Fix #9744: Allow users to turn off session validation at login time.

mantisbt · Jun 8, 2009 · a556dc0 · a556dc0
1 parent 5db9ffa
commit a556dc0
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/core/session_api.php b/core/session_api.php
@@ -143,7 +143,7 @@ function session_init( $p_session_id=null ) {
 			break;
 	}
 
-	if ( ON == config_get_global( 'session_validation' ) ) {
+	if ( ON == config_get_global( 'session_validation' ) && session_get( 'secure_session', false ) ) {
 		session_validate( $g_session );
 	}
 }

diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -710,6 +710,8 @@ $s_error_code_version_out_of_date = '<strong>Warning:</strong> The database stru
 $s_login_page_info = 'Welcome to the Issue Tracker.';
 $s_login_title = 'Login';
 $s_save_login = 'Save Login';
+$s_secure_session = 'Secure Session';
+$s_secure_session_long = '<span class="small">Only allow your session to be used from this IP.</span>';
 $s_choose_project = 'Choose Project';
 $s_login_button = 'Login';
 $s_signup_link = 'Signup for a new account';

diff --git a/login.php b/login.php
@@ -31,14 +31,23 @@
 	$f_perm_login	= gpc_get_bool( 'perm_login' );
 	$f_return		= gpc_get_string( 'return', config_get( 'default_home_page' ) );
 	$f_from			= gpc_get_string( 'from', '' );
+	$f_secure_session = gpc_get_bool( 'secure_session', false );
 
 	$f_username = auth_prepare_username($f_username);
 	$f_password = auth_prepare_password($f_password);
 
+	gpc_set_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', $f_secure_session ? '1' : '0' );
+
 	if ( auth_attempt_login( $f_username, $f_password, $f_perm_login ) ) {
+		session_set( 'secure_session', $f_secure_session );
+
 		$t_redirect_url = 'login_cookie_test.php?return=' . string_sanitize_url( $f_return );
+
 	} else {
-		$t_redirect_url = 'login_page.php?return=' . string_sanitize_url( $f_return ) . '&error=1&username=' . urlencode( $f_username );
+		$t_redirect_url = 'login_page.php?return=' . string_sanitize_url( $f_return ) .
+			'&error=1&username=' . urlencode( $f_username ) .
+			'&perm_login=' . ( $f_perm_login ? 1 : 0 ) .
+			'&secure_session=' . ( $f_secure_session ? 1 : 0 );
 
 		if ( HTTP_AUTH == config_get( 'login_method' ) ) {
 			auth_http_prompt();

diff --git a/login_page.php b/login_page.php
@@ -36,6 +36,11 @@
 	$f_cookie_error	= gpc_get_bool( 'cookie_error' );
 	$f_return		= gpc_get_string( 'return', '' );
 	$f_username     = gpc_get_string( 'username', '' );
+	$f_perm_login	= gpc_get_bool( 'perm_login', false );
+	$f_secure_session = gpc_get_bool( 'secure_session', false );
+	$f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );
+
+	$t_session_validation = ( ON == config_get_global( 'session_validation' ) );
 
 	# Check for automatic logon methods where we want the logon to just be handled by login.php
 	if ( auth_automatic_logon_bypass_form() ) {
@@ -72,6 +77,18 @@
 		echo lang_get( 'login_cookies_disabled' ) . '<br />';
 	}
 
+	# Determine if secure_session should default on or off?
+	# - If no errors, and no cookies set, default to on.
+	# - If no errors, but cookie is set, use the cookie value.
+	# - If errors, use the value passed in.
+	if ( $t_session_validation ) {
+		if ( !$f_error && !$f_cookie_error ) {
+			$t_default_secure_session = ( is_null( $f_secure_session_cookie ) ? true : $f_secure_session_cookie );
+		} else {
+			$t_default_secure_session = $f_secure_session;
+		}
+	}
+
 	echo '</div>';
 ?>
 
@@ -99,11 +116,11 @@
 	</td>
 </tr>
 <tr class="row-1">
-	<td class="category" width="25%">
+	<td class="category">
 		<?php echo lang_get( 'username' ) ?>
 	</td>
-	<td width="75%">
-		<input type="text" name="username" size="32" maxlength="<?php echo USERLEN;?>" value="<?php echo string_attribute( $f_username ); ?>" />
+	<td>
+		<input type="text" name="username" size="28" maxlength="<?php echo USERLEN;?>" value="<?php echo string_attribute( $f_username ); ?>" />
 	</td>
 </tr>
 <tr class="row-2">
@@ -119,9 +136,20 @@
 		<?php echo lang_get( 'save_login' ) ?>
 	</td>
 	<td>
-		<input type="checkbox" name="perm_login" />
+	<input type="checkbox" name="perm_login" <?php echo ( $f_perm_login ? 'checked="checked" ' : '' ) ?>/>
 	</td>
 </tr>
+<?php if ( $t_session_validation ) { ?>
+<tr class="row-2">
+	<td class="category">
+		<?php echo lang_get( 'secure_session' ) ?>
+	</td>
+	<td>
+	<input type="checkbox" name="secure_session" <?php echo ( $t_default_secure_session ? 'checked="checked" ' : '' ) ?>/>
+	<?php echo lang_get( 'secure_session_long' ) ?>
+	</td>
+</tr>
+<?php } ?>
 <tr>
 	<td class="center" colspan="2">
 		<input type="submit" class="button" value="<?php echo lang_get( 'login_button' ) ?>" />
@@ -224,4 +252,4 @@
 <?php } ?>
 
 <?php
-	html_page_bottom1a( __FILE__ );
+	html_page_bottom1a( __FILE__ );