Disallow current time as a session key (fix: #19, CVE-2020-11728)

We never set a cookie with the (md5 of the) current time as session key, so there's no need to allow logging in with this brute-force guessable value.

Disallow current time as a session key (fix: #19, CVE-2020-11728)
c2e808cc · Florian Schlichting · 535505c9 · c2e808cc
Commit c2e808cc authored 4 years ago by Florian Schlichting
--- a/inc/Session.php
+++ b/inc/Session.php
@@ -173,9 +173,9 @@ class Session
    else {
      $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
    }
-    $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
+    $sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";

-    $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
+    $qry = new AwlQuery($sql, $session_id, $session_key);
    if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
      $this->AssignSessionDetails( $qry->Fetch() );
      $qry = new AwlQuery('UPDATE session SET session_end = current_timestamp WHERE session_id=?', $session_id);
@@ -384,9 +384,9 @@ class Session
            else {
              $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
            }
-            $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
+            $sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";

-            $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
+            $qry = new AwlQuery($sql, $session_id, $session_key);
            if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
              $this->AssignSessionDetails( $qry->Fetch() );
            }