ejectcore, posted May 11, 2008:
Hello prestashop, I have come across the following security issue. First, I logged in to the admin a few days ago to work on a project. Today I expected to log in again, but it just went straight in without verifying my username & password. We really need a login timeout after, say, 1 hour not in use???
haluzman, posted May 11, 2008:
Yes, that is right. I noticed that too. It has no time out.
Pursuant, posted May 11, 2008:
It has never had a timeout... Which has always concerned me. It would be something that could be easily added in the final v1 Stable.
ejectcore (author), posted May 19, 2008:
I have emailed the prestashop team regarding the session & cart cookie bug. Let's hope they can come up with a solution for the stable release & if possible resolve it before v1 Stable. I know you guys are really busy, but you seem to be ignoring some emails I have sent in the past couple of weeks.
ejectcore (author), posted May 22, 2008:
I have now spoken to the prestashop team about this issue & it seems this is not a bug after all. I was told the time-out duration of the cookie can be manually edited in header.php. I hope I'm not missing something simple, but as far as I can see there is no cookie to edit? However, I have found this on line 50 of Cookie.php, which I'm not sure has any relevance???

$this->_expire = isset($expire) ? intval($expire) : (time() + 1728000);

<?php
// header.php
require_once(dirname(__FILE__).'/init.php');

/* CSS */
$css_files[_THEME_CSS_DIR_.'global.css'] = 'all';

/* Hooks are deliberately kept out of the initialize array (they need those variables already assigned) */
$smarty->assign(array(
    'HOOK_HEADER' => Module::hookExec('header'),
    'HOOK_LEFT_COLUMN' => Module::hookExec('leftColumn'),
    'HOOK_TOP' => Module::hookExec('top')
));

if (isset($css_files) AND !empty($css_files))
    $smarty->assign('css_files', $css_files);
if (isset($js_files) AND !empty($js_files))
    $smarty->assign('js_files', $js_files);

/* Display a maintenance page if shop is closed */
if (isset($maintenance))
{
    header('HTTP/1.1 503 temporarily overloaded');
    $smarty->display(_PS_THEME_DIR_.'maintenance.tpl');
    exit;
}

$smarty->display(_PS_THEME_DIR_.'header.tpl');
?>
ejectcore (author), posted June 3, 2008:
These questions still remain unanswered. We can only assume you are dealing with these issues for the next release, RC4??? Although we are now on our 3rd shop conversion, I really need to keep in contact with the development of this system. As I have said, we are prepared to pay for modifications, but feel others should pay towards development costs as it may be useful to others in this community. We hope to hear from you shortly :-
d0m1n1k, posted June 5, 2008:
I'm a bit confused about that point, because admin/header.inc.php:

$cookie = new Cookie('psAdmin', substr($_SERVER['PHP_SELF'], strlen(__PS_BASE_URI__), -10));

uses 4 params and Cookie.php offers

function __construct($name, $path = '', $expire = NULL)

just 3, so the -10 gets ignored and the $expire is set by strlen(__PS_BASE_URI__), which doesn't make sense.

[edit] I don't know which connections get broken, but I think that changing Cookie.php #50

$this->_expire = isset($expire) ? intval($expire) : (time() + 1728000);

to

$this->_expire = (time() + 7200);

would set the expire time of the cookie to 2 hours.

Best regards
Dominik
Pursuant, posted June 5, 2008:
I think the problem might lie within the substr statement. No, nothing is wrong. It is just not sending an expire time. Change

$cookie = new Cookie('psAdmin', substr($_SERVER['PHP_SELF'], strlen(__PS_BASE_URI__), -10));

to

$cookie = new Cookie('psAdmin', substr($_SERVER['PHP_SELF'], strlen(__PS_BASE_URI__), -10), time() + 7200);

and it should work fine. $expire = NULL just sets a default value if none is specified by the call.
ejectcore (author), posted June 5, 2008:
Thanks for the help with this. I have changed header.inc.php; do I need to change this Cookie in login.php or anywhere else? I tried testing this by reducing the time down to + 300, but still I am logged in until manually logging out. Ideally, would it not be better to use sessions, so once the browser has closed this would log you out? Just a thought :-

/* Getting cookie or logout */
if (!class_exists('Cookie'))
    exit();
$cookie = new Cookie('psAdmin', substr($_SERVER['PHP_SELF'], strlen(__PS_BASE_URI__), -10), time() + 3200);
if (isset($_GET['logout']))
{
    $url_redirect = '';
    $cookie->logout();
}
ejectcore (author), posted June 7, 2008:
All working now, other than clearing cookies & reloading the browser. I will look into the cart cookie over the weekend to see if I can resolve this using a similar solution :- Thanks for all your help. It's nice to know everyone is willing to chip in to help each other in their hour of need. That's what a community is all about 8)
ObsessionO, posted February 15, 2009:
That's the issue I just posted about yesterday. I guess it's still not fixed. Assuming it's on the list of things to do. I think prestashop is a wonderful product, but security is also very important when choosing an application that will be used by dozens of other people. You want to make sure they are safe and their information is safe when they use your site.
ruppon, posted October 22, 2010:
I found the solution to force ending the admin/customer session after restarting the browser. This workaround is based on session_start(). Tested on PS 1.2.5.

For admin session

Open {admin_folder}/login.php, find:

/* Creating cookie */
$cookie->id_employee = $employee->id;
$cookie->lastname = $employee->lastname;
$cookie->firstname = $employee->firstname;

Insert before:

if (session_id() == '')   /* guard: init.php may already have started the session */
    session_start();
$_SESSION['loggedadmin'] = 1;

Open {admin_folder}/init.php, find:

$cookie = new Cookie('psAdmin', substr($_SERVER['SCRIPT_NAME'], strlen(__PS_BASE_URI__), -10));
if (isset($_GET['logout']))
{
    $url_redirect = '';
    $cookie->logout();
}

Replace with:

$cookie = new Cookie('psAdmin', substr($_SERVER['SCRIPT_NAME'], strlen(__PS_BASE_URI__), -10));
session_start();
/* No session flag (e.g. browser restarted, PHP session cookie gone): force a logout */
if (isset($_GET['logout']) || !isset($_SESSION['loggedadmin']))
{
    $url_redirect = '';
    session_destroy();
    $cookie->logout();
}

For customer session

Open {ps_root_folder}/authentication.php, find:

$cookie->id_customer = intval($customer->id);
$cookie->customer_lastname = $customer->lastname;
$cookie->customer_firstname = $customer->firstname;
$cookie->logged = 1;

Insert before:

if (session_id() == '')   /* guard against a second session_start() in the same request */
    session_start();
$_SESSION['loggedcustomer'] = 1;

Open {ps_root_folder}/identity.php, find:

if (!$cookie->isLogged())
    Tools::redirect('authentication.php?back=identity.php');

Insert before:

session_start();
/* Session flag missing: the browser was restarted since login, so end the cookie login too */
if (!isset($_SESSION['loggedcustomer']))
{
    session_destroy();
    $cookie->logout();
    Tools::redirect('authentication.php?back=identity.php');
}
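The fixes above (passing an expire time to the Cookie constructor, and ruppon's session flag) both lean on the browser: the cookie's Expires attribute is enforced by the client, so a captured cookie value can be replayed regardless of it. As an added example, not PrestaShop's code and not from any poster in this thread, the hypothetical AdminSessionPolicy below keeps the login and last-activity timestamps server-side and enforces both an idle limit and an absolute limit on every request; the 7200 s and 300 s values come from the thread, while the 8 h absolute cap and the injected-timestamp interface are assumptions made so it runs offline.

```php
<?php
// Added example (hypothetical helper, not PrestaShop code): the timeout is enforced
// on the server, in the session store, instead of relying on the cookie's Expires
// attribute, which only the browser enforces.
class AdminSessionPolicy
{
    private $idleLimit;      // seconds of inactivity allowed (thread: 2 h = 7200)
    private $absoluteLimit;  // hard cap on one login regardless of activity (assumed 8 h)

    public function __construct($idleLimit = 7200, $absoluteLimit = 28800)
    {
        $this->idleLimit = (int)$idleLimit;
        $this->absoluteLimit = (int)$absoluteLimit;
    }

    // Call once, right after the password check succeeds (login.php in the thread).
    public function start(array &$session, $now)
    {
        // Promote to a fresh id so a pre-login session id never becomes an admin one.
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        $session['admin'] = array('login_at' => $now, 'last_seen' => $now);
    }

    // Call on every admin request (init.php in the thread). Null while valid, else the reason.
    public function check(array &$session, $now)
    {
        if (!isset($session['admin']['login_at'], $session['admin']['last_seen'])) {
            return 'not_logged_in';
        }
        $admin = $session['admin'];
        if ($now - $admin['login_at'] > $this->absoluteLimit) {
            return 'absolute_timeout';
        }
        if ($now - $admin['last_seen'] > $this->idleLimit) {
            return 'idle_timeout';
        }
        $session['admin']['last_seen'] = $now;  // sliding window, but only while active
        return null;
    }
}
// Offline walk-through with constructed timestamps, mirroring the "+ 300" test in the thread.
$session = array();
$policy = new AdminSessionPolicy(300, 3600);
$policy->start($session, 1000);
assert($policy->check($session, 1200) === null);            // 200 s later: still valid
assert($policy->check($session, 1400) === null);            // keeps sliding while active
assert($policy->check($session, 1800) === 'idle_timeout');  // 400 s idle: re-login needed
```

In a real init.php the call would be $policy->check($_SESSION, time()) after session_start(), and a non-null result is handled like ruppon's logout branch (session_destroy() plus $cookie->logout()); the cookie lifetime from the Pursuant fix should still be set so the browser drops it too, but the server check is the authoritative one.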
HolyGuyZ, posted March 19, 2012:
Problems came back again on PS 1.4.4.1, and the above coding doesn't exist in PS 1.4.4.1.