Merge branch 'improve_session' into storageareas

scripts/ZoneMinder/lib/ZoneMinder/Config.pm.in

@@ -257,7 +257,7 @@ sub saveConfigToDB {
         $option->{category},
         $option->{readonly} ? 1 : 0,
         $option->{db_requires}
-        ) or croak( "Can't execute: ".$sth->errstr() );
+        ) or croak("Can't execute when updating config entry $$option{name}: ".$sth->errstr() );
   } # end foreach option
   $sth->finish();
 

scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in

@@ -3944,7 +3944,8 @@ our @options = (
   {
     name  =>  'ZM_COOKIE_LIFETIME',
     default =>  '3600',
-    description => q`The maximum life of a COOKIE used when setting up PHP's session handler.  This will affect how long a session will be valid for since the last request.  Keeping this short helps prevent session hijacking.  Keeping it long allows you to stay logged in longer without refreshing the view.`,
+    description => q`The maximum life of a COOKIE used when setting up PHP's session handler.`,
+  help          => q`This will affect how long a session will be valid for since the last request.  Keeping this short helps prevent session hijacking.  Keeping it long allows you to stay logged in longer without refreshing the view.`,
     type        =>  $types{integer},
     category    =>  'system',
   }

web/includes/auth.php

@@ -88,7 +88,7 @@ function userLogin($username='', $password='', $passwordHashed=false) {
   $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
   if ( $dbUser = dbFetchOne($sql, NULL, $sql_values) ) {
     Info("Login successful for user \"$username\"");
-    $_SESSION['user'] = $user = $dbUser;
+    $user = $dbUser;
     unset($_SESSION['loginFailed']);
     if ( ZM_AUTH_TYPE == 'builtin' ) {
       $_SESSION['passwordHash'] = $user['Password'];
@@ -204,7 +204,25 @@ function canEdit($area, $mid=false) {
 }
 
 if ( ZM_OPT_USE_AUTH ) {
-  if ( ZM_AUTH_HASH_LOGINS && empty($user) && ! empty($_REQUEST['auth']) ) {
+  if ( isset($_SESSION['username']) ) {
+    # Need to refresh permissions and validate that the user still exists
+    $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
+    $user = dbFetchOne($sql, NULL, array($_SESSION['username']));
+  }
+
+  $close_session = 0;
+  if ( !is_session_started() ) {
+    session_start();
+    $close_session = 1;
+  }
+
+  if ( ZM_AUTH_RELAY == 'plain' ) {
+    // Need to save this in session
+    $_SESSION['password'] = $password;
+  }
+  $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
+
+  if ( ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST['auth']) ) {
     if ( $authUser = getAuthUser($_REQUEST['auth']) ) {
       userLogin($authUser['Username'], $authUser['Password'], true);
     }
@@ -215,5 +233,9 @@ if ( ZM_OPT_USE_AUTH ) {
     // generate it once here, while session is open.  Value will be cached in session and return when called later on
     generateAuthHash(ZM_AUTH_HASH_IPS);
   }
+  if ( $close_session )
+    session_write_close();
+} else {
+  $user = $defaultUser;
 }
 ?>

web/includes/session.php

@@ -20,18 +20,16 @@ function zm_session_start() {
   ini_set('session.name', 'ZMSESSID');
 
   session_start();
-  // Do not allow to use too old session ID
-  if ( !empty($_SESSION['last_time']) && ( $_SESSION['last_time'] < (time() - 180) ) ) {
+  // Do not allow to use expired session ID
+  if ( !empty($_SESSION['last_time']) && ($_SESSION['last_time'] < (time() - 180)) ) {
     Info('Destroying session due to timeout. ');
     session_destroy();
     session_start();
   }
-}
+} // function zm_session_start()
 
 // My session regenerate id function
 function zm_session_regenerate_id() {
-  // Call session_create_id() while session is active to 
-  // make sure collision free.
   if ( session_status() != PHP_SESSION_ACTIVE ) {
     session_start();
   }
@@ -43,7 +41,8 @@ function zm_session_regenerate_id() {
 
   session_start();
   session_regenerate_id();
-}
+  unset($_SESSION['last_time']);
+} // function zm_session_regenerate_id()
 
 function is_session_started() {
   if ( php_sapi_name() !== 'cli' ) {
@@ -56,7 +55,7 @@ function is_session_started() {
     Warning("php_sapi_name === 'cli'");
   }
   return FALSE;
-}
+} // function is_session_started()
 
 function zm_session_clear() {
   session_start();
@@ -68,5 +67,5 @@ function zm_session_clear() {
   }
   session_unset();
   session_destroy();
-}
+} // function zm_session_clear()
 ?>

web/index.php

@@ -117,25 +117,26 @@ $skinBase[] = $skin;
 
 zm_session_start();
 
-if ( !isset($_SESSION['skin']) || isset($_REQUEST['skin']) || !isset($_COOKIE['zmSkin']) || $_COOKIE['zmSkin'] != $skin ) {
+if (
+  !isset($_SESSION['skin']) ||
+  isset($_REQUEST['skin']) ||
+  !isset($_COOKIE['zmSkin']) ||
+  $_COOKIE['zmSkin'] != $skin
+) {
   $_SESSION['skin'] = $skin;
   setcookie('zmSkin', $skin, time()+3600*24*30*12*10);
 }
 
-if ( !isset($_SESSION['css']) || isset($_REQUEST['css']) || !isset($_COOKIE['zmCSS']) || $_COOKIE['zmCSS'] != $css ) {
+if (
+  !isset($_SESSION['css']) ||
+  isset($_REQUEST['css']) ||
+  !isset($_COOKIE['zmCSS']) ||
+  $_COOKIE['zmCSS'] != $css
+) {
   $_SESSION['css'] = $css;
   setcookie('zmCSS', $css, time()+3600*24*30*12*10);
 }
 
-if ( ZM_OPT_USE_AUTH ) {
-  if ( isset($_SESSION['user']) ) {
-    $user = $_SESSION['user'];
-  } else {
-    unset($user);
-  }
-} else {
-  $user = $defaultUser;
-}
 # Only one request can open the session file at a time, so let's close the session here to improve concurrency.
 # Any file/page that sets session variables must re-open it.
 session_write_close();
@@ -168,12 +169,14 @@ $request = null;
 if ( isset($_REQUEST['request']) )
   $request = detaintPath($_REQUEST['request']);
 
-foreach ( getSkinIncludes('skin.php') as $includeFile )
-  require_once $includeFile;
-
 # User Login will be performed in auth.php
 require_once('includes/auth.php');
 
+foreach ( getSkinIncludes('skin.php') as $includeFile ) {
+  #Logger::Debug("including $includeFile");
+  require_once $includeFile;
+}
+
 if ( isset($_REQUEST['action']) )
   $action = detaintPath($_REQUEST['action']);
 
@@ -209,13 +212,14 @@ if ( $action ) {
 }
 
 # If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
-if ( ZM_OPT_USE_AUTH and !isset($user) ) {
+if ( ZM_OPT_USE_AUTH and !isset($user) and ($view != 'login') ) {
   Logger::Debug('Redirecting to login');
-  $view = 'login';
+  $view = 'none';
+  $redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=login';
   $request = null;
 } else if ( ZM_SHOW_PRIVACY && ($action != 'privacy') && ($view != 'options') && (!$request) && canEdit('System') ) {
-  Logger::Debug('Redirecting to privacy');
-  $view = 'privacy';
+  $view = 'none';
+  $redirect = ZM_BASE_URL.$_SERVER['PHP_SELF'].'?view=privacy';
   $request = null;
 }
 

web/skins/classic/views/login.php

@@ -19,10 +19,10 @@ xhtmlHeaders(__FILE__, translate('Login') );
         <h1><i class="material-icons md-36">account_circle</i> <?php echo ZM_WEB_TITLE . ' ' . translate('Login') ?></h1>
 	
 				<label for="inputUsername" class="sr-only"><?php echo translate('Username') ?></label>
-				<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Username" required autofocus />
+				<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Username" required autofocus autocomplete="username"/>
 	
 				<label for="inputPassword" class="sr-only"><?php echo translate('Password') ?></label>
-				<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required />
+				<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required autocomplete="current-password"/>
 	
 				<?php
 				if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')