Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

reresubmit: improved persistent cookies :) #31

Merged
merged 15 commits into from
Oct 16, 2012
Merged

reresubmit: improved persistent cookies :) #31

merged 15 commits into from
Oct 16, 2012

Conversation

visit1985
Copy link

After some review rounds with @scroogie I decided to put this into a merge request again.

I used @bartv2's draft and implemented all our comments (from pull request #26).

Here a short summary of the new features:

  • multiple tokens from multiple hosts/browsers can be stored at the same time
  • recreate token after each successfull authentication
  • delete tokens on password change
  • delete tokens older than 15 days (configurable)
  • show a message to the user if cookie authentication fails (pull request #30)
  • use OC_Util::generate_random_bytes() for token generation
  • php session timeout after 1 hour (not configurable jet - I know)
  • php session id regeneration after 15 minutes

Please review and comment!

bartv2 and others added 14 commits October 14, 2012 22:36
@bartv2
Add support for multiple login cookie tokens
1012d31
@bartv2
Cleanup login tokens on login success
7f3e0b5
@bartv2
Make the lifetime of the remember login cookie
4b799a6
improve token security
ee5d0f3 
switched from time() to internal method OC_Util::generate_random_bytes()
further improvements on multiple login token support
45f1c3f 
outdated tokens are deleted before checking against cookies
if an invalid token is used we delete all stored tokens for saveness
used token will be replaced by a new one after successful authentication
delete all tokens on password change
2ea06f6
forgot a class name
eb79cca
call unsetMagicInCookie if token is invalid
38b9bff
fixed wrong variable usage
382f8d0
added a warning message to the log when a cookie is rejected
d8fe6fb
fixed typo and redundant method call
a6c4046
removed username and password from token generation
b92fd98
implement fixed php session timeout and session id regeneration
ae1f33d
extend configkey column to hold 128bit values
22fa23b
@scroogie
Copy link

Hi Michael,

it seems to me your generating a 1024 bit key now:

  •    $token =OC_Util::generate_random_bytes(128);

Greetings
André

@LukasReschke
Copy link
Member

it seems to me your generating a 1024 bit key
$token =OC_Util::generate_random_bytes(128);

Well, this is probably my fault because the description is not very accurate.
generate_random_bytes() returns a string with the given length (so here 128 chars) using openssl_random_pseudo_bytes().

Let's rename this function to generate_random_string() after merging this.

From a security point of view this should be safe to merge and together with #30 this is a real improvement.

+1 from me.

@visit1985
Copy link
Author

No Lukas, the method name is fine. It was my fault. I mixed up bits and bytes.

As 128byte is no performance problem, we use 256bit / 32byte now. Which is equal to a md5 hash or a PHPSESSID.
I also set the configval column back to varchar(64) because we don't need to extend it ;)

Regards,
Michael

LukasReschke added a commit that referenced this pull request Oct 16, 2012
@LukasReschke
Merge pull request #31 from visit1985/persistentcookies
59404b5 
reresubmit: improved persistent cookies :)
@LukasReschke LukasReschke merged commit 59404b5 into owncloud:master Oct 16, 2012
@LukasReschke
Copy link
Member

Let's merge it - Thanks!

@jozefcernak jozefcernak mentioned this pull request Sep 22, 2013
Closed
@dusansantovac dusansantovac mentioned this pull request Mar 22, 2016
Closed
@osadmin osadmin mentioned this pull request Aug 16, 2016
Merged
@tonybluem tonybluem mentioned this pull request Sep 13, 2016
Closed
@stephan-l stephan-l mentioned this pull request Nov 4, 2016
Closed
@TDannhauer TDannhauer mentioned this pull request Nov 30, 2016
Closed
@fsantiago07044 fsantiago07044 mentioned this pull request Feb 9, 2017
Closed
@happiness-now happiness-now mentioned this pull request Apr 22, 2017
Closed
@montanaviking montanaviking mentioned this pull request Apr 28, 2017
Closed
@andriusign andriusign mentioned this pull request Dec 12, 2017
Closed
bhawanaprasain pushed a commit to JankariTech/core that referenced this pull request Apr 25, 2019
@nickvergessen
Merge pull request owncloud#31 from owncloud/fix-30-for-enterprise-th…
ab98232 
…emes

Fix 30 for enterprise themes
@lock lock bot locked as resolved and limited conversation to collaborators Aug 19, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
4 participants
@visit1985 @scroogie @LukasReschke @bartv2