From 21105c73a6b7b4fa0ba0c2cba9e1738a7d9c5d2d Mon Sep 17 00:00:00 2001
From: Alexandros Diamantidis <adia@noc.uoa.gr>
Date: Fri, 22 Oct 2021 11:17:15 +0300
Subject: [PATCH] Logout: split in separate file. Regenerate session id on
 login / logout

--HG--
branch : 3.12
---
 include/baseTheme.php                       |  2 +-
 include/main_lib.php                        |  1 +
 index.php                                   | 47 ++++-----------
 main/toolbox.php                            |  2 +-
 main/unreguser.php                          |  2 +-
 modules/auth/logout.php                     | 66 +++++++++++++++++++++
 modules/auth/transition/auth_transition.php | 18 +++---
 7 files changed, 91 insertions(+), 47 deletions(-)
 create mode 100644 modules/auth/logout.php

diff --git a/include/baseTheme.php b/include/baseTheme.php
index d5ad8bc3b2..5e358ee30c 100644
--- a/include/baseTheme.php
+++ b/include/baseTheme.php
@@ -262,7 +262,7 @@ function get_theme_class($class) {
         $t->set_var('LANG_STATS', q($GLOBALS['langMyStats']));
         $t->set_var('STATS_LINK', $urlAppend . 'modules/usage/?t=u');
         $t->set_var('LANG_LOGOUT', q($langLogout));
-        $t->set_var('LOGOUT_LINK', $urlAppend . 'index.php?logout=yes');
+        $t->set_var('LOGOUT_LINK', $urlAppend . 'modules/auth/logout.php');
         $t->set_var('MY_COURSES', q($GLOBALS['langMyCoursesSide']));
         $t->set_var('MY_MESSAGES', q($GLOBALS['langNewMyMessagesSide']));
         $t->set_var('LANG_ANNOUNCEMENTS', q($GLOBALS['langMyAnnouncements']));
diff --git a/include/main_lib.php b/include/main_lib.php
index 29ea98ebf0..0cc6de3cf4 100644
--- a/include/main_lib.php
+++ b/include/main_lib.php
@@ -4079,6 +4079,7 @@ function warnCourseInvalidDepartment($prompt=false) {
  * 'am'          - Student id number
  */
 function login_hook($options) {
+    session_regenerate_id();
     if (!isset($options['am'])) {
         $options['am'] = '';
     }
diff --git a/index.php b/index.php
index ec3413bed5..090d96b5b3 100644
--- a/index.php
+++ b/index.php
@@ -70,44 +70,21 @@
     $uid = 0;
 }
 
-if (isset($_GET['logout']) and $uid) {
-    $cas = ($session->getLoginMethod() == 'cas')? get_auth_settings(7): false;
-    Database::get()->query("INSERT INTO loginout (loginout.id_user,
-                loginout.ip, loginout.when, loginout.action)
-                VALUES (?d, ?s, " .DBHelper::timeAfter() . ", 'LOGOUT')", $uid, Log::get_client_ip());
-    foreach (array_keys($_SESSION) as $key) {
-        unset($_SESSION[$key]);
-    }
-
-    // include HybridAuth libraries
-    require_once 'modules/auth/methods/hybridauth/config.php';
-
-    $config = get_hybridauth_config();
-    $hybridauth = new Hybridauth\Hybridauth( $config );
-
-    session_destroy();
-    $uid = 0;
-    if ($cas and isset($cas['cas_ssout']) and intval($cas['cas_ssout']) === 1) {
-        phpCAS::client(SAML_VERSION_1_1, $cas['cas_host'], intval($cas['cas_port']), $cas['cas_context'], FALSE);
-        phpCAS::logoutWithRedirectService($urlServer);
-    }
-}
-
 // if we try to login... then authenticate user.
 $warning = '';
 
 if(isset($_SESSION['hybridauth_callback'])) {
-	switch($_SESSION['hybridauth_callback']) {
-		case 'login':
-			$_GET['provider'] = $_SESSION['hybridauth_provider'] ?? '';
-			break;
-		case 'profile':
-			$provider = $_SESSION['hybridauth_provider'] ?? '';
-			header('Location: /main/profile/profile.php?action=connect&provider='.$provider.'&'.$_SERVER['QUERY_STRING']);
-			exit;
+    switch($_SESSION['hybridauth_callback']) {
+        case 'login':
+            $_GET['provider'] = $_SESSION['hybridauth_provider'] ?? '';
+            break;
+        case 'profile':
+            $provider = $_SESSION['hybridauth_provider'] ?? '';
+            header('Location: /main/profile/profile.php?action=connect&provider='.$provider.'&'.$_SERVER['QUERY_STRING']);
+            exit;
         case 'auth_test':
-			$provider = $_SESSION['hybridauth_provider'] ?? '';
-			header('Location: /modules/admin/auth_test.php?auth='.$provider.'&'.$_SERVER['QUERY_STRING']);
+            $provider = $_SESSION['hybridauth_provider'] ?? '';
+            header('Location: /modules/admin/auth_test.php?auth='.$provider.'&'.$_SERVER['QUERY_STRING']);
             exit;
     }
 }
@@ -115,7 +92,7 @@
 if (isset($_SESSION['shib_uname'])) {
     // authenticate via shibboleth
     shib_cas_login('shibboleth');
-} elseif (isset($_SESSION['cas_uname']) && !isset($_GET['logout'])) {
+} elseif (isset($_SESSION['cas_uname'])) {
     // authenticate via cas
     shib_cas_login('cas');
 } elseif (isset($_GET['provider'])) {
@@ -144,7 +121,7 @@
 }
 
 // check if we are guest user
-if (!$upgrade_begin and $uid and !isset($_GET['logout'])) {
+if (!$upgrade_begin and $uid) {
     if (check_guest()) {
         // if the user is a guest send him straight to the corresponding lesson
         $guest = Database::get()->querySingle("SELECT code FROM course_user, course
diff --git a/main/toolbox.php b/main/toolbox.php
index 939e9407ae..e6f18234d3 100644
--- a/main/toolbox.php
+++ b/main/toolbox.php
@@ -115,7 +115,7 @@
 $t->set_var('langSelectFromMenu', js_escape($langSelectFromMenu));
 if ($uid) {
     $t->set_var('loginLogout', q($_SESSION['givenname'] . ' ' . $_SESSION['surname']) .
-        " &nbsp; <a href='$urlAppend?logout=true'>$langLogout</a>");
+        " &nbsp; <a href='{$urlAppend}modules/auth/logout.php'>$langLogout</a>");
     $t->set_block('main', 'loginModalsBlock', 'delete');
 } else {
     $t->set_var('loginModal', 'loginModal');
diff --git a/main/unreguser.php b/main/unreguser.php
index e98362726a..110f153aae 100644
--- a/main/unreguser.php
+++ b/main/unreguser.php
@@ -94,7 +94,7 @@
 
         $tool_content .= action_bar(array(
             array('title' => $langLogout,
-                'url' => "../index.php?logout=yes",
+                'url' => $urlAppend . 'modules/auth/logout.php',
                 'icon' => 'fa-sign-out',
                 'level' => 'primary-label')));
         $tool_content .= "<div class='alert alert-success'>$langDelSuccess</br>$langThanks</div>";
diff --git a/modules/auth/logout.php b/modules/auth/logout.php
new file mode 100644
index 0000000000..1c86e37ca4
--- /dev/null
+++ b/modules/auth/logout.php
@@ -0,0 +1,66 @@
+<?php
+
+/* ========================================================================
+ * Open eClass 3.12
+ * E-learning and Course Management System
+ * ========================================================================
+ * Copyright 2003-2021  Greek Universities Network - GUnet
+ * A full copyright notice can be read in "/info/copyright.txt".
+ * For a full list of contributors, see "credits.txt".
+ *
+ * Open eClass is an open platform distributed in the hope that it will
+ * be useful (without any warranty), under the terms of the GNU (General
+ * Public License) as published by the Free Software Foundation.
+ * The full license can be read in "/info/license/license_gpl.txt".
+ *
+ * Contact address: GUnet Asynchronous eLearning Group,
+ *                  Network Operations Center, University of Athens,
+ *                  Panepistimiopolis Ilissia, 15784, Athens, Greece
+ *                  e-mail: info@openeclass.org
+ * ======================================================================== */
+
+/*
+ * @file logout.php
+ *
+ * @abstract Redirect users to this file to log them out
+ *
+ */
+
+require_once '../../include/baseTheme.php';
+require_once 'modules/auth/auth.inc.php';
+require_once 'modules/auth/methods/hybridauth/config.php';
+
+if ($uid) {
+    $login_method = $session->getLoginMethod();
+    Database::get()->query("INSERT INTO loginout (loginout.id_user,
+                loginout.ip, loginout.when, loginout.action)
+                VALUES (?d, ?s, " . DBHelper::timeAfter() . ", 'LOGOUT')", $uid, Log::get_client_ip());
+
+    $config = get_hybridauth_config();
+    $hybridauth = new Hybridauth\Hybridauth($config);
+    foreach ($hybridauth->getConnectedAdapters() as $adapter) {
+        $adapter->disconnect();
+    }
+
+    foreach (array_keys($_SESSION) as $key) {
+        unset($_SESSION[$key]);
+    }
+
+    if (ini_get("session.use_cookies")) {
+        $params = session_get_cookie_params();
+        setcookie(session_name(), '', time() - 42000,
+            $params['path'], $params['domain'],
+            $params['secure'], $params['httponly']
+        );
+    }
+
+    session_destroy();
+
+    $cas = ($login_method == 'cas')? get_auth_settings(7): false;
+    if ($cas and isset($cas['cas_ssout']) and intval($cas['cas_ssout']) === 1) {
+        phpCAS::client(SAML_VERSION_1_1, $cas['cas_host'], intval($cas['cas_port']), $cas['cas_context'], FALSE);
+        phpCAS::logoutWithRedirectService($urlServer);
+    }
+}
+
+redirect_to_home_page();
diff --git a/modules/auth/transition/auth_transition.php b/modules/auth/transition/auth_transition.php
index e744b42a54..4ab643c63c 100644
--- a/modules/auth/transition/auth_transition.php
+++ b/modules/auth/transition/auth_transition.php
@@ -7,8 +7,8 @@
  */
 
 // ------------ feel free to change it ----------
-define ('INTRO_SSO_MESSAGE', 'Η διαδικασία μετάβασης των λογαριασμών των χρηστών έχει ξεκινήσει! 
-                            Κάντε κλικ στο `Μετάβαση`. Θα μεταφερθείτε στην κεντρική σελίδα Πιστοποίησης Λογαριασμού 
+define ('INTRO_SSO_MESSAGE', 'Η διαδικασία μετάβασης των λογαριασμών των χρηστών έχει ξεκινήσει!
+                            Κάντε κλικ στο `Μετάβαση`. Θα μεταφερθείτε στην κεντρική σελίδα Πιστοποίησης Λογαριασμού
                             όπου θα δώσετε τα στοιχεία σας έτσι ώστε ο λογαριασμός σας στην πλατφόρμα να ενημερωθεί.');
 // ----------------------------------------------
 $require_login = true;
@@ -18,25 +18,25 @@
 $pageName = "Μετάβαση";
 
 if (!get_config('sso_transition')) {
-    redirect("{$urlServer}index.php?logout=yes");
+    redirect("{$urlAppend}modules/auth/logout.php");
 }
 
 $_SESSION['SSO_USER_TRANSITION'] = true;
 
 $tool_content .= action_bar(array(
     array('title' => $langBack,
-        'url' => "{$urlAppend}index.php?logout=yes",
+        'url' => "{$urlAppend}modules/auth/logout.php",
         'icon' => 'fa-reply',
         'level' => 'primary-label')
 ),false);
 
 $auth_transition = new Transition($uid);
 if ($auth_transition->get_sso_exception_status() == SSO_TRANSITION_EXCEPTION_BLOCKED) {
-    $tool_content .= "<div class='alert alert-danger'>Η πρόσβαση στην πλατφόρμα έχει αποκλειστεί. 
+    $tool_content .= "<div class='alert alert-danger'>Η πρόσβαση στην πλατφόρμα έχει αποκλειστεί.
                     Μπορείτε να επικοινωνήσετε με τους διαχειριστές της πλατφόρμας στο <strong>" . get_config('email_helpdesk') . "</strong>.</div>";
 } else if ($auth_transition->get_sso_exception_status() == SSO_TRANSITION_EXCEPTION_PENDING) { // sso exception pending
-    $tool_content .= "<div class='alert alert-warning'>Έχετε ήδη υποβάλλει αίτημα εξαίρεσης το οποίο ακόμα δεν έχει διεκπεραιωθεί. 
-                       Η πρόσβαση στην πλατφόρμα προσωρινά δεν είναι δυνατή. 
+    $tool_content .= "<div class='alert alert-warning'>Έχετε ήδη υποβάλλει αίτημα εξαίρεσης το οποίο ακόμα δεν έχει διεκπεραιωθεί.
+                       Η πρόσβαση στην πλατφόρμα προσωρινά δεν είναι δυνατή.
                        Μπορείτε να επικοινωνήσετε με τους διαχειριστές της πλατφόρμας στο <strong>" . get_config('email_helpdesk') . "</strong>.</div>";
 } else if (isset($_GET['exception'])) {
     $auth_transition->add_sso_exception($_POST['comments']);
@@ -80,7 +80,7 @@ function display_sso_exception_form($uid) {
                     <div class='col-sm-10'>
                         <input class='form-control' type='text' name='$langName' value='" . q($firstname) . "' disabled  />
                     </div>
-                </div>                          
+                </div>
                 <div class='form-group'>
                     <label for='$langComments' class='col-sm-2 control-label'>$langComments:</label>
                     <div class='col-sm-10'>
@@ -104,4 +104,4 @@ function display_sso_exception_form($uid) {
                 </fieldset>
             </form>
         </div>";
-}
\ No newline at end of file
+}