false, $redirect = true)
{
global $user_info, $user_settings, $context, $modSettings;
global $user_info, $user_settings, $context;

// Make sure they aren't being auto-logged out.
if (!$internal)
Expand Down Expand Up @@ -394,6 +394,9 @@ public function action_logout($internal = false, $redirect = true)
logOnline($user_info['id'], false);
}

// Logout? Let's kill the admin session, too.
unset($_SESSION['admin_time']);

$_SESSION['log_time'] = 0;

// Empty the cookie! (set it in the past, and for id_member = 0)
Expand Down Expand Up @@ -468,7 +471,7 @@ public function action_maintenance_mode()
*/
public function action_salt()
{
global $user_info, $user_settings, $context;
global $user_info, $user_settings, $context, $cookiename;

// we deal only with logged in folks in here!
if (!$user_info['is_guest'])
Expand Down Expand Up @@ -497,7 +500,7 @@ public function action_salt()
*/
public function action_check()
{
global $user_info, $modSettings;
global $user_info, $modSettings, $user_settings;

// Only our members, please.
if (!$user_info['is_guest'])
Expand Down Expand Up @@ -621,7 +624,10 @@ function doLogin()
// An administrator, set up the login so they don't have to type it again.
if ($user_info['is_admin'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
{
$_SESSION['admin_time'] = time();
// Let's validate if they really want..
if (!empty($modSettings['auto_admin_session']) && $modSettings['auto_admin_session'] == 1)
$_SESSION['admin_time'] = time();

unset($_SESSION['just_registered']);
}

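Review bot: In the doLogin hunk the new guard `!empty($modSettings['auto_admin_session']) && $modSettings['auto_admin_session'] == 1` tests the same setting twice, the second time with a loose `==`; for a checkbox stored as 0/1, `if (!empty($modSettings['auto_admin_session']))` is equivalent and drops the loose comparison. The guard also flips the default: an installation whose settings have no `auto_admin_session` value now never sets `$_SESSION['admin_time']` at login where it previously always did, which is the safer default but should be stated in the commit message and, if the old behaviour is to be preserved, backed by a default value or an upgrade step. doLogin's `global` declaration is outside the hunk, so I could not confirm that `$modSettings` is declared in that function. The global-list edits in action_logout (dropping `$modSettings`), action_salt and action_check look unrelated to the titled change; the removal in action_logout is only safe if nothing later in that function still reads `$modSettings`, and that part of the body is outside the hunk.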
1 change: 1 addition & 0 deletions themes/default/languages/Help.english.php
Expand Up @@ -370,6 +370,7 @@
$helptxt['globalCookiesDomain'] = 'Define the main domain to be used when log in cookies are available across subdomains';
$helptxt['secureCookies'] = 'Enabling this option will force the cookies created for users on your forum to be marked as secure. Only enable this option if you are using HTTPS throughout your site as it will break cookie handling otherwise!';
$helptxt['admin_session_lifetime'] = 'This controls the length of time an admin session can remain active. Once this timer expires the session will end, requiring you to enter your admin credentials to continue accessing the admin area. The minimum value is 5 minutes, the maximum allowed value is 14400 minutes (a day). It is strongly recommended to use a value less than 60 minutes for security reasons.';
$helptxt['auto_admin_session'] = 'This controls whether an administrative session is activated during logon or not.';
$helptxt['securityDisable'] = 'This <em>disables</em> the additional password check for the administration section. This is not recommended!';
$helptxt['securityDisable_why'] = 'This is your current password. (the same one you use to login.)<br /><br />Having to type this helps ensure that you want to do whatever administration you are doing, and that it is <strong>you</strong> doing it.';
$helptxt['securityDisable_moderate'] = 'This <em>disables</em> the additional password check for the moderation section. This is not recommended!';
1 change: 1 addition & 0 deletions themes/default/languages/ManageSettings.english.php
Expand Up @@ -60,6 +60,7 @@
$txt['httponlyCookies'] = 'Force cookies to be made accessible only through the HTTP protocol';
$txt['httponlyCookies_note'] = '(Cookies won\'t be accessible by scripting languages, such as JavaScript. This setting can help to reduce identity theft through XSS attacks.)';
$txt['admin_session_lifetime'] = 'Number of minutes an admin session stays active';
$txt['auto_admin_session'] = 'Automatically start an admin session on logon';
$txt['securityDisable'] = 'Disable administration security';
$txt['securityDisable_moderate'] = 'Disable moderation security';
$txt['send_validation_onChange'] = 'Require reactivation after email change';
