Improve the security of the backend session

filebrowser.php

@@ -31,7 +31,8 @@
 
 if( empty($_SESSION["wcs_user_lang"]) ) {
 
-    session_destroy();
+    $_SESSION = array();
+    @session_destroy();
     headerRedirect(PHPWCMS_URL, 401);
 
 } else {

fileinfo.php

@@ -16,7 +16,8 @@
 require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php';
 
 if(empty($_SESSION["wcs_user_lang"])) {
-    session_destroy();
+    $_SESSION = array();
+    @session_destroy();
     headerRedirect($phpwcms['site'].$phpwcms["root"]);
 } else {
     require 'include/inc_lang/backend/en/lang.ext.inc.php';

include/inc_act/act_download.php

@@ -87,7 +87,8 @@
 
 if($err):
 
-    session_destroy();
+    $_SESSION = array();
+    @session_destroy();
 
 ?><html>
 <head>

include/inc_lib/checklogin.inc.php

@@ -11,51 +11,48 @@
 
 // obligate check for phpwcms constants
 if (!defined('PHPWCMS_ROOT')) {
-	die("You Cannot Access This Script Directly, Have a Nice Day.");
+    die("You Cannot Access This Script Directly, Have a Nice Day.");
 }
 
 // Updating user list relative to login time or delay login
 // --------------------------------------------------------
 
-$sql  = "UPDATE ".DB_PREPEND."phpwcms_userlog SET ";
-$sql .= "logged_in=0, logged_change='".time()."' ";
-$sql .= "WHERE logged_in=1 AND (".time()."-logged_change) > ".intval($phpwcms["max_time"]);
+$sql  = 'UPDATE ' . DB_PREPEND . 'phpwcms_userlog SET ';
+$sql .= 'logged_in=0, logged_change=' . time() . ' WHERE ';
+$sql .= 'logged_in=1 AND (' . time() . '-logged_change) > ' . intval($phpwcms['max_time']);
 _dbQuery($sql, 'UPDATE');
 
-if(!empty($_SESSION["wcs_user"])) {
-
-	$sql  = "SELECT COUNT(*) FROM ".DB_PREPEND."phpwcms_userlog ";
-	$sql .= "WHERE logged_user="._dbEscape($_SESSION["wcs_user"])." AND ";
-	$sql .= "logged_in=1";
-
-	if(!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) {
-		$sql .= " AND logged_ip="._dbEscape(getRemoteIP());
-	}
-
-	if(!($check = _dbQuery($sql, 'COUNT'))) {
-
-        unset($_SESSION["wcs_user"]);
-
-	} else {
-
-    	$sql  = "UPDATE ".DB_PREPEND."phpwcms_userlog SET ";
-		$sql .= "logged_change=".time()." WHERE ";
-		$sql .= "logged_user="._dbEscape($_SESSION["wcs_user"])." AND logged_in=1";
-		_dbQuery($sql, 'UPDATE');
-
-	}
+if (!empty($_SESSION["wcs_user"])) {
+
+    $sql  = 'SELECT COUNT(*) FROM ' . DB_PREPEND . 'phpwcms_userlog ';
+    $sql .= 'WHERE logged_user=' . _dbEscape($_SESSION['wcs_user']) . ' AND ';
+    $sql .= 'logged_in=1';
+
+    if (!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) {
+        $sql .= " AND logged_ip=" . _dbEscape(getRemoteIP());
+    }
+
+    if (!($check = _dbQuery($sql, 'COUNT'))) {
+        $_SESSION['wcs_user'] = '';
+        unset($_SESSION['wcs_user']);
+    } else {
+        $sql = 'UPDATE ' . DB_PREPEND . 'phpwcms_userlog SET ';
+        $sql .= 'logged_change=' . time() . ' WHERE ';
+        $sql .= 'logged_user=' . _dbEscape($_SESSION['wcs_user']) . ' AND logged_in=1';
+        _dbQuery($sql, 'UPDATE');
+    }
 }
 
-if(empty($_SESSION["wcs_user"])) {
+if (empty($_SESSION["wcs_user"])) {
 
-	@session_destroy();
+    $_SESSION = array();
+    @session_destroy();
 
-	if(!empty($_SERVER['QUERY_STRING'])) {
-		$ref_url = '?ref='.rawurlencode(PHPWCMS_URL.'phpwcms.php?'.xss_clean($_SERVER['QUERY_STRING']));
-	} else {
-    	$ref_url = '';
-	}
+    if (!empty($_SERVER['QUERY_STRING'])) {
+        $ref_url = '?ref=' . rawurlencode(PHPWCMS_URL . 'phpwcms.php?' . xss_clean($_SERVER['QUERY_STRING']));
+    } else {
+        $ref_url = '';
+    }
 
-	headerRedirect(PHPWCMS_URL.get_login_file().$ref_url, 401);
-
-}
+    headerRedirect(PHPWCMS_URL . get_login_file() . $ref_url, 401);
+}

include/inc_lib/default.inc.php

@@ -968,7 +968,7 @@ function _initSession() {
         session_start();
     }
     if (empty($_SESSION['phpwcmsSessionInit']) && function_exists("session_regenerate_id")) {
-        session_regenerate_id();
+        session_regenerate_id(true);
         $_SESSION['phpwcmsSessionInit'] = true;
     }
 
@@ -1212,7 +1212,7 @@ function phpwcms_getUserAgent($USER_AGENT = '') {
         }
     }
 
-    return $GLOBALS['phpwcms'][$index] = array(
+    $GLOBALS['phpwcms'][$index] = array(
         'agent' => $agent,
         'version' => intval($ver),
         'platform' => $platform,
@@ -1222,7 +1222,12 @@ function phpwcms_getUserAgent($USER_AGENT = '') {
         'engine' => $engine,
         'pixelratio' => $pixelratio,
         'webp' => $webp,
+        'lang' => isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : $GLOBALS['phpwcms']["default_lang"]
     );
+
+    $GLOBALS['phpwcms'][$index]['hash'] = md5(implode('', $GLOBALS['phpwcms'][$index]) . getRemoteIP());
+
+    return $GLOBALS['phpwcms'][$index];
 }
 
 /**
@@ -1286,7 +1291,7 @@ function checkLoginCount() {
     $check = 0;
     if (!empty($_SESSION["wcs_user"])) {
         $sql = "SELECT COUNT(*) FROM " . DB_PREPEND . "phpwcms_userlog WHERE logged_user=" . _dbEscape($_SESSION["wcs_user"]) . " AND logged_in=1";
-        if (!empty($phpwcms['Login_IPcheck'])) {
+        if (!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) {
             $sql .= " AND logged_ip=" . _dbEscape(getRemoteIP());
         }
         $check = _dbCount($sql);

include/inc_lib/general.inc.php

@@ -2014,14 +2014,15 @@ function checkLogin($mode = 'REDIRECT') {
     $sql .= "WHERE logged_in=1 AND (" . time() . "-logged_change) > " . intval($GLOBALS['phpwcms']["max_time"]);
     _dbQuery($sql, 'UPDATE');
     checkLoginCount();
-    if (empty($_SESSION["wcs_user"])) {
+    if (empty($_SESSION['wcs_user']) || empty($_SESSION['PHPWCMS_BROWSER_HASH']) || $_SESSION['PHPWCMS_BROWSER_HASH'] !== $GLOBALS['phpwcms']['USER_AGENT']['hash']) {
+        $_SESSION = array();
         @session_destroy();
         if (!empty($_SERVER['QUERY_STRING'])) {
             $ref_url = '?ref=' . rawurlencode(PHPWCMS_URL . 'phpwcms.php?' . xss_clean($_SERVER['QUERY_STRING']));
         } else {
             $ref_url = '';
         }
-        if ($mode == 'REDIRECT') {
+        if ($mode === 'REDIRECT') {
             // check again if user was logged in and this is a valid redirect request
             $sql = 'SELECT COUNT(*)  FROM ' . DB_PREPEND . 'phpwcms_userlog WHERE ';
             $sql .= "logged_ip=" . _dbEscape(PHPWCMS_GDPR_MODE ? getAnonymizedIp() : getRemoteIP()) . " AND ";

login.php

@@ -243,6 +243,8 @@
 
         }
 
+        $_SESSION['PHPWCMS_BROWSER_HASH'] = $phpwcms['USER_AGENT']['hash'];
+
         headerRedirect($backend_redirect . get_token_get_string() . '&' . session_name().'='.session_id());
 
     } else {