Refactor cookie handling for user authentication; implement secure payload structure and cleanup invalid cookies

2025-12-16 23:34:54 +01:00
parent 290aa31aa7
commit d4fe312cb6
2 changed files with 59 additions and 40 deletions
--- a/admin/index.php
+++ b/admin/index.php
@@ -85,21 +85,46 @@ $user = \S::get_session( 'user', true );
 \admin\Site::update();
 \admin\Site::special_actions();

-$domain       = preg_replace( '#^(http(s)?://)?w{3}\.#', '$1', $_SERVER['SERVER_NAME'] );
-$cookie_name  = str_replace( '.', '-', $domain );
+$domain       = preg_replace( '/^www\./', '', $_SERVER['SERVER_NAME'] );
+$cookie_name  = 'admin_remember_' . str_replace( '.', '-', $domain );

 if ( isset( $_COOKIE[$cookie_name] ) && !isset( $_SESSION['user'] ) )
 {
-  $obj      = json_decode( $_COOKIE[$cookie_name] );
-  $login    = $obj -> {'login'};
-  $password = $obj -> {'hash'};
-
-  if ( $mdb -> get( 'pp_users', '*', [ 'AND' => [ 'login' => $login, 'status' => 1, 'password' => $password ] ] ) )
+  $payload = base64_decode($_COOKIE[$cookie_name]);
+  if ($payload !== false && strpos($payload, '.') !== false)
  {
-    \S::set_session( 'user', \admin\factory\Users::details( $login ) );
-    header( 'Location: /admin/articles/view_list/' );
-    exit;
+    list($json, $sig) = explode('.', $payload, 2);
+    $expected_sig = hash_hmac('sha256', $json, \admin\Site::APP_SECRET_KEY);
+
+    if (hash_equals($expected_sig, $sig))
+    {
+      $data = json_decode($json, true);
+      if ($data && isset($data['login']) && isset($data['ts']))
+      {
+        // Sprawdź czy cookie nie wygasło (14 dni)
+        if ((time() - $data['ts']) < (86400 * 14))
+        {
+          $user_data = $mdb->get('pp_users', '*', ['AND' => ['login' => $data['login'], 'status' => 1]]);
+          if ($user_data)
+          {
+            \S::set_session('user', \admin\factory\Users::details($data['login']));
+            $redirect = $_SERVER['REQUEST_URI'] ?: '/admin/articles/view_list/';
+            header('Location: ' . $redirect);
+            exit;
+          }
+        }
+      }
+    }
  }
+  // Jeśli coś poszło nie tak, usuń nieprawidłowe cookie
+  setcookie($cookie_name, '', [
+    'expires'  => time() - 86400,
+    'path'     => '/',
+    'domain'   => $domain,
+    'secure'   => true,
+    'httponly' => true,
+    'samesite' => 'Lax',
+  ]);
 }

 echo \admin\view\Page::show();