#31 Fix vulnerabilities with the remember cookie
Merged
sindre
merged 4 commits from session-cookie into master 5 years ago
4 changed files with 114 additions and 29 deletions
-
+8 -1mysql/sql/init.sql
-
+73 -0src/app/models/session.py
-
+25 -28src/app/views/login.py
-
+8 -0src/app/views/logout.py
+ 8
- 1
mysql/sql/init.sql
View File
| @@ -14,6 +14,14 @@ CREATE TABLE users ( | |||
| PRIMARY KEY (userid) | |||
| ); | |||
| CREATE TABLE cookies ( | |||
| token VARCHAR(100) UNIQUE NOT NULL, | |||
| userid INT UNSIGNED NOT NULL, | |||
| expiry INT NOT NULL, | |||
| PRIMARY KEY (token), | |||
| FOREIGN KEY (userid) REFERENCES users(userid) | |||
| ); | |||
| CREATE TABLE project_category ( | |||
| categoryid INT UNSIGNED AUTO_INCREMENT, | |||
| category_name VARCHAR(200) UNIQUE NOT NULL, | |||
| @@ -89,4 +97,3 @@ Create default database user | |||
| CREATE USER 'root'@'10.5.0.6' IDENTIFIED BY 'root'; | |||
| GRANT ALL PRIVILEGES ON db.* TO 'root'@'10.5.0.6'; | |||
+ 73
- 0
src/app/models/session.py
View File
| @@ -0,0 +1,73 @@ | |||
| from models.database import db | |||
| import mysql.connector | |||
| def set_cookie(userid, token, expiry): | |||
| """ | |||
| Register a persistant login token for an user | |||
| :param userid: The ID of the user | |||
| :param token: A random unique token for the cookie | |||
| """ | |||
| db.connect() | |||
| cursor = db.cursor() | |||
| query = ("INSERT INTO cookies (userid, token, expiry) VALUES (%s, %s, %s)") | |||
| try: | |||
| cursor.execute(query, (userid, token, expiry)) | |||
| db.commit() | |||
| except mysql.connector.Error as err: | |||
| print("Failed executing query: {}".format(err)) | |||
| cursor.fetchall() | |||
| exit(1) | |||
| finally: | |||
| cursor.close() | |||
| db.close() | |||
| def get_cookie(token): | |||
| """ | |||
| Get the userid of the user with the given persistant login token | |||
| :param token: The token to search for | |||
| """ | |||
| db.connect() | |||
| cursor = db.cursor() | |||
| query = ("SELECT userid, expiry FROM cookies WHERE token = %s") | |||
| userid = None | |||
| expiry = None | |||
| try: | |||
| cursor.execute(query, (token,)) | |||
| users = cursor.fetchall() | |||
| if len(users): | |||
| userid = users[0][0] | |||
| expiry = users[0][1] | |||
| except mysql.connector.Error as err: | |||
| print("Failed executing query: {}".format(err)) | |||
| cursor.fetchall() | |||
| exit(1) | |||
| finally: | |||
| cursor.close() | |||
| db.close() | |||
| return userid, expiry | |||
| def delete_cookie(token): | |||
| """ | |||
| Get the userid of the user with the given persistant login token | |||
| :param token: The token to delete | |||
| """ | |||
| db.connect() | |||
| cursor = db.cursor() | |||
| query = ("DELETE FROM cookies WHERE token = %s") | |||
| try: | |||
| cursor.execute(query, (token,)) | |||
| db.commit() | |||
| except mysql.connector.Error as err: | |||
| print("Failed executing query: {}".format(err)) | |||
| cursor.fetchall() | |||
| exit(1) | |||
| finally: | |||
| cursor.close() | |||
| db.close() | |||
+ 25
- 28
src/app/views/login.py
View File
| @@ -1,13 +1,19 @@ | |||
| import web | |||
| from views.forms import login_form | |||
| import models.session | |||
| import models.user | |||
| from views.utils import get_nav_bar | |||
| import os, hmac, base64, pickle | |||
| import random | |||
| import string | |||
| import hashlib | |||
| import time | |||
| # Get html templates | |||
| render = web.template.render('templates/') | |||
| # The remember cookie should be valid for a week | |||
| remember_timeout = 3600*24*7 | |||
| class Login(): | |||
| @@ -56,51 +62,42 @@ class Login(): | |||
| session.username = username | |||
| session.userid = userid | |||
| if remember: | |||
| rememberme = self.rememberme() | |||
| web.setcookie('remember', rememberme , 300000000) | |||
| rememberme = self.rememberme(remember_timeout) | |||
| path = web.ctx.homepath + "/" | |||
| web.ctx.headers.append(('Set-Cookie', f'remember={rememberme}; Max-Age={remember_timeout}; Path={path}; Secure; HttpOnly; SameSite=Strict')) | |||
| def check_rememberme(self): | |||
| """ | |||
| Validate the rememberme cookie and log in | |||
| """ | |||
| username = "" | |||
| sign = "" | |||
| userid = None | |||
| # If the user selected 'remember me' they log in automatically | |||
| try: | |||
| # Fetch the users cookies if it exists | |||
| cookies = web.cookies() | |||
| # Fetch the remember cookie and convert from string to bytes | |||
| remember_hash = bytes(cookies.remember[2:][:-1], 'ascii') | |||
| # Decode the hash | |||
| decode = base64.b64decode(remember_hash) | |||
| # Load the decoded hash to receive the host signature and the username | |||
| username, sign = pickle.loads(decode) | |||
| except AttributeError as e: | |||
| remember_token = cookies.remember | |||
| userid, expiry = models.session.get_cookie(remember_token) | |||
| except AttributeError: | |||
| # The user did not have the stored remember me cookie | |||
| pass | |||
| # If the users signed cookie matches the host signature then log in | |||
| if self.sign_username(username) == sign: | |||
| userid = models.user.get_user_id_by_name(username) | |||
| if userid is not None and expiry > time.time(): | |||
| username = models.user.get_user_name_by_id(userid) | |||
| self.login(username, userid, False) | |||
| def rememberme(self): | |||
| def rememberme(self, timeout): | |||
| """ | |||
| Encode a base64 object consisting of the username signed with the | |||
| host secret key and the username. Can be reassembled with the | |||
| hosts secret key to validate user. | |||
| :return: base64 object consisting of signed username and username | |||
| Generate a random token for the user, and store it in the database. | |||
| """ | |||
| session = web.ctx.session | |||
| creds = [ session.username, self.sign_username(session.username) ] | |||
| return base64.b64encode(pickle.dumps(creds)) | |||
| alphabet = string.ascii_uppercase + string.digits | |||
| @classmethod | |||
| def sign_username(self, username): | |||
| """ | |||
| Sign the current users name with the hosts secret key | |||
| :return: The users signed name | |||
| """ | |||
| secret = base64.b64decode(self.secret) | |||
| return hmac.HMAC(secret, username.encode('ascii')).hexdigest() | |||
| while True: | |||
| token = ''.join(random.SystemRandom().choice(alphabet) for _ in range(20)) | |||
| if models.session.get_cookie(token)[0] is None: | |||
| break | |||
| models.session.set_cookie(session.userid, token, int(time.time() + timeout)) | |||
| return token | |||
+ 8
- 0
src/app/views/logout.py
View File
| @@ -1,5 +1,6 @@ | |||
| import web | |||
| from views.utils import get_nav_bar | |||
| import models.session | |||
| # Get html templates | |||
| render = web.template.render('templates/') | |||
| @@ -12,6 +13,13 @@ class Logout: | |||
| Log out of the application (kill session and reset variables) | |||
| :return: Redirect to main page | |||
| """ | |||
| try: | |||
| remember_token = web.cookies().remember | |||
| models.session.delete_cookie(remember_token) | |||
| except AttributeError: | |||
| # The user did not have the stored remember me cookie | |||
| pass | |||
| session = web.ctx.session | |||
| session.username = None | |||
| session.userid = None | |||