diff --git a/controllers/login.go b/controllers/login.go
index 638061b..643eb41 100644
--- a/controllers/login.go
+++ b/controllers/login.go
@@ -135,13 +135,13 @@ func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
 return Unauthorized(engine, e, fmt.Errorf("Ihr Benutzerkonto ist deaktiviert. Bitte kontaktieren Sie den Administrator."), data)
 }
- duration := time.Minute * 60
+ duration := time.Hour * 2
 if formdata.Persistent == "on" {
 duration = time.Hour * 24 * 90
 }
 token, err := dbmodels.CreateSessionToken(app, record.Id, e.RealIP(), e.Request.UserAgent(), formdata.Persistent == "on", duration)
- if err != nil {
+ if err != nil || token == nil || token.SessionTokenClear == "" {
 return engine.Response500(e, err, data)
 }
@@ -150,7 +150,7 @@ func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
 Name: dbmodels.SESSION_COOKIE_NAME,
 Path: "/",
 MaxAge: int(duration.Seconds()),
- Value: token.Token(),
+ Value: token.SessionTokenClear,
 SameSite: http.SameSiteLaxMode,
 HttpOnly: true,
 Secure: true,
@@ -159,7 +159,7 @@ func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
 e.SetCookie(&http.Cookie{
 Name: dbmodels.SESSION_COOKIE_NAME,
 Path: "/",
- Value: token.Token(),
+ Value: token.SessionTokenClear,
 SameSite: http.SameSiteLaxMode,
 HttpOnly: true,
 Secure: true,
diff --git a/dbmodels/session_generation.go b/dbmodels/session_generation.go
index e245ade..f6bd30a 100644
--- a/dbmodels/session_generation.go
+++ b/dbmodels/session_generation.go
@@ -2,7 +2,9 @@ package dbmodels
 import (
 "crypto/rand"
+ "crypto/sha256"
 "encoding/base64"
+ "encoding/hex"
 "fmt"
 "time"
@@ -14,6 +16,13 @@ const (
 secureTokenByteLength = 64
 )
+func HashStringSHA256(data string) string {
+ hasher := sha256.New()
+ hasher.Write([]byte(data))
+ hashedBytes := hasher.Sum(nil)
+ return hex.EncodeToString(hashedBytes)
+}
+
 func generateSecureRandomToken(length int) (string, error) {
 if length <= 0 {
 length = secureTokenByteLength
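Review bot: In the first login.go hunk, when CreateSessionToken returns a nil error together with a nil token or an empty SessionTokenClear, the widened condition hands a nil `err` to `engine.Response500`, so the failure is reported with no cause in the log or error page. Give that path an explicit error before the existing check, e.g. `if err == nil && (token == nil || token.SessionTokenClear == "") { err = fmt.Errorf("session token was not generated") }` and then keep `if err != nil { return engine.Response500(e, err, data) }` (fmt is already used on the line above). The surrounding POST handler starts and ends outside this hunk.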
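Review bot: HashStringSHA256 in the last session_generation.go hunk is exported without a doc comment, and its intended scope matters for security: an unsalted, fast SHA-256 is appropriate only for the high-entropy random tokens this package generates, never for user-chosen secrets such as passwords, and the comment should say so, e.g. `// HashStringSHA256 returns the lowercase hex SHA-256 digest of data. It is intended for the package's random session tokens, whose entropy makes an unsalted digest sufficient; do not use it for passwords or other low-entropy input.` The body can also be the one-shot form `sum := sha256.Sum256([]byte(data))` / `return hex.EncodeToString(sum[:])`, which removes the unchecked `hasher.Write` return that errcheck flags. If the sessions token column has a length limit, confirm it accepts the 64-character hex digest; the previous clear value was presumably longer, so this is likely fine but worth a check.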
@@ -55,7 +64,8 @@ func CreateSessionToken(
 session := NewSession(record)
 // Set required fields with hashed tokens
- session.SetToken(sessionTokenClear)
+ session.SessionTokenClear = sessionTokenClear
+ session.SetToken(HashStringSHA256(sessionTokenClear))
 session.SetCSRF(csrfTokenClear)
 session.SetUser(userID)
@@ -67,7 +77,7 @@ func CreateSessionToken(
 session.SetLastAccess(types.NowDateTime())
 session.SetUserAgent(userAgent)
 session.SetIP(ipAddress)
- session.SetStatus(TOKEN_STATUS_VALUES[0]) // Active
+ session.SetStatus(TOKEN_STATUS_VALUES[0])
 if errSave := app.Save(session); errSave != nil {
 app.Logger().Error("Failed to save session token record", "error", errSave, "userID", userID)
diff --git a/dbmodels/sessions.go b/dbmodels/sessions.go
index 0ef748b..cc97514 100644
--- a/dbmodels/sessions.go
+++ b/dbmodels/sessions.go
@@ -26,6 +26,7 @@ func (s *FixedSession) IsExpired() bool {
 var _ core.RecordProxy = (*Place)(nil)
 type Session struct {
+ SessionTokenClear string `json:"-"`
 core.BaseRecordProxy
 }
diff --git a/middleware/authenticated.go b/middleware/authenticated.go
index 87d366a..821015a 100644
--- a/middleware/authenticated.go
+++ b/middleware/authenticated.go
@@ -32,7 +32,8 @@ func Authenticated(app core.App) func(*core.RequestEvent) error {
 user, session, loaded := SESSION_CACHE.Get(cookie.Value)
 if !loaded {
- record, err := app.FindFirstRecordByData(dbmodels.SESSIONS_TABLE, dbmodels.SESSIONS_TOKEN_FIELD, cookie.Value)
+ hashedsession := dbmodels.HashStringSHA256(cookie.Value)
+ record, err := app.FindFirstRecordByData(dbmodels.SESSIONS_TABLE, dbmodels.SESSIONS_TOKEN_FIELD, hashedsession)
 if err != nil {
 e.SetCookie(deact_cookie)
 e.Response.Header().Set("Clear-Site-Data", "\"cookies\"")
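Review bot: The context comment `// Set required fields with hashed tokens` in the first session_generation.go hunk is now only half true: `session.SetToken` receives the SHA-256 digest, but `session.SetCSRF(csrfTokenClear)` on the next line still stores the CSRF token in clear. Either hash the CSRF value the same way (and update wherever it is compared, which is outside this hunk) or reword the comment to `// Store only the SHA-256 of the session token; the clear value is kept in memory (SessionTokenClear) so the login handler can set the cookie`. It is also worth confirming that `app.Save(session)` persists only the proxied record and not the new SessionTokenClear struct field, since the `json:"-"` tag governs JSON encoding only. CreateSessionToken starts and ends outside this hunk.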
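Review bot: SessionTokenClear in the sessions.go hunk has no doc comment explaining its lifetime, which matters because it is the only copy of the un-hashed credential: add `// SessionTokenClear holds the un-hashed session token. It is populated only by CreateSessionToken so the login handler can set the cookie, is empty on sessions loaded from the database, and is not part of the persisted record (json:"-").` — with the last clause confirmed against how the proxy is saved. Unrelated to the change, the interface assertion two lines above checks `(*Place)(nil)` rather than `(*Session)(nil)`, which looks like a copy-paste slip worth a follow-up.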
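Review bot: The database lookup in the authenticated.go hunk now uses the SHA-256 digest, but `SESSION_CACHE.Get(cookie.Value)` two lines above still keys the in-memory cache by the clear cookie value, so the raw bearer token stays resident in process memory (and in any cache dump) even though it no longer reaches the database. Compute `hashedsession := dbmodels.HashStringSHA256(cookie.Value)` before the cache lookup and key both `SESSION_CACHE.Get` and the `FindFirstRecordByData` query on it; the cache insertion after a successful load, which is outside this hunk, must then use the same digest as its key. Authenticated's body continues past the hunk on both sides.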