From 14cb4bb09aa9ecae7e54e0a7d748848547bcfb55 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Mon, 19 Feb 2024 15:00:32 -0500
Subject: [PATCH 1/3] set the remember me token from 14 Days to 2 Days or 48 Hours
---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login.php b/login.php
index 5cf951350..3e28487d4 100644
--- a/login.php
+++ b/login.php
@@ -126,7 +126,7 @@
 if ($bypass_2fa) {
 if (isset($_POST['remember_me'])) {
 $newRememberToken = bin2hex(random_bytes(64));
- setcookie('rememberme', $newRememberToken, time() + 86400*14, "/", null, true, true);
+ setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true);
 $updateTokenQuery = "UPDATE user_settings SET user_config_remember_me_token = '$newRememberToken' WHERE user_id = $user_id";
 mysqli_query($mysqli, $updateTokenQuery);
 }
From 4fddeb88b75d3e3187cdcfb87f4530eb5351b217 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Tue, 20 Feb 2024 14:53:32 -0500
Subject: [PATCH 2/3] Fix issue with password managers asking for passwords when migrating away from the assets page
---
 client_assets.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/client_assets.php b/client_assets.php
index 81356f28c..dfeebb11f 100644
--- a/client_assets.php
+++ b/client_assets.php
@@ -311,6 +311,9 @@
+
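Review bot: The two-day limit on the changed `setcookie` line is enforced only by the browser; the server side on the `$updateTokenQuery` line still stores the bare token with no timestamp, so a token captured from a device, or an old cookie replayed by an attacker, keeps bypassing 2FA indefinitely until the user next ticks remember me. Record when the token was issued and reject it after the same window in the cookie check, which is what the `remember_token_created_at` column introduced later in this series does. Separately, the cookie is Secure and HttpOnly but carries no SameSite attribute; if the deployment runs PHP 7.3 or newer, the options-array form of `setcookie` lets you add `'samesite' => 'Lax'`. The enclosing `if ($bypass_2fa)` block and the origin of `$user_id` are outside this hunk.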
+ +
@@ -318,11 +321,7 @@
- - -
- -
+
From c2cf0bb448fc0ce3afb283a523ad2ee48236207e Mon Sep 17 00:00:00 2001
From: o-psi
Date: Thu, 22 Feb 2024 17:45:09 +0000
Subject: [PATCH 3/3] Change remember me tokens to a many:many table to allow for multiple devices to be remembered.
---
 database_updates.php | 13 ++++++++++---
 database_version.php | 2 +-
 db.sql | 16 ++++++++++++++++
 login.php | 15 +++++++++++----
 4 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/database_updates.php b/database_updates.php
index 987f600d1..7559f1cf9 100644
--- a/database_updates.php
+++ b/database_updates.php
@@ -1607,10 +1607,17 @@
 mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.6'");
 }
- // if (CURRENT_DATABASE_VERSION == '1.0.6') {
- // // Insert queries here required to update to DB version 1.0.7
+ if (CURRENT_DATABASE_VERSION == '1.0.6') {
+ // Insert queries here required to update to DB version 1.0.7
+ mysqli_query($mysqli, "CREATE TABLE `remember_tokens` (`remember_token_id` int(11) NOT NULL AUTO_INCREMENT,`remember_token_token` varchar(255) NOT NULL,`remember_token_user_id` int(11) NOT NULL,`remember_token_created_at` datetime NOT NULL DEFAULT current_timestamp()");
+ // Then, update the database to the next sequential version
+ mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'");
+ }
+
+ // if (CURRENT_DATABASE_VERSION == '1.0.7') {
+ // // Insert queries here required to update to DB version 1.0.8
+ // // Then, update the database to the next sequential version
- mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.7'");
+ // mysqli_query($mysqli, "UPDATE `settings` SET `config_current_database_version` = '1.0.8'");
 // }
 } else {
diff --git a/database_version.php b/database_version.php
index 9d80a0a05..c1dcafe27 100644
--- a/database_version.php
+++ b/database_version.php
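Review bot: The `CREATE TABLE` string in the new 1.0.6 → 1.0.7 block is not valid SQL: the column list is never closed and the AUTO_INCREMENT column is not part of any key, so the statement fails, and because the return value of `mysqli_query` is not checked the next line still bumps `config_current_database_version` to 1.0.7, leaving every upgraded install without the table that login.php now queries on each login. End the statement with `..., remember_token_created_at datetime NOT NULL DEFAULT current_timestamp(), PRIMARY KEY (remember_token_id), KEY (remember_token_user_id))` and write the version bump only when the CREATE returned true. The column types also differ from the `db.sql` definition in the same commit (int(11)/varchar(255)/datetime here, int unsigned/varchar(100)/timestamp there); use one definition so fresh and upgraded databases match. The migration chain this block sits in continues before and after the hunk.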
@@ -5,5 +5,5 @@
 * It is used in conjunction with database_updates.php
 */
-DEFINE("LATEST_DATABASE_VERSION", "1.0.6");
+DEFINE("LATEST_DATABASE_VERSION", "1.0.7");
diff --git a/db.sql b/db.sql
index 01a0ecfed..4c8aa20ab 100644
--- a/db.sql
+++ b/db.sql
@@ -1041,6 +1041,22 @@ CREATE TABLE `recurring_expenses` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
 /*!40101 SET character_set_client = @saved_cs_client */;
+--
+-- Table structure for table remember_tokens
+--
+
+DROP TABLE IF EXISTS `remember_tokens`;
+/*!40101 SET @saved_cs_client = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `remember_tokens` (
+ `remember_token_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+ `remember_token_user_id` int(10) unsigned NOT NULL,
+ `remember_token_token` varchar(100) NOT NULL,
+ `remember_token_created_at` timestamp NOT NULL DEFAULT current_timestamp(),
+ PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+
 --
 -- Table structure for table `revenues`
 --
diff --git a/login.php b/login.php
index 3e28487d4..ef6976651 100644
--- a/login.php
+++ b/login.php
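Review bot: The new `remember_tokens` table declares `PRIMARY KEY (id)` but has no `id` column (it is named `remember_token_id`), so this CREATE TABLE fails and a fresh install from db.sql never gets the table; change it to `PRIMARY KEY (remember_token_id)`. The `remember_token_token varchar(100)` column is also too short for the value login.php writes: `bin2hex(random_bytes(64))` is 128 characters, so under strict SQL mode the INSERT is rejected and otherwise the stored token is silently truncated and the later `hash_equals` comparison against the full cookie never matches. Use `remember_token_token char(128) NOT NULL` (or varchar(128)), and add `KEY remember_token_user_id (remember_token_user_id)` since the lookup in login.php filters on that column. Consider also whether the table should store a hash of the token rather than the token itself, since a readable copy of this table is a 2FA bypass.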
@@ -111,14 +111,21 @@
 $user_email = sanitizeInput($row['user_email']);
 $token = sanitizeInput($row['user_token']);
 $force_mfa = intval($row['user_config_force_mfa']);
- $remember_token = $row['user_config_remember_me_token'];
 if($force_mfa == 1 && $token == NULL) {
 $config_start_page = "user_security.php";
 }
+ // Get remember tokens less than 2 days old
+ $remember_tokens = mysqli_query($mysqli, "SELECT remember_token_token FROM remember_tokens WHERE remember_token_user_id = $user_id AND remember_token_created_at > (NOW() - INTERVAL 2 DAY)");
+
 $bypass_2fa = false;
- if (isset($_COOKIE['rememberme']) && $_COOKIE['rememberme'] == $remember_token) {
- $bypass_2fa = true;
+ if (isset($_COOKIE['rememberme'])) {
+ while ($row = mysqli_fetch_assoc($remember_tokens)) {
+ if (hash_equals($row['remember_token_token'], $_COOKIE['rememberme'])) {
+ $bypass_2fa = true;
+ break;
+ }
+ }
 } elseif (empty($token) || TokenAuth6238::verify($token, $current_code)) {
 $bypass_2fa = true;
 }
@@ -127,7 +134,7 @@
 if (isset($_POST['remember_me'])) {
 $newRememberToken = bin2hex(random_bytes(64));
 setcookie('rememberme', $newRememberToken, time() + 86400*2, "/", null, true, true);
- $updateTokenQuery = "UPDATE user_settings SET user_config_remember_me_token = '$newRememberToken' WHERE user_id = $user_id";
+ $updateTokenQuery = "INSERT INTO remember_tokens (remember_token_user_id, remember_token_token) VALUES ($user_id, '$newRememberToken')";
 mysqli_query($mysqli, $updateTokenQuery);
 }
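Review bot: The new `if (isset($_COOKIE['rememberme'])) { … } elseif (…)` shape is a regression: when the cookie is present but matches no row (an expired row, a cookie issued before this migration since nothing copies `user_config_remember_me_token` into the new table, or a cookie from another account on the same browser) `$bypass_2fa` stays false even though the user supplied a valid TOTP code or has no TOTP secret at all (`empty($token)`), whereas the old `&&` condition fell through to the `elseif` on mismatch. Presumably that sends them to the 2FA prompt, which they cannot pass for as long as the stale cookie persists. The loop also reuses `$row`, clobbering the user record fetched just above, and if the SELECT fails (for example because `remember_tokens` does not exist) `$remember_tokens` is `false` and `mysqli_fetch_assoc` throws a TypeError on PHP 8. Check the cookie first and then fall back to the TOTP path whenever it did not match, as below. Whether `$row` is read again later in the login flow is outside this hunk.
```php
// … unchanged: user row lookup and $force_mfa handling …
$bypass_2fa = false;
if (isset($_COOKIE['rememberme']) && $remember_tokens !== false) {
    // $row still holds the user record; use a separate variable for token rows
    while ($token_row = mysqli_fetch_assoc($remember_tokens)) {
        if (hash_equals($token_row['remember_token_token'], $_COOKIE['rememberme'])) {
            $bypass_2fa = true;
            break;
        }
    }
}
// A stale or foreign cookie must not block the normal TOTP path
if (!$bypass_2fa && (empty($token) || TokenAuth6238::verify($token, $current_code))) {
    $bypass_2fa = true;
}
```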
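Review bot: The INSERT on the `$updateTokenQuery` line stores the remember-me token in clear text, so anyone who can read the table (a backup, a SQL injection elsewhere in the application, a database operator) holds a credential that skips 2FA for two days; store `hash('sha256', $newRememberToken)` instead and compare `hash_equals($row['remember_token_token'], hash('sha256', $_COOKIE['rememberme']))` in the lookup. Nothing ever deletes rows: the SELECT only filters by age, so the table grows by one row per remembered login; run `mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_created_at < (NOW() - INTERVAL 2 DAY)");` alongside the INSERT or on a schedule. The two-day window now lives in two places (`86400*2` here and `INTERVAL 2 DAY` in the SELECT); a single constant keeps them from drifting. `$user_id` is interpolated unquoted into the statement and is defined outside the hunk, so confirm it is an integer taken from the user row rather than from request input, or switch to a prepared statement.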