feat: secure cookie login with password_hash

- use password_hash() and password_verify() to secure cookie login Signed-off-by: SPC <[email protected]>
xiaomlove · Jan 4, 2025 · e051f8c · e051f8c
1 parent 353a013
commit e051f8c
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 63 deletions.
diff --git a/app/Auth/NexusWebGuard.php b/app/Auth/NexusWebGuard.php
@@ -70,7 +70,7 @@ public function validate(array $credentials = [])
         }
         $b_id = base64($credentials["c_secure_uid"],false);
         $id = intval($b_id ?? 0);
-        if (!$id || !is_valid_id($id) || strlen($credentials["c_secure_pass"]) != 32) {
+        if (!$id || !is_valid_id($id)) {
             return false;
         }
         $user = $this->provider->retrieveById($id);

diff --git a/app/Auth/NexusWebUserProvider.php b/app/Auth/NexusWebUserProvider.php
@@ -76,16 +76,17 @@ public function retrieveByCredentials(array $credentials)
      */
     public function validateCredentials(Authenticatable $user, array $credentials)
     {
+        $passh = base64_decode($credentials["c_secure_pass"]);
         if ($credentials["c_secure_login"] == base64("yeah")) {
             /**
              * Not IP related
              * @since 1.8.0
              */
-            if ($credentials["c_secure_pass"] != md5($user->passhash)) {
+            if (!password_verify($user->passhash, $passh)) {
                 return false;
             }
         } else {
-            if ($credentials["c_secure_pass"] !== md5($user->passhash)) {
+            if (!password_verify($user->passhash, $passh)) {
                 return false;
             }
         }

diff --git a/app/Http/Controllers/AuthenticateController.php b/app/Http/Controllers/AuthenticateController.php
@@ -59,8 +59,8 @@ public function passkeyLogin($passkey)
                  * @since 1.8.0
                  */
 //                $passhash = md5($user->passhash . $ip);
-                $passhash = md5($user->passhash);
-                do_log(sprintf('passhash: %s, ip: %s, md5: %s', $user->passhash, $ip, $passhash));
+                $passhash = base64_encode(password_hash($user->passhash, PASSWORD_DEFAULT))
+                do_log(sprintf('passhash: %s, ip: %s, password_hash: %s', $user->passhash, $ip, $passhash));
                 logincookie($user->id, $passhash,false, get_setting('system.cookie_valid_days', 365) * 86400, true, true, true);
                 $user->last_login = now();
                 $user->save();

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
@@ -86,23 +86,25 @@ private function getUserByCookie($cookie)
         }
         $b_id = base64($cookie["c_secure_uid"],false);
         $id = intval($b_id ?? 0);
-        if (!$id || !is_valid_id($id) || strlen($cookie["c_secure_pass"]) != 32) {
+        if (!$id || !is_valid_id($id)) {
             return null;
         }
         $user = User::query()->find($id);
         if (!$user) {
             return null;
         }
+
+        $passh = base64_decode($cookie["c_secure_pass"]);
         if ($cookie["c_secure_login"] == base64("yeah")) {
             /**
              * Not IP related
              * @since 1.8.0
              */
-            if ($cookie["c_secure_pass"] != md5($user->passhash)) {
+            if (!password_verify($user->passhash, $passh)) {
                 return null;
             }
         } else {
-            if ($cookie["c_secure_pass"] !== md5($user->passhash)) {
+            if (!password_verify($user->passhash, $passh)) {
                 return null;
             }
         }

diff --git a/include/functions.php b/include/functions.php
@@ -1980,24 +1980,14 @@ function userlogin() {
 	    do_log("$log, param not enough");
 	    return $loginResult = false;
     }
-	if ($_COOKIE["c_secure_login"] == base64("yeah"))
-	{
-		//if (empty($_SESSION["s_secure_uid"]) || empty($_SESSION["s_secure_pass"]))
-		//return;
-	}
+
 	$b_id = base64($_COOKIE["c_secure_uid"],false);
 	$id = intval($b_id ?? 0);
-	if (!$id || !is_valid_id($id) || strlen($_COOKIE["c_secure_pass"]) != 32) {
+	if (!$id || !is_valid_id($id)) {
         do_log("$log, invalid c_secure_uid");
         return $loginResult = false;
     }
 
-	if ($_COOKIE["c_secure_login"] == base64("yeah"))
-	{
-		//if (strlen($_SESSION["s_secure_pass"]) != 32)
-		//return;
-	}
-
 	$res = sql_query("SELECT * FROM users WHERE users.id = ".sqlesc($id)." AND users.enabled='yes' AND users.status = 'confirmed' LIMIT 1");
 	$row = mysql_fetch_array($res);
 	if (!$row) {
@@ -2009,29 +1999,31 @@ function userlogin() {
 
 	//die(base64_decode($_COOKIE["c_secure_login"]));
 
-	if ($_COOKIE["c_secure_login"] == base64("yeah"))
-	{
+    if ($_COOKIE["c_secure_login"] == base64("yeah"))
+    {
         /**
          * Not IP related
          * @since 1.8.0
          */
 //        $md5 = md5($row["passhash"].$ip);
-        $md5 = md5($row["passhash"]);
-        $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $md5";
-		if ($_COOKIE["c_secure_pass"] != $md5) {
-		    do_log("$log, c_secure_pass != md5");
+        $passh = base64_decode($_COOKIE["c_secure_pass"]);
+        $verify = password_verify($row["passhash"], $passh);
+        $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, password_hash: $passh";
+        if (!$verify) {
+            do_log("$log, password_verify fail!");
             return $loginResult = false;
         }
-	}
-	else
-	{
-	    $md5 = md5($row["passhash"]);
-        $log .= "$log, passhash: {$row['passhash']}, md5: $md5";
-		if ($_COOKIE["c_secure_pass"] !== $md5) {
-            do_log("$log, c_secure_pass != md5");
+    }
+    else
+    {
+        $passh = base64_decode($_COOKIE["c_secure_pass"]);
+        $verify = password_verify($row["passhash"], $passh);
+        $log .= ", passhash: {$row['passhash']}, password_hash: $passh";
+        if (!$verify) {
+            do_log("$log, password_verify fail!");
             return $loginResult = false;
         }
-	}
+    }
 
 	if ($_COOKIE["c_secure_login"] == base64("yeah"))
 	{
@@ -3015,22 +3007,22 @@ function logincookie($id, $passhash, $updatedb = 1, $expires = 0x7fffffff, $secu
 	if ($expires != 0x7fffffff)
 	$expires = time()+$expires;
 
-	setcookie("c_secure_uid", base64($id), $expires, "/", "", false, true);
-	setcookie("c_secure_pass", $passhash, $expires, "/", "", false, true);
+	setcookie("c_secure_uid", base64($id), $expires, "/", "", $ssl, true);
+	setcookie("c_secure_pass", $passhash, $expires, "/", "", $ssl, true);
 	if($ssl)
-	setcookie("c_secure_ssl", base64("yeah"), $expires, "/", "", false, true);
+	setcookie("c_secure_ssl", base64("yeah"), $expires, "/", "", $ssl, true);
 	else
-	setcookie("c_secure_ssl", base64("nope"), $expires, "/", "", false, true);
+	setcookie("c_secure_ssl", base64("nope"), $expires, "/", "", $ssl, true);
 
 	if($trackerssl)
-	setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/", "", false, true);
+	setcookie("c_secure_tracker_ssl", base64("yeah"), $expires, "/", "", $ssl, true);
 	else
-	setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/", "", false, true);
+	setcookie("c_secure_tracker_ssl", base64("nope"), $expires, "/", "", $ssl, true);
 
 	if ($securelogin)
-	setcookie("c_secure_login", base64("yeah"), $expires, "/", "", false, true);
+	setcookie("c_secure_login", base64("yeah"), $expires, "/", "", $ssl, true);
 	else
-	setcookie("c_secure_login", base64("nope"), $expires, "/", "", false, true);
+	setcookie("c_secure_login", base64("nope"), $expires, "/", "", $ssl, true);
 
 
 	if ($updatedb)

diff --git a/public/confirm.php b/public/confirm.php
@@ -32,13 +32,18 @@
 
 if ($securelogin == "yes")
 {
-	$securelogin_indentity_cookie = true;
-	$passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]);
+    $securelogin_indentity_cookie = true;
+    /**
+     * Not IP related
+     * @since 1.8.0
+     */
+    //	$passh = md5($row["passhash"].$_SERVER["REMOTE_ADDR"]);
+    $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT));
 }
-else	// when it's op, default is not use secure login
+else    // when it's op, default is not use secure login
 {
-	$securelogin_indentity_cookie = false;
-	$passh = md5($row["passhash"]);
+    $securelogin_indentity_cookie = false;
+    $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT));
 }
 logincookie($id, $passh,1,get_setting('system.cookie_valid_days', 365) * 86400,$securelogin_indentity_cookie);
 //sessioncookie($row["id"], $passh,false);

diff --git a/public/takelogin.php b/public/takelogin.php
@@ -46,20 +46,20 @@ function bark($text = "")
 
 if (isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes")
 {
-	$securelogin_indentity_cookie = true;
+    $securelogin_indentity_cookie = true;
     /**
      * Not IP related
      * @since 1.8.0
      */
 //	$passh = md5($row["passhash"].$ip);
-	$passh = md5($row["passhash"]);
-	$log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $passh";
+    $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT));
+    $log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, password_hash: $passh";
 }
 else
 {
-	$securelogin_indentity_cookie = false;
-	$passh = md5($row["passhash"]);
-    $log .= ",  passhash: {$row['passhash']}, md5: $passh";
+    $securelogin_indentity_cookie = false;
+    $passh = base64_encode(password_hash($row["passhash"], PASSWORD_DEFAULT));
+    $log .= ",  passhash: {$row['passhash']}, password_hash: $passh";
 }
 
 if ($securelogin=='yes' || (isset($_POST["ssl"]) && $_POST["ssl"] == "yes"))

diff --git a/public/usercp.php b/public/usercp.php
@@ -770,16 +770,21 @@ function browsecheck($dbtable, $cbname, array &$result){
 					$updateset[] = "passhash = " . sqlesc($passhash);
 
 					//die($securelogin . base64_decode($_COOKIE["c_secure_login"]));
-					if ($_COOKIE["c_secure_login"] == base64("yeah"))
-					{
-						$passh = md5($passhash . $_SERVER["REMOTE_ADDR"]);
-						$securelogin_indentity_cookie = true;
-					}
-					else
-					{
-						$passh = md5($passhash);
-						$securelogin_indentity_cookie = false;
-					}
+                    if ($_COOKIE["c_secure_login"] == base64("yeah"))
+                    {
+                        /**
+                         * Not IP related
+                         * @since 1.8.0
+                         */
+                        //	$passh = md5($passhash . $_SERVER["REMOTE_ADDR"]);
+                        $passh = base64_encode(password_hash($passhash, PASSWORD_DEFAULT));
+                        $securelogin_indentity_cookie = true;
+                    }
+                    else
+                    {
+                        $passh = base64_encode(password_hash($passhash, PASSWORD_DEFAULT));
+                        $securelogin_indentity_cookie = false;
+                    }
 
 					if($_COOKIE["c_secure_ssl"] == base64("yeah"))
 						$ssl = true;