Merge pull request #693 from OmarElGabry/develop

[testing] Security Enhancements(Session, Cookie, CSRF) & Encryption.

Author: panique

application/_installation/02-create-table-users.sql

@@ -1,5 +1,6 @@
 CREATE TABLE IF NOT EXISTS `huge`.`users` (
  `user_id` int(11) NOT NULL AUTO_INCREMENT COMMENT 'auto incrementing user_id of each user, unique index',
+ `session_id` varchar(48) DEFAULT NULL COMMENT 'stores session cookie id to prevent session concurrency',
  `user_name` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'user''s name, unique',
  `user_password_hash` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL COMMENT 'user''s password in salted and hashed format',
  `user_email` varchar(64) COLLATE utf8_unicode_ci NOT NULL COMMENT 'user''s email, unique',
@@ -22,9 +23,9 @@ CREATE TABLE IF NOT EXISTS `huge`.`users` (
  UNIQUE KEY `user_email` (`user_email`)
 ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='user data';
 
-INSERT INTO `huge`.`users` (`user_id`, `user_name`, `user_password_hash`, `user_email`, `user_active`, `user_deleted`, `user_account_type`,
+INSERT INTO `huge`.`users` (`user_id`, `session_id`, `user_name`, `user_password_hash`, `user_email`, `user_active`, `user_deleted`, `user_account_type`,
 `user_has_avatar`, `user_remember_me_token`, `user_creation_timestamp`, `user_suspension_timestamp`, `user_last_login_timestamp`,
 `user_failed_logins`, `user_last_failed_login`, `user_activation_hash`, `user_password_reset_hash`,
 `user_password_reset_timestamp`, `user_provider_type`) VALUES
-  (1, 'demo', '$2y$10$OvprunjvKOOhM1h9bzMPs.vuwGIsOqZbw88rzSyGCTJTcE61g5WXi', '[email protected]', 1, 0, 7, 0, NULL, 1422205178, NULL, 1422209189, 0, NULL, NULL, NULL, NULL, 'DEFAULT'),
-  (2, 'demo2', '$2y$10$OvprunjvKOOhM1h9bzMPs.vuwGIsOqZbw88rzSyGCTJTcE61g5WXi', '[email protected]', 1, 0, 1, 0, NULL, 1422205178, NULL, 1422209189, 0, NULL, NULL, NULL, NULL, 'DEFAULT');
+  (1, NULL, 'demo', '$2y$10$OvprunjvKOOhM1h9bzMPs.vuwGIsOqZbw88rzSyGCTJTcE61g5WXi', '[email protected]', 1, 0, 7, 0, NULL, 1422205178, NULL, 1422209189, 0, NULL, NULL, NULL, NULL, 'DEFAULT'),
+  (2, NULL, 'demo2', '$2y$10$OvprunjvKOOhM1h9bzMPs.vuwGIsOqZbw88rzSyGCTJTcE61g5WXi', '[email protected]', 1, 0, 1, 0, NULL, 1422205178, NULL, 1422209189, 0, NULL, NULL, NULL, NULL, 'DEFAULT');

application/config/config.development.php

@@ -83,9 +83,22 @@
 	 * COOKIE_PATH is the path the cookie is valid on, usually "/" to make it valid on the whole domain.
 	 * @see http://stackoverflow.com/q/9618217/1114320
 	 * @see php.net/manual/en/function.setcookie.php
+     *
+     * COOKIE_DOMAIN: The domain where the cookie is valid for.
+     *      COOKIE_DOMAIN mightn't work with "localhost", ".localhost", "127.0.0.1", or ".127.0.0.1". If so, leave it as empty string, false or null.
+     *      @see http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain
+     *      @see http://php.net/manual/en/function.setcookie.php#73107
+     *
+     * COOKIE_SECURE: If the cookie will be transferred through secured connection(SSL). It's highly recommended to set it to true if you have secured connection.
+     * COOKIE_HTTP: If set to true, Cookies that can't be accessed by JS - Highly recommended!
+     * SESSION_RUNTIME: How long should a session cookie be valid by seconds, 604800 = 1 week.
 	 */
 	'COOKIE_RUNTIME' => 1209600,
 	'COOKIE_PATH' => '/',
+    'COOKIE_DOMAIN' => "",
+    'COOKIE_SECURE' => false,
+    'COOKIE_HTTP' => true,
+    'SESSION_RUNTIME' => 604800,
 	/**
 	 * Configuration for: Avatars/Gravatar support
 	 * Set to true if you want to use "Gravatar(s)", a service that automatically gets avatar pictures via using email
@@ -99,6 +112,12 @@
 	'AVATAR_SIZE' => 44,
 	'AVATAR_JPEG_QUALITY' => 85,
 	'AVATAR_DEFAULT_IMAGE' => 'default.jpg',
+    /**
+     * Configuration for: Encryption Keys
+     *
+     */
+    'ENCRYPTION_KEY' => '6#x0gÊìf^25cL1f$08&',
+    'HMAC_SALT' => '8qk9c^4L6d#15tM8z7n0%',
 	/**
 	 * Configuration for: Email server credentials
 	 *

application/controller/LoginController.php

@@ -35,6 +35,12 @@ public function index()
      */
     public function login()
     {
+
+        // check if csrf token is valid
+        if (!Csrf::isTokenValid()) {
+            self::logout();
+        }
+
         // perform the login method, put result (true or false) into $login_successful
         $login_successful = LoginModel::login(
             Request::post('user_name'), Request::post('user_password'), Request::post('set_remember_me_cookie')
@@ -60,6 +66,7 @@ public function logout()
     {
         LoginModel::logout();
         Redirect::home();
+        exit();
     }
 
     /**
@@ -113,6 +120,12 @@ public function editUsername()
     public function editUsername_action()
     {
         Auth::checkAuthentication();
+
+        // check if csrf token is valid
+        if (!Csrf::isTokenValid()) {
+            self::logout();
+        }
+
         UserModel::editUserName(Request::post('user_name'));
         Redirect::to('login/index');
     }

application/core/Auth.php

@@ -18,6 +18,8 @@ public static function checkAuthentication()
         // initialize the session (if not initialized yet)
         Session::init();
 
+        // self::checkSessionConcurrency();
+
         // if user is NOT logged in...
         // (if user IS logged in the application will not run the code below and therefore just go on)
         if (!Session::userIsLoggedIn()) {
@@ -45,6 +47,8 @@ public static function checkAdminAuthentication()
         // initialize the session (if not initialized yet)
         Session::init();
 
+        // self::checkSessionConcurrency();
+
         // if user is not logged in or is not an admin (= not role type 7)
         if (!Session::userIsLoggedIn() || Session::get("user_account_type") != 7) {
             // ... then treat user as "not logged in", destroy session, redirect to login page
@@ -56,4 +60,19 @@ public static function checkAdminAuthentication()
             exit();
         }
     }
+
+    /**
+     * Detects if there is concurrent session(i.e. another user logged in with the same current user credentials),
+     * If so, then logout.
+     *
+     */
+    public static function checkSessionConcurrency(){
+        if(Session::userIsLoggedIn()){
+            if(Session::isConcurrentSessionExists()){
+                LoginModel::logout();
+                Redirect::home();
+                exit();
+            }
+        }
+    }
 }

application/core/Controller.php

@@ -20,6 +20,9 @@ function __construct()
         // always initialize a session
         Session::init();
 
+        // check session concurrency
+        Auth::checkSessionConcurrency();
+
         // user is not logged in but has remember-me-cookie ? then try to login with cookie ("remember me" feature)
         if (!Session::userIsLoggedIn() AND Request::cookie('remember_me')) {
             header('location: ' . Config::get('URL') . 'login/loginWithCookie');

application/core/Csrf.php

@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Cross Site Request Forgery Class
+ *
+ */
+
+/**
+ * Instructions:
+ *
+ * At your form, before the submit button put:
+ * <input type="hidden" name="csrf_token" value="<?= Csrf::makeToken(); ?>" />
+ *
+ * This validation needed in the controller action method to validate CSRF token submitted with the form:
+ * if (!Csrf::isTokenValid()) {
+ *      Login::logout();
+ *  }
+ * And that's all
+ */
+class Csrf {
+
+    /**
+     * get CSRF token and generate a new one if expired
+     *
+     * @access public
+     * @static static method
+     * @return string
+     */
+    public static function makeToken() {
+
+        $max_time    = 60 * 60 * 24; // token is valid for 1 day
+        $stored_time = Session::get('csrf_token_time');
+        $csrf_token  = Session::get('csrf_token');
+
+        if($max_time + $stored_time <= time() || empty($csrf_token)){
+            Session::set('csrf_token', md5(uniqid(rand(), true)));
+            Session::set('csrf_token_time', time());
+        }
+
+        return Session::get('csrf_token');
+    }
+
+    /**
+     * checks if CSRF token in session is same as in the form submitted
+     *
+     * @access public
+     * @static static method
+     * @return bool
+     */
+    public static function isTokenValid(){
+        $token = Request::post('csrf_token');
+        return $token === Session::get('csrf_token') && !empty($token);
+    }
+}

application/core/Encryption.php

@@ -0,0 +1,142 @@
+<?php
+
+/**
+ * Encryption and Decryption Class
+ *
+ */
+
+class Encryption{
+
+    /**
+     * Cipher algorithm
+     *
+     * @var string
+     */
+    const CIPHER = 'aes-256-cbc';
+
+    /**
+     * Hash function
+     *
+     * @var string
+     */
+    const HASH_FUNCTION = 'sha256';
+
+    /**
+     * constructor for Encryption object.
+     *
+     * @access private
+     */
+    private function __construct(){}
+
+    /**
+     * Encrypt a string.
+     *
+     * @access public
+     * @static static method
+     * @param  string	$plain
+     * @return string
+     * @throws Exception If functions don't exists
+     */
+    public static function encrypt($plain){
+
+        if(!function_exists('openssl_cipher_iv_length') ||
+            !function_exists('openssl_random_pseudo_bytes') ||
+            !function_exists('openssl_encrypt')){
+            throw new Exception("Encryption function don't exists");
+        }
+
+        // generate initialization vector,
+        // this will make $iv different every time,
+        // so, encrypted string will be also different.
+        $iv_size = openssl_cipher_iv_length(self::CIPHER);
+        $iv      = openssl_random_pseudo_bytes($iv_size);
+
+        // generate key for authentication using ENCRYPTION_KEY & HMAC_SALT
+        $key = mb_substr(hash(self::HASH_FUNCTION, Config::get('ENCRYPTION_KEY') . Config::get('HMAC_SALT')), 0, 32, '8bit');
+
+        // append initialization vector
+        $encrypted_string = openssl_encrypt($plain, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv);
+        $ciphertext       = $iv . $encrypted_string;
+
+        // apply the HMAC
+        $hmac = hash_hmac('sha256', $ciphertext, $key);
+
+        return $hmac . $ciphertext;
+    }
+
+    /**
+     * Decrypted a string.
+     *
+     * @access public
+     * @static static method
+     * @param  string $ciphertext
+     * @return string
+     * @throws Exception If $ciphertext is empty, or If functions don't exists
+     */
+    public static function decrypt($ciphertext){
+
+        if(empty($ciphertext)){
+            throw new Exception("the string to decrypt can't be empty");
+        }
+
+        if(!function_exists('openssl_cipher_iv_length') ||
+            !function_exists('openssl_decrypt')){
+            throw new Exception("Encryption function don't exists");
+        }
+
+        // generate key used for authentication using ENCRYPTION_KEY & HMAC_SALT
+        $key = mb_substr(hash(self::HASH_FUNCTION, Config::get('ENCRYPTION_KEY') . Config::get('HMAC_SALT')), 0, 32, '8bit');
+
+        // split cipher into: hmac, cipher & iv
+        $macSize    = 64;
+        $hmac 	    = mb_substr($ciphertext, 0, $macSize, '8bit');
+        $iv_cipher  = mb_substr($ciphertext, $macSize, null, '8bit');
+
+        // generate original hmac & compare it with the one in $ciphertext
+        $originalHmac = hash_hmac('sha256', $iv_cipher, $key);
+        if(!self::hashEquals($hmac, $originalHmac)){
+            return false;
+        }
+
+        // split out the initialization vector and cipher
+        $iv_size = openssl_cipher_iv_length(self::CIPHER);
+        $iv      = mb_substr($iv_cipher, 0, $iv_size, '8bit');
+        $cipher  = mb_substr($iv_cipher, $iv_size, null, '8bit');
+
+        return openssl_decrypt($cipher, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv);
+    }
+
+    /**
+     * A timing attack resistant comparison.
+     *
+     * @access private
+     * @static static method
+     * @param string $hmac The hmac from the ciphertext being decrypted.
+     * @param string $compare The comparison hmac.
+     * @return bool
+     * @see https://github.com/sarciszewski/php-future/blob/bd6c91fb924b2b35a3e4f4074a642868bd051baf/src/Security.php#L36
+     */
+    private static function hashEquals($hmac, $compare){
+
+        if (function_exists('hash_equals')) {
+            return hash_equals($hmac, $compare);
+        }
+
+        // if hash_equals() is not available,
+        // then use the following snippet.
+        // It's equivalent to hash_equals() in PHP 5.6.
+        $hashLength    = mb_strlen($hmac, '8bit');
+        $compareLength = mb_strlen($compare, '8bit');
+
+        if ($hashLength !== $compareLength) {
+            return false;
+        }
+
+        $result = 0;
+        for ($i = 0; $i < $hashLength; $i++) {
+            $result |= (ord($hmac[$i]) ^ ord($compare[$i]));
+        }
+
+        return $result === 0;
+    }
+}