ripped out all the memcache session stuff, not worth it with the side effects of caching things

cleaned up config/checks

Author: xisi

public/include/admin_checks.php

@@ -78,8 +78,8 @@
   if (mysqli_connect_errno() || !array_key_exists('client_info', $db_connect)) {
     $error[] = "Unable to connect to mysql using provided credentials";
   }
-  if (($config['strict'] || $config['mc_antidos']) && !$config['memcache']['enabled']) {
-    $error[] = "strict or mc_antidos are enabled and memcache is not, <u>memcache is required</u> to use these.";
+  if ($config['mc_antidos'] && !$config['memcache']['enabled']) {
+    $error[] = "mc_antidos is enabled and memcache is not, <u>memcache is required</u> to use this";
   }
   // poke stratum using gettingstarted details -> enotice
   if (substr_count(strtolower(PHP_OS), 'nix') > 0) {
@@ -102,10 +102,6 @@
   }
 
   // security checks
-  // strict not on -> notice
-  if (!$config['strict']) {
-    $notice[] = "Strict is <u>disabled</u> - if you have memcache, you should turn this on.";
-  }
   // salts too short -> notice, salts default -> error
   if ((strlen($config['SALT']) < 24) || (strlen($config['SALTY']) < 24) || $config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
     if ($config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {

public/include/autoloader.inc.php

@@ -12,7 +12,7 @@
 // Default classes
 require_once(CLASS_DIR . '/debug.class.php');
 require_once(INCLUDE_DIR . '/lib/KLogger.php');
-if ($config['strict']) {
+if ($config['mysql_filter']) {
   require_once(CLASS_DIR . '/strict.class.php');
 }
 require_once(INCLUDE_DIR . '/database.inc.php');

public/include/classes/memcache_ad.class.php

@@ -7,116 +7,79 @@ class MemcacheAntiDos
   public $rate_limit_this_request = false;
   public $rate_limit_api_request = false;
   public $rate_limit_site_request = false;
-  public function __construct($config, &$memcache, $userORip, $request='', $mcSettings) {
+  public function __construct($config, &$memcache, $request='') {
     $this->cache = $memcache;
     // set our config options
-    $per_page = '';
-    $flush_sec_api = $config['flush_seconds_api'];
-    $rate_limit_api = $config['rate_limit_api'];
-    $flush_sec_site = $config['flush_seconds_site'];
-    $rate_limit_site = $config['rate_limit_site'];
-    $ajax_add = $config['ajax_hits_additive'];
-    unset($config);
+    $userORip = $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'];
     // prep stuff we need to check this request
-    $key_md5 = md5($mcSettings['keyprefix'].$userORip);
+    $key_md5 = $config['memcache']['keyprefix'].md5($userORip);
     $request_data = $this->cache->get($key_md5);
     $now = time();
-    $max_req_flush = max(array($flush_sec_api,$flush_sec_site));
+    $max_req_flush = max(array($config['mc_antidos']['flush_seconds_api'],$config['mc_antidos']['flush_seconds_site']));
     // check the request
     if (is_array($request_data)) {
       // this request key already exists, update it
       $request_data['la'] = $now;
       if ($request == 'api') {
         $request_data['ha'] += 1;
-        if ($ajax_add) {
+        if ($config['mc_antidos']['ajax_hits_additive']) {
           $request_data['hn'] += 1;
         }
       } else {
         $request_data['hn'] += 1;
       }
       // not rate limited yet, update the rest of the object
-      if (($request_data['hn'] < $rate_limit_site) && ($request_data['ha'] < $rate_limit_api)) {
-        
-        if (((($request_data['hnl'] + $flush_sec_site) <= $now) || ($request_data['hal'] + $flush_sec_api) <= $now) || (($request_data['la'] + $max_req_flush) <= $now)) {
+      if (($request_data['hn'] < $config['mc_antidos']['rate_limit_site']) && ($request_data['ha'] < $config['mc_antidos']['rate_limit_api'])) {
+        if (((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now) || ($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now) || (($request_data['la'] + $max_req_flush) <= $now)) {
           // needs to be flushed & updated
           $new = $this->getRequestBase();
           $new['key'] = $key_md5;
-          $new['sid'] = session_id();
-          $new['ua'] = md5($_SERVER['HTTP_USER_AGENT']);
-          $new['ip'] = $key_md5;
           $new['la'] = $now;
-          $new['hal'] = ((($request_data['hal'] + $flush_sec_api) <= $now)) ? $now : 1;
-          $new['hnl'] = ((($request_data['hnl'] + $flush_sec_site) <= $now)) ? $now : 1;
-          $this->cache->set($key_md5, $new, $max_req_flush);
-          $this->rate_limit_api_request = ($request_data['ha'] >= $rate_limit_api) ? true : false;
-          $this->rate_limit_site_request = ($request_data['hn'] >= $rate_limit_site) ? true : false;
-          //$this->rate_limit_this_request = false;
+          $new['hal'] = ((($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now)) ? $now : 1;
+          $new['hnl'] = ((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now)) ? $now : 1;
+          $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+          $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+          $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
         } else {
           // no flush, just update
           $new = $this->getRequestBase();
-          $new['key'] = $key_md5;
-          $new['sid'] = session_id();
-          $new['ua'] = md5($_SERVER['HTTP_USER_AGENT']);
-          $new['ip'] = $key_md5;
+          $new['key'] = $request_data['key'];
           $new['la'] = time();
           $new['ha'] = $request_data['ha'];
           $new['hal'] = $request_data['hal'];
           $new['hn'] = $request_data['hn'];
           $new['hnl'] = $request_data['hnl'];
-          $this->cache->set($key_md5, $new, $max_req_flush);
-          //$this->rate_limit_this_request = false;
-          $this->rate_limit_api_request = ($request_data['ha'] >= $rate_limit_api) ? true : false;
-          $this->rate_limit_site_request = ($request_data['hn'] >= $rate_limit_site) ? true : false;
+          $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+          $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+          $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
         }
       } else {
         // too many hits, we should rate limit this
-        //$this->rate_limit_this_request = true;
-        $this->rate_limit_api_request = ($request_data['ha'] >= $rate_limit_api) ? true : false;
-        $this->rate_limit_site_request = ($request_data['hn'] >= $rate_limit_site) ? true : false;
+        $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+        $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
       }
     } else {
       // doesn't exist for this request_key, create one
       $new = $this->getRequestBase();
-      $new['key'] = $key_md5;
-      $new['sid'] = session_id();
-      $new['ua'] = md5($_SERVER['HTTP_USER_AGENT']);
-      $new['ip'] = $key_md5;
+      $new['key'] = $config['memcache']['keyprefix'].md5($userORip);
       $new['la'] = time();
       if ($request == 'api') {
         $new['ha'] += 1;
-        if ($ajax_add) {
+        if ($config['mc_antidos']['ajax_hits_additive']) {
           $new['hn'] += 1;
         }
       } else {
         $new['hn'] += 1;
       }
-      $this->cache->set($key_md5, $new, $max_req_flush);
-      $this->rate_limit_this_request = false;
+      $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+      $this->rate_limit_api_request = false;
+      $this->rate_limit_site_request = false;
     }
   }
   public function getRequestBase() {
-    $new = array(
-        'key' => '',
-        'sid' => '',
-        'ua' => '',
-        'ip' => '',
-        'la' => 0,
-        'hn' => 0,
-        'hnl' => 0,
-        'ha' => 0,
-        'hal' => 0
-    );
+    $new = array('key' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
     return $new;
   }
-  public function rateLimitRequest() {
-    return $this->rate_limit_this_request;
-  }
-  public function rateLimitSite() {
-    return $this->rate_limit_site_request;
-  }
-  public function rateLimitAPI() {
-    return $this->rate_limit_api_request;
-  }
 }
 
 ?>

public/include/classes/strict.class.php

@@ -1,143 +1,6 @@
 <?php 
 $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-class strict_session {
-  private $memcache = null;
-  private $validate_client = false;
-  private $validate_client_ip = false;
-  private $validate_client_ua = false;
-  private $validate_client_sid = false;
-  private $validate_client_num = 0;
-  private $valid_server = '';
-  private $memcache_key = '';
-  public function valid_session_id($id) {
-    return preg_match('#^[a-zA-Z0-9]{26}$#', $id);
-  }
-  public function session_delete_key($key) {
-    $read = $this->memcache->delete($key);
-  }
-  private $validation_misses = 0;
-  private $initial_ua;
-  public function create_or_update_client($client, $force=false, $login=false) {
-    $read = $this->memcache->get($client['key']);
-    // this needs to be available later
-    $update = array('key' => '','sid' => '','ua' => '','ip' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
-    $update['sid'] = $client['sid'];
-    $update['ua'] = md5($this->initial_ua);
-    $update['ip'] = $client['ip'];
-    $update['la'] = time();
-    $update['key'] = md5($this->memcache_key.$client['ip']);
-    $validation_misses = 0;
-    if ($read !== false) {
-      $read_model = array('key' => '','sid' => '','ua' => '','ip' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
-      $read_model['sid'] = @$read['sid'];
-      $read_model['ip'] = @$read['ip'];
-      $read_model['ua'] = @$read['ua'];
-      $read_model['la'] = @$read['la'];
-      $read_model['key'] = md5($this->memcache_key.$read['ip']);
-      // key already exists, update
-      if ($this->validate_client) {
-        if ($this->verify_client($read_model, $update, $login)) {
-          $update_client = $this->memcache->set($update['key'], $update);
-        }
-      }
-    } else {
-      $update_client = $this->memcache->set($client['key'], $client);
-      if ($force && $login) {
-        $update_client = $this->memcache->set($update['key'], $update);
-      }
-    }
-  }
-  public function verify_client($client_model, $data, $login=false) {
-    $fails = 0;
-    $fails += ((count($client_model)) !== (count($data)) && $this->validate_client) ? 1 : 0;
-    $fails += ($client_model['ua'] !== $data['ua'] && $this->validate_client && $this->validate_client_ua) ? 1 : 0;
-    $fails += ($client_model['ip'] !== $data['ip'] && $this->validate_client && $this->validate_client_ip) ? 1 : 0;
-    $now = time();
-    $this->validation_misses = $fails;
-    if ($fails > $this->validate_client_num && $login == false && $this->validate_client) {
-      // something changed
-      $port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
-      $location = (@$_SERVER['HTTPS'] == "on") ? 'https://' : 'http://';
-      $location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'];
-      $this->session_delete_key($client_model['key']);
-      $this->session_delete_key($data['key']);
-      @session_start();
-      @session_regenerate_id(true);
-      $_SESSION = null;
-      $_SESSION['POPUP'][] = array('CONTENT' => "Session revoked due to a change in your client. You may have a plugin messing with your useragent, or your IP address may have changed.", 'TYPE' => 'warning');
-      $location.= '?page=login';
-      if (!headers_sent()) exit(header('Location: ' . $location));
-      exit('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($location) . '"/>');
-    }
-    return ($fails > 0) ? false : true;
-  }
-  public function read_if_client_exists($client_key) {
-    if ($this->memcache !== null) {
-      $exists = $this->memcache->get($client_key);
-    }
-    return ($exists !== null) ? $exists : false;
-  }
-  public function regen_session_id() {
-    $sidbefore = @session_id();
-    @session_regenerate_id(true);
-    $sid = session_id();
-    return $sid;
-  }
-  public function __construct($config, &$memcache) {
-    $this->initial_ua = $_SERVER['HTTP_USER_AGENT'];
-    $this->memcache = $memcache;
-    $this->memcache_key = $config['memcache']['keyprefix'];
-    if ($config['strict__verify_client']) {
-      $this->validate_client = true;
-      $this->validate_client_ip = $config['strict__verify_client_ip'];
-      $this->validate_client_ua = $config['strict__verify_client_useragent'];
-      $this->validate_client_sid = $config['strict__verify_client_sessionid'];
-      $this->validate_client_num = 0;
-      if ($config['strict__verify_server']) {
-        $proto = (@$_SERVER['HTTPS'] == "on") ? 'https' : 'http';
-        $location = $proto."://".$_SERVER['SERVER_NAME'] . $_SERVER['SERVER_PORT'];
-        if ($config['strict__verify_server']) {
-          if ($config['strict__bind_protocol']."://".$config['strict__bind_host'].$config['strict__bind_port'] !== $location) {
-            return false;
-          }
-        }
-      }
-      $client = array('key' => '','sid' => '','ua' => '','ip' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
-      $client['ua'] = md5($_SERVER['HTTP_USER_AGENT']);
-      $client['ip'] = md5($_SERVER['REMOTE_ADDR']);
-      $client['la'] = time();
-      $client['key'] = md5($this->memcache_key.$client['ip']);
-      $read = $this->read_if_client_exists($client['key']);
-    }
-    session_set_cookie_params((time()+$config['cookie']['duration']), $config['cookie']['path'], $config['cookie']['domain'], false, true);
-    $session_start = @session_start();
-    $client['sid'] = session_id();
-    $valid_session_id = $this->valid_session_id($client['sid']);
-    if (!$valid_session_id || !$session_start) {
-      @session_destroy();
-      $client['sid'] = $this->regen_session_id();
-      session_start();
-    }
-    if ($read !== null) {
-      // client exists, verify
-      $this->create_or_update_client($client, true, false);
-      
-    } else {
-      // doesn't exist
-      $this->create_or_update_client($client, true, true);
-    }
-    @setcookie(session_name(), $client['sid'], (time()+$config['cookie']['duration']), $config['cookie']['path'], $config['cookie']['domain'], false, true);
-    // post changes validate
-    if ($this->validate_client) {
-      $read_post = $this->read_if_client_exists($client['key']);
-      if ($read_post !== null) {
-        $this->verify_client($client, $read_post, true);
-      }
-    }
-  }
-}
-
 class mysqli_strict extends mysqli {
   public function bind_param($paramTypes) {
     if (!is_string($paramTypes)) {

public/include/classes/user.class.php

@@ -503,17 +503,10 @@ private function createSession($username, $lastIP='', $lastLoginTime='') {
     if (!empty($lastIP) && (!empty($lastLoginTime))) {
       $_SESSION['last_ip_pop'] = array($lastIP, $lastLoginTime);
     }
-    if ($this->config['strict'] && $this->config['memcache']['enabled']) {
-      session_regenerate_id(true);
-      $_SESSION['AUTHENTICATED'] = '1';
-      // $this->user from checkUserPassword
-      $_SESSION['USERDATA'] = $this->user;
-    } else {
-      session_regenerate_id(true);
-      $_SESSION['AUTHENTICATED'] = '1';
-      // $this->user from checkUserPassword
-      $_SESSION['USERDATA'] = $this->user;
-    }
+    session_regenerate_id(true);
+    $_SESSION['AUTHENTICATED'] = '1';
+    // $this->user from checkUserPassword
+    $_SESSION['USERDATA'] = $this->user;
   }
 
   /**
@@ -814,17 +807,10 @@ public function initResetPassword($username) {
    **/
 public function isAuthenticated($logout=true) {
     $this->debug->append("STA " . __METHOD__, 4);
-    if (!$this->config['strict']) {
-      if (@$_SESSION['AUTHENTICATED'] == true &&
-      !$this->isLocked($_SESSION['USERDATA']['id']) &&
-      $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
-      ) return true;
-    } else {
-      if (@$_SESSION['AUTHENTICATED'] && $_SESSION['AUTHENTICATED'] == '1' &&
-      (!$this->isLocked($_SESSION['USERDATA']['id'])) &&
-      ($this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']))
-        return true;
-    }
+    if (@$_SESSION['AUTHENTICATED'] == true &&
+    !$this->isLocked($_SESSION['USERDATA']['id']) &&
+    $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
+    ) return true;
     // Catchall
     if ($logout == true) $this->logoutUser($_SERVER['REQUEST_URI']);
     return false;

public/include/config/security.inc.dist.php

@@ -2,22 +2,12 @@
 $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
- * Strict Mode
- *  Extra security options that can help protect against a few different types of attacks
- *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-strict-mode
+ * Misc
+ *  Extra security settings
+ *   
  **/
-$config['strict'] = true;
-$config['strict__https_only'] = false;
-$config['strict__mysql_filter'] = true;
-$config['strict__verify_client'] = true;
-$config['strict__verify_client_ip'] = true;
-$config['strict__verify_client_useragent'] = true;
-$config['strict__verify_client_sessionid'] = true;
-$config['strict__verify_client_fails'] = 0;
-$config['strict__verify_server'] = false;
-$config['strict__bind_protocol'] = 'https';
-$config['strict__bind_host'] = '';
-$config['strict__bind_port'] = 443;
+$config['https_only'] = false;
+$config['mysql_filter'] = true;
 
 /**
  * Memcache Rate Limiting

public/include/database.inc.php

@@ -2,7 +2,7 @@
 $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Instantiate class, we are using mysqlng
-if ($config['strict'] && $config['strict__mysql_filter']) {
+if ($config['mysql_filter']) {
   $mysqli = new mysqli_strict($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
 } else {
   $mysqli = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);