From abd843e6ea57462233d00e09d0af3d1af2c3e25a Mon Sep 17 00:00:00 2001
From: Thorsten Eurich
Date: Sun, 14 Jul 2013 10:45:39 +0200
Subject: [PATCH] Security: Give admins the ability whether an admin session will be initialized during logon or not..

Signed-off-by:Thorsten Eurich
---
 sources/admin/ManageSecurity.php | 1 +
 sources/controllers/Auth.controller.php | 14 ++++++++++----
 themes/default/languages/Help.english.php | 1 +
 .../default/languages/ManageSettings.english.php | 1 +
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/sources/admin/ManageSecurity.php b/sources/admin/ManageSecurity.php
index 72dc0e37e1..fa55d054fa 100644
--- a/sources/admin/ManageSecurity.php
+++ b/sources/admin/ManageSecurity.php
@@ -176,6 +176,7 @@ private function _initSecuritySettingsForm()
 array('check', 'enableErrorQueryLogging'),
 '',
 array('int', 'admin_session_lifetime'),
+ array('check', 'auto_admin_session'),
 array('check', 'securityDisable'),
 array('check', 'securityDisable_moderate'),
 '',
diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php
index 791c7522ad..6afe75a894 100644
--- a/sources/controllers/Auth.controller.php
+++ b/sources/controllers/Auth.controller.php
@@ -366,7 +366,7 @@ public function action_login2()
 */
 public function action_logout($internal = false, $redirect = true)
 {
- global $user_info, $user_settings, $context, $modSettings;
+ global $user_info, $user_settings, $context;
 
 // Make sure they aren't being auto-logged out.
 if (!$internal)
@@ -394,6 +394,9 @@ public function action_logout($internal = false, $redirect = true)
 logOnline($user_info['id'], false);
 }
 
+ // Logout? Let's kill the admin session, too.
+ unset($_SESSION['admin_time']);
+
 $_SESSION['log_time'] = 0;
 
 // Empty the cookie! (set it in the past, and for id_member = 0)
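Review bot: Dropping `$modSettings` from the `global` list of `action_logout()` is only safe if nothing in the remainder of the method reads it, and the body continues outside the hunk, so that cannot be confirmed from here. If a later line still uses `$modSettings`, it silently becomes an undefined local, so any `!empty($modSettings[...])` check in the logout path would turn false instead of raising an error. The removal is unrelated to the admin-session toggle the commit describes; a quick grep of the method before merging, or a sentence in the commit message saying the global was unused, would settle it.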
@@ -468,7 +471,7 @@ public function action_maintenance_mode()
 */
 public function action_salt()
 {
- global $user_info, $user_settings, $context;
+ global $user_info, $user_settings, $context, $cookiename;
 
 // we deal only with logged in folks in here!
 if (!$user_info['is_guest'])
@@ -497,7 +500,7 @@ public function action_salt()
 */
 public function action_check()
 {
- global $user_info, $modSettings;
+ global $user_info, $modSettings, $user_settings;
 
 // Only our members, please.
 if (!$user_info['is_guest'])
@@ -621,7 +624,10 @@ function doLogin()
 // An administrator, set up the login so they don't have to type it again.
 if ($user_info['is_admin'] && isset($user_settings['openid_uri']) && empty($user_settings['openid_uri']))
 {
- $_SESSION['admin_time'] = time();
+ // Let's validate if they really want..
+ if (!empty($modSettings['auto_admin_session']) && $modSettings['auto_admin_session'] == 1)
+ $_SESSION['admin_time'] = time();
+
 unset($_SESSION['just_registered']);
 }
 
diff --git a/themes/default/languages/Help.english.php b/themes/default/languages/Help.english.php
index 9b35e64bb5..406f25ccb9 100644
--- a/themes/default/languages/Help.english.php
+++ b/themes/default/languages/Help.english.php
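Review bot: The `$cookiename` added to the `global` line of `action_salt()` here, and the `$user_settings` added in the `action_check()` hunk below, are not referenced by any line inside either hunk, so whether they fix a real undefined-variable notice or are dead declarations depends on code outside the hunks. Both changes are unrelated to the admin-session toggle the commit describes; if they are fixes they deserve a sentence in the commit message, otherwise they belong in their own commit. `action_salt()` and `action_check()` both continue past their hunks.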
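Review bot: The new guard in `doLogin()`, `!empty($modSettings['auto_admin_session']) && $modSettings['auto_admin_session'] == 1`, mixes a truthiness test with a loose `== 1` comparison; the setting is registered as a `'check'` entry in ManageSecurity.php like its neighbours, which the codebase reads with `!empty()`, so `if (!empty($modSettings['auto_admin_session']))` is sufficient, consistent, and avoids loose-comparison surprises. The diff adds no default for `auto_admin_session`, so unless one is seeded outside this diff an existing board will read the setting as unset after upgrading and stop opening an admin session at logon — the safer default, but a visible behaviour change that the help text and commit message should state. The comment `// Let's validate if they really want..` does not say what is validated; suggest `// Only open an admin session at logon when the board has opted in via auto_admin_session.`. `$modSettings` must be present in doLogin()'s `global` declaration, which lies outside the hunk.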
@@ -370,6 +370,7 @@ $helptxt['globalCookiesDomain'] = 'Define the main domain to be used when log in cookies are available across subdomains'; $helptxt['secureCookies'] = 'Enabling this option will force the cookies created for users on your forum to be marked as secure. Only enable this option if you are using HTTPS throughout your site as it will break cookie handling otherwise!'; $helptxt['admin_session_lifetime'] = 'This controls the length of time an admin session can remain active. Once this timer expires the session will end, requiring you to enter your admin credentials to continue accessing the admin area. The minimum value is 5 minutes, the maximum allowed value is 14400 minutes (a day). It is strongly recommended to use a value less than 60 minutes for security reasons.'; +$helptxt['auto_admin_session'] = 'This controls whether an administrative session is activated during logon or not.'; $helptxt['securityDisable'] = 'This disables the additional password check for the administration section. This is not recommended!'; $helptxt['securityDisable_why'] = 'This is your current password. (the same one you use to login.)

Having to type this helps ensure that you want to do whatever administration you are doing, and that it is you doing it.'; $helptxt['securityDisable_moderate'] = 'This disables the additional password check for the moderation section. This is not recommended!'; diff --git a/themes/default/languages/ManageSettings.english.php b/themes/default/languages/ManageSettings.english.php index b5c3b25bc4..417189e334 100644 --- a/themes/default/languages/ManageSettings.english.php +++ b/themes/default/languages/ManageSettings.english.php @@ -60,6 +60,7 @@ $txt['httponlyCookies'] = 'Force cookies to be made accessible only through the HTTP protocol'; $txt['httponlyCookies_note'] = '(Cookies won\'t be accessible by scripting languages, such as JavaScript. This setting can help to reduce identity theft through XSS attacks.)'; $txt['admin_session_lifetime'] = 'Number of minutes an admin session stays active'; +$txt['auto_admin_session'] = 'Automatically start an admin session on logon'; $txt['securityDisable'] = 'Disable administration security'; $txt['securityDisable_moderate'] = 'Disable moderation security'; $txt['send_validation_onChange'] = 'Require reactivation after email change';