Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookie is checked as "stolen" as false positive #68

Open
Offerel opened this issue Jul 9, 2022 · 0 comments
Open

Cookie is checked as "stolen" as false positive #68

Offerel opened this issue Jul 9, 2022 · 0 comments

Comments

@Offerel
Copy link

Offerel commented Jul 9, 2022

If token data is removed from database, but the cookie is present in the browser, line 143 (if (($data = $rcmail->get_dbh()->fetch_assoc($res)))) will be set to false. In this case the cookie is reported as "stolen" and all other (and also valid tokens) are removed from the database. If another browser now tries to login (with its saved cookie), this will fail also, is reported as stolen again, all other tokens will be removed and so on... in this case, login is stuck in a loop as log a valid local cookie is found in the browser.

I know, a stolen cookie can be a problem. But personally i think, removing all tokens for this user from the db, is not the right solution. Instead of this, the user should be notified, that there is a risk of a stolen cookie and let the decision what to do, to the user. Maybe we should record the IP address where this cookie was last used and present this to the user. If this IP is unknown to the user, the cookie is really stolen and all tokens should be removed. If the IP is known, then this is mostly no issue. A stolen cookie is at least in my eyes a very rare issue. Only to present the raw IP to the user in such a case is not helpful for unexperienced users, we should get more and additional info's about this IP address, like location, carrier ip address pool/range from specific carrier and time of this specific login. This info's should be gathered only at the time, this issue occurs, but not saved to the db, we need only the IP address.

In my bookmark back-end, i use a similar technique, feel free to use it here to:

function ip_info() {
	$ipArr = [];
	if(!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    
    $ipArr['ip'] = $ip;
    $wArr = preg_split('/\r\n|\r|\n/', shell_exec("whois '".addslashes($ipArr['ip'])."'"));
	foreach($wArr as $ipi ) {
		$iarr = explode(": ", $ipi);
		if($iarr[0] == "descr") {
			$ipArr['de'] = trim($iarr[1]);
			break;
		}
	}
	
	$ip_info = @json_decode(file_get_contents("http://www.geoplugin.net/json.gp?ip=".$ipArr['ip']));
	if($ip_info && $ip_info->geoplugin_countryName != null){
		$ipArr['co'] = $ip_info->geoplugin_continentName;
		$ipArr['ct'] = $ip_info->geoplugin_countryName;
		$ipArr['re'] = $ip_info->geoplugin_region;
		$ipArr['ua'] = $_SERVER['HTTP_USER_AGENT'];
		$ipArr['tm'] = time();
	}
	
	return $ipArr;
}

If saving the IP address in the database is fine for you, i can try to make pull request. But since is a huge privacy aspect, I'm not sure, if this i fine for your.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Offerel