From 57331187f91b7a5c77b9e8f3be929b81ec62fe5e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 8 Jan 2021 15:35:28 +0100
Subject: [PATCH] Force SessionHandler::$isACP to be false

This causes the ACP to reuse the frontend session. This improves the user experience for enabled multi-factor authentication, because the ACP will no longer require both the password *and* an additional MFA code when the user's web browser is already authenticated in the frontend. Additionally it will allow to simplify the whole session handling logic, due to the future removal of several code branches. This removal of the branches is not yet done to keep this commit simple. As of right now the ACP will have reduced security compared to the situation in 5.3, because no passwords will be asked either. This will also be fixed in a future commit by using the reauthentication framework.
---
 com.woltlab.wcf/package.xml | 1 +
 .../acp/update_com.woltlab.wcf_5.4_session_1_cookies.php | 6 +++---
 .../files/lib/system/session/SessionHandler.class.php | 3 +--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/com.woltlab.wcf/package.xml b/com.woltlab.wcf/package.xml
index f0c44823e7..c298504d93 100644
--- a/com.woltlab.wcf/package.xml
+++ b/com.woltlab.wcf/package.xml
@@ -69,6 +69,7 @@ tar cvf com.woltlab.wcf/files_pre.tar -C wcfsetup/install/files/ \ acp/update_com.woltlab.wcf_5.4_session_1_cookies.php acp/update_com.woltlab.wcf_5.4_session_2_user_session.php +
diff --git a/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php b/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
index 1d57873337..50742a500d 100644
--- a/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php
+++ b/wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_session_1_cookies.php 
@@ -19,8 +19,8 @@ use wcf\util\HeaderUtil;
 // 1) Check whether the cookies are already in place.
 $hasValidSessionCookie = false;
-if (!empty($_COOKIE[COOKIE_PREFIX."acp_session"])) {
- $cookieValue = CryptoUtil::getValueFromSignedString($_COOKIE[COOKIE_PREFIX."acp_session"]);
+if (!empty($_COOKIE[COOKIE_PREFIX."user_session"])) {
+ $cookieValue = CryptoUtil::getValueFromSignedString($_COOKIE[COOKIE_PREFIX."user_session"]);
 if ($cookieValue && \mb_strlen($cookieValue, '8bit') === 26) {
 $sessionID = \bin2hex(\mb_substr($cookieValue, 1, 20, '8bit'));
 if ($sessionID === WCF::getSession()->sessionID) {
@@ -43,7 +43,7 @@ if ($hasValidSessionCookie && $hasValidXsrfToken) {
 // 2) Set new session cookie.
 HeaderUtil::setCookie(
- "acp_session",
+ "user_session",
 CryptoUtil::createSignedString(
 \pack(
 'CA20CN',
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 14b8742486..435546321c 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -18,7 +18,6 @@ use wcf\system\request\RouteHandler;
 use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
-use wcf\system\WCFACP;
 use wcf\util\CryptoUtil;
 use wcf\util\HeaderUtil;
 use wcf\util\UserUtil;
@@ -186,7 +185,7 @@ final class SessionHandler extends SingletonFactory {
 * @inheritDoc
 */
 protected function init() {
- $this->isACP = (class_exists(WCFACP::class, false) || !PACKAGE_ID);
+ $this->isACP = false;
 $this->usersOnlyPermissions = UserGroupOptionCacheBuilder::getInstance()->getData([], 'usersOnlyOptions');
 }
-- 
2.20.1
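Review bot: The length check `=== 26` and the slice `\mb_substr($cookieValue, 1, 20, '8bit')` on the renamed `user_session` cookie are magic numbers that only make sense next to the `\pack('CA20CN', …)` call further down in this file, so a reader of step 1 alone cannot tell why 26 or why offset 1. A one-line comment at the check would close that gap, e.g. `// Layout matches \pack('CA20CN', ...) in step 2: 1 + 20 (session ID) + 1 + 4 = 26 bytes.` The check in step 1 and the `HeaderUtil::setCookie()` call in step 2 now both hard-code the literal `"user_session"`; hoisting it once, `$cookieName = COOKIE_PREFIX."user_session";`, would keep the two from drifting apart the way the old `acp_session` pair had to be renamed in lockstep here. The enclosing `if` block continues outside the hunk.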
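Review bot: `$this->isACP = false;` in `init()` turns a computed flag into a constant while the rest of `SessionHandler` (outside this hunk) presumably still branches on `$this->isACP`, and the commit message itself notes that the ACP now runs on the shared frontend session without its own password or MFA step until the reauthentication framework lands. That interim weakening should be visible at the assignment rather than only in the commit history; suggest `// TODO: ACP shares the frontend session without reauthentication for now; drop the remaining $isACP branches once the reauthentication framework gates ACP access.` With `use wcf\system\WCFACP;` removed in the preceding hunk, any other `WCFACP` reference remaining in this class would now need a fully qualified name — worth a check, since only the import block and `init()` are visible here. `init()` starts and ends within the hunk; the class continues outside it.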