Implement autologin in the Session class

2026-01-09 03:32:00 +09:00 · 2017-02-08 17:08:31 +09:00 · 2017-02-08 17:08:31 +09:00 · 2af90c8e1d
commit 2af90c8e1d
parent d36263f539
3 changed files with 117 additions and 88 deletions
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -362,11 +362,6 @@ class Context
 				{
 					$oMemberController->setSessionInfo();
 				}
-				// check auto sign-in
-				elseif($_COOKIE['xeak'])
-				{
-					$oMemberController->doAutologin();
-				}
 				
 				self::set('is_logged', $oMemberModel->isLogged());
 				self::set('logged_info', $oMemberModel->getLoggedInfo());
--- a/common/framework/session.php
+++ b/common/framework/session.php
@ -102,7 +102,7 @@ class Session
 		self::$_started = true;
 		
 		// Fetch session keys.
-		list($key1, $key2) = self::_getKeys();
+		list($key1, $key2, $autologin_key) = self::_getKeys();
 		$must_create = $must_refresh = $must_resend_keys = false;
 		
 		// Validate the HTTP key.
@ -122,8 +122,11 @@ class Session
 			}
 			elseif (!$relax_key_checks)
 			{
+				// Hacked session! Destroy everything.
 				$_SESSION = array();
 				$must_create = true;
+				self::setAutologinKeys(null, null);
+				$autologin_key = null;
 			}
 		}
 		else
@ -148,8 +151,11 @@ class Session
 			}
 			elseif (!$relax_key_checks)
 			{
+				// Hacked session! Destroy everything.
 				$_SESSION = array();
 				$must_create = true;
+				self::setAutologinKeys(null, null);
+				$autologin_key = null;
 			}
 		}
 		
@ -166,7 +172,7 @@ class Session
 		// Create or refresh the session if needed.
 		if ($must_create)
 		{
-			return self::create();
+			return self::create($autologin_key);
 		}
 		elseif ($must_refresh)
 		{
@ -318,9 +324,10 @@ class Session
 	 * 
 	 * This method is called automatically by start() when needed.
 	 * 
+	 * @param string $autologin_key (optional)
 	 * @return bool
 	 */
-	public static function create()
+	public static function create($autologin_key = null)
 	{
 		// Ensure backward compatibility with XE session.
 		$member_srl = $_SESSION['member_srl'] ?: false;
@ -329,7 +336,7 @@ class Session
 		
 		// Create the data structure for a new Rhymix session.
 		$_SESSION['RHYMIX'] = array();
-		$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = $member_srl;
+		$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = intval($member_srl);
 		$_SESSION['RHYMIX']['ipaddress'] = $_SESSION['ipaddress'] = \RX_CLIENT_IP;
 		$_SESSION['RHYMIX']['useragent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
 		$_SESSION['RHYMIX']['language'] = \Context::getLangType();
@ -338,7 +345,25 @@ class Session
 		$_SESSION['RHYMIX']['tokens'] = array();
 		
 		// Pass control to refresh() to generate security keys.
-		return self::refresh();
+		$result = self::refresh();
+		
+		// Try autologin.
+		if (!$member_srl && $autologin_key)
+		{
+			$member_srl = getController('member')->doAutologin($autologin_key);
+			if ($member_srl)
+			{
+				$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = intval($member_srl);
+				$_SESSION['is_logged'] = true;
+			}
+			else
+			{
+				self::setAutologinKeys(null, null);
+			}
+		}
+		
+		// Return the result obtained above.
+		return $result;
 	}
 	
 	/**
@ -416,6 +441,7 @@ class Session
 		self::$_started = false;
 		self::$_member_info = false;
 		self::_setKeys();
+		self::setAutologinKeys(null, null);
 		@session_destroy();
 		return true;
 	}
@ -761,7 +787,7 @@ class Session
 	protected static function _getKeys()
 	{
 		// Initialize keys.
-		$key1 = $key2 = null;
+		$key1 = $key2 = $key3 = null;
 		
 		// Fetch and validate the HTTP-only key.
 		if (isset($_COOKIE['rx_sesskey1']) && ctype_alnum($_COOKIE['rx_sesskey1']) && strlen($_COOKIE['rx_sesskey1']) === 24)
@ -775,7 +801,13 @@ class Session
 			$key2 = $_COOKIE['rx_sesskey2'];
 		}
 		
-		return array($key1, $key1 === null ? null : $key2);
+		// Fetch and validate the autologin key.
+		if (isset($_COOKIE['rx_autologin']) && ctype_alnum($_COOKIE['rx_autologin']) && strlen($_COOKIE['rx_autologin']) === 48)
+		{
+			$key3 = $_COOKIE['rx_autologin'];
+		}
+		
+		return array($key1, $key1 === null ? null : $key2, $key3);
 	}
 	
 	/**
@ -810,4 +842,32 @@ class Session
 		
 		return true;
 	}
+	
+	/**
+	 * Set autologin key.
+	 * 
+	 * @param string $autologin_key
+	 * @param string $security_key
+	 * @return bool
+	 */
+	public static function setAutologinKeys($autologin_key = null, $security_key = null)
+	{
+		// Get session parameters.
+		list($lifetime, $refresh_interval, $domain, $path) = self::_getParams();
+		$lifetime = time() + (86400 * 365);
+		
+		// Set or destroy the HTTP-only key.
+		if ($autologin_key && $security_key)
+		{
+			setcookie('rx_autologin', $autologin_key . $security_key, $lifetime, $path, $domain, false, true);
+			$_COOKIE['rx_autologin'] = $autologin_key . $security_key;
+		}
+		else
+		{
+			setcookie('rx_autologin', 'deleted', time() - 86400, $path, $domain, false, true);
+			unset($_COOKIE['rx_autologin']);
+		}
+		
+		return true;
+	}
 }
--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@ -1623,82 +1623,56 @@ class memberController extends member
 	/**
 	 * Auto-login
 	 *
-	 * @return void
+	 * @param string $autologin_key
+	 * @return int|false
 	 */
-	function doAutologin()
+	function doAutologin($autologin_key = null)
 	{
-		// Get a key value of auto log-in
-		$args = new stdClass;
-		$args->autologin_key = $_COOKIE['xeak'];
-		// Get information of the key
-		$output = executeQuery('member.getAutologin', $args);
-		// If no information exists, delete a cookie
-		if(!$output->toBool() || !$output->data)
+		// Validate the key.
+		if (strlen($autologin_key) == 48)
 		{
-			setCookie('xeak',null,$_SERVER['REQUEST_TIME']+60*60*24*365, '/');
-			return;
-		}
-
-		$oMemberModel = getModel('member');
-		$config = $oMemberModel->getMemberConfig();
-
-		$user_id = ($config->identifier == 'user_id') ? $output->data->user_id : $output->data->email_address;
-		$password = $output->data->password;
-
-		if(!$user_id || !$password)
-		{
-			setCookie('xeak',null,$_SERVER['REQUEST_TIME']+60*60*24*365, '/');
-			return;
-		}
-
-		$do_auto_login = false;
-
-		// Compare key values based on the information
-		$check_key = strtolower($user_id).$password.$_SERVER['HTTP_USER_AGENT'];
-		$check_key = substr(hash_hmac('sha256', $check_key, substr($args->autologin_key, 0, 32)), 0, 32);
-
-		if($check_key === substr($args->autologin_key, 32))
-		{
-			// Check change_password_date
-			$oModuleModel = getModel('module');
-			$member_config = $oModuleModel->getModuleConfig('member');
-			$limit_date = $member_config->change_password_date;
-
-			// Check if change_password_date is set
-			if($limit_date > 0)
-			{
-				$oMemberModel = getModel('member');
-				$columnList = array('member_srl', 'change_password_date');
-
-				if($config->identifier == 'user_id')
-				{
-					$member_info = $oMemberModel->getMemberInfoByUserID($user_id, $columnList);
-				}
-				else
-				{
-					$member_info = $oMemberModel->getMemberInfoByEmailAddress($user_id, $columnList);
-				}
-
-				if($member_info->change_password_date >= date('YmdHis', strtotime('-'.$limit_date.' day')) ){
-					$do_auto_login = true;
-				}
-
-			}
-			else
-			{
-				$do_auto_login = true;
-			}
-		}
-
-		if($do_auto_login)
-		{
-			$output = $this->doLogin($user_id);
+			$security_key = substr($autologin_key, 24, 24);
+			$autologin_key = substr($autologin_key, 0, 24);
 		}
 		else
 		{
-			executeQuery('member.deleteAutologin', $args);
-			setCookie('xeak',null,$_SERVER['REQUEST_TIME']+60*60*24*365, '/');
+			return false;
 		}
+		
+		// Fetch autologin information from DB.
+		$args = new stdClass;
+		$args->autologin_key = $autologin_key;
+		$output = executeQuery('member.getAutologin', $args);
+		if (!$output->toBool() || !$output->data)
+		{
+			return false;
+		}
+		if (is_array($output->data))
+		{
+			$output->data = array_first($output->data);
+		}
+		
+		// Check the security key.
+		if ($output->data->security_key !== $security_key || !$output->data->member_srl)
+		{
+			$args = new stdClass;
+			$args->autologin_key = $autologin_key;
+			executeQuery('member.deleteAutologin', $args);
+			return false;
+		}
+		
+		// Update the security key.
+		$new_security_key = Rhymix\Framework\Security::getRandom(24, 'alnum');
+		$args = new stdClass;
+		$args->security_key = $new_security_key;
+		$update_output = executeQuery('member.updateAutologin', $args);
+		if ($update_output->toBool())
+		{
+			Rhymix\Framework\Session::setAutologinKeys($autologin_key, $new_security_key);
+		}
+		
+		// Return the member_srl.
+		return intval($output->data->member_srl);
 	}

 	/**
@ -1860,16 +1834,16 @@ class memberController extends member
 		// When user checked to use auto-login
 		if($keep_signed)
 		{
-			// Key generate for auto login
-			$random_key = Rhymix\Framework\Security::getRandom(32, 'hex');
-			$extra_key = strtolower($user_id).$this->memberInfo->password.$_SERVER['HTTP_USER_AGENT'];
-			$extra_key = substr(hash_hmac('sha256', $extra_key, $random_key), 0, 32);
+			$random_key = Rhymix\Framework\Security::getRandom(48, 'alnum');
 			$autologin_args = new stdClass;
-			$autologin_args->autologin_key = $random_key.$extra_key;
+			$autologin_args->autologin_key = substr($random_key, 0, 24);
+			$autologin_args->security_key = substr($random_key, 24, 24);
 			$autologin_args->member_srl = $this->memberInfo->member_srl;
-			executeQuery('member.deleteAutologin', $autologin_args);
 			$autologin_output = executeQuery('member.insertAutologin', $autologin_args);
-			if($autologin_output->toBool()) setCookie('xeak',$autologin_args->autologin_key, $_SERVER['REQUEST_TIME']+31536000, '/');
+			if ($autologin_output->toBool())
+			{
+				Rhymix\Framework\Session::setAutologinKeys(substr($random_key, 0, 24), substr($random_key, 24, 24));
+			}
 		}

 		$this->setSessionInfo();