authtoken security #7

@Dgc2002

Description

The current authtoken is the result of a convoluted and ineffective process seen here.

What's even worse is decrypt_authtoken, which is used in check_auth.php. decrypt_authtoken simply takes the auth token and returns the string found following the last colon. check_auth treats that result as the username, which it is. The issue is that there's no verification; it effectively treats this as a session management token, which it isn't. Simply take the result of

```php
bin2hex("admin");
```

and use it as the last section of your auth token and you're the admin user.

My suggestion is to nuke everything dealing with authtoken and rely on PHP sessions. Here are some relevant links:
http://php.net/manual/en/book.session.php
http://php.net/manual/en/session.security.php
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Authentication_and_Session_Management_Cheat_Sheet

When I rewrote the PHP app for a CDC a while back, I ended up just writing a session management system. It did the following:

  • took care of session creation
  • Regenerated session id every minute or so (a little anal for the real world... but it's a CDC)
  • Killed a session if the current remote IP was different from the login IP
  • Was the first file included on login-only pages and would redirect you if any checks failed
  • And other things that I forget
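The two halves of the issue, as an added example (not the project's own code): the first function models the decrypt_authtoken behaviour described above, on the assumption that the last colon-separated field is hex-decoded and returned as the username (the real function may differ in detail); the second half is one way to do what the issue suggests instead, using PHP's native sessions with id regeneration and IP binding. The helper names, the `$users` table and the cookie settings are assumptions.

```php
<?php
// Added example, not the project's code.

// --- As described in the issue: no verification, the token is just a label ---
// Assumption: the last ':'-separated field is hex2bin'd and used as the username.
function decrypt_authtoken_as_described(string $token): string {
    $last = substr($token, strrpos($token, ':') + 1);
    return (string) hex2bin($last);   // whatever the client sent is the "username"
}

// Forged token: anything in front, bin2hex("admin") as the last section.
$forged = 'whatever:whatever:' . bin2hex('admin');
var_dump(decrypt_authtoken_as_described($forged));   // string(5) "admin"

// --- Suggested replacement: rely on PHP sessions ----------------------------
const SESSION_REGENERATE_INTERVAL = 60;   // seconds, per "every minute or so"

function secure_session_start(): void {
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');   // never accept ids from the URL
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the app is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $users is a constructed username => password_hash() table (an assumption).
function login(string $username, string $password, array $users): bool {
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);     // fresh id on privilege change (anti-fixation)
    $_SESSION['user']     = $username;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['regen_at'] = time();
    return true;
}

// Include this first on login-only pages; redirects if any check fails.
function require_login(string $login_url = '/login.php'): void {
    $ok = isset($_SESSION['user'])
       && ($_SESSION['login_ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    if (!$ok) {                      // no session, or remote IP changed since login
        session_unset();
        session_destroy();
        header('Location: ' . $login_url);
        exit;
    }
    if (time() - ($_SESSION['regen_at'] ?? 0) > SESSION_REGENERATE_INTERVAL) {
        session_regenerate_id(true); // periodic rotation, as the issue describes
        $_SESSION['regen_at'] = time();
    }
}

// Usage with a constructed sample user (the hash is generated at runtime):
secure_session_start();
$users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
var_dump(login('admin', 'correct horse battery staple', $users));   // bool(true)
var_dump(login('admin', 'wrong password', $users));                 // bool(false)
require_login();
echo "logged in as {$_SESSION['user']}\n";
```

The point of the contrast: in the first half the "token" carries no secret the server can verify, so the client chooses its own identity; in the second half the only thing the client holds is an opaque session id that the server generated, and the username lives in server-side `$_SESSION` state set during a successful `password_verify`.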
