Reset user session cookie string upon logout
When a user logs out from Mantis, we clear their session cookie string
(i.e. set mantis_user_table.cookie_string column to an empty string).
This ensures that anyone knowing its value is no longer able to log in
with it.

On login, after successfully authenticating the user, when setting
the cookies in auth_set_cookies() we check if the cookie_string is
defined in the DB, and if not a new hash is generated and stored.

While not a complete fix for issue #11296, this does improve the
situation by providing an easy and logical means for users to
effectively invalidate all their previous sessions.

Additionally, using an empty value to indicate an invalidated cookie
string instead of directly generating a new hash makes it easy to:
- identify user records which should be considered as logged out
  (e.g. last_visit older than $g_cookie_time_length)
- invalidate login cookies (set them to '')
Leveraging this is left for future improvements.

Note: an empty string in the session cookie always triggers an anonymous
login (or sends the user back to login page if anonymous login is
disabled).

Fixes #27976
dregad committed Mar 6, 2021
1 parent c2ed5da commit 6f369a5
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions core/authentication_api.php
@@ -658,6 +658,15 @@ function auth_attempt_script_login( $p_username, $p_password = null ) {
function auth_logout() {
global $g_cache_current_user_id, $g_cache_cookie_valid;

if( !user_is_protected( $g_cache_current_user_id ) ) {
# Clear the user's cookie string
user_set_field(
$g_cache_current_user_id,
'cookie_string',
''
);
}

# clear cached userid
user_clear_cache( $g_cache_current_user_id );
current_user_set( null );
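Review bot: the `!user_is_protected( $g_cache_current_user_id )` guard means a protected account's cookie_string is never cleared, so for those users logout does not invalidate earlier sessions as the commit message states; either document the exception in the message or add a comment above the guard explaining why protected accounts are skipped. The same block also reads `$g_cache_current_user_id` before `user_clear_cache()` without checking that it holds a real, authenticated user id, so an explicit null/anonymous check before `user_set_field()` would make the intent clear and avoid a DB write for a user who was never logged in.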
@@ -836,6 +845,13 @@ function auth_generate_confirm_hash( $p_user_id ) {
*/
function auth_set_cookies( $p_user_id, $p_perm_login = false ) {
$t_cookie_string = user_get_field( $p_user_id, 'cookie_string' );

# If cookie string is not set in DB, generate a new one
if( !$t_cookie_string ) {
$t_cookie_string = auth_generate_unique_cookie_string();
user_set_field( $p_user_id, 'cookie_string', $t_cookie_string );
}

$t_cookie_name = config_get_global( 'string_cookie' );
gpc_set_cookie( $t_cookie_name, $t_cookie_string, auth_session_expiry( $p_user_id, $p_perm_login ) );
}
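Review bot: `if( !$t_cookie_string )` tests PHP truthiness rather than emptiness, so a stored string that happens to be `"0"` would be treated as unset and regenerated on every login; since the commit message defines the invalidated state as the empty string, compare strictly (`if( '' === $t_cookie_string )` or an equivalent blank check) so the code matches the documented contract. It would also help to note in the comment that the regeneration is the only place a cleared cookie string is restored, so a user whose string was reset must complete a full login before `gpc_set_cookie()` can issue a valid session cookie.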