end
end
- before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization
+ before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
rescue_from ::Unauthorized, :with => :deny_access
rescue_from ::ActionView::MissingTemplate, :with => :missing_template
include Redmine::SudoMode::Controller
def session_expiration
- if session[:user_id]
+ if session[:user_id] && Rails.application.config.redmine_verify_sessions != false
if session_expired? && !try_to_autologin
set_localization(User.active.find_by_id(session[:user_id]))
self.logged_user = nil
flash[:error] = l(:error_session_expired)
require_login
- else
- session[:atime] = Time.now.utc.to_i
end
end
end
def session_expired?
- if Setting.session_lifetime?
- unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60)
- return true
- end
- end
- if Setting.session_timeout?
- unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60)
- return true
- end
- end
- false
+ ! User.verify_session_token(session[:user_id], session[:tk])
end
def start_user_session(user)
session[:user_id] = user.id
- session[:ctime] = Time.now.utc.to_i
- session[:atime] = Time.now.utc.to_i
+ session[:tk] = user.generate_session_token
if user.must_change_password?
session[:pwd] = '1'
end
user
end
- def force_logout_if_password_changed
- passwd_changed_on = User.current.passwd_changed_on || Time.at(0)
- # Make sure we force logout only for web browser sessions, not API calls
- # if the password was changed after the session creation.
- if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i
- reset_session
- set_localization
- flash[:error] = l(:error_session_expired)
- redirect_to signin_url
- end
- end
-
def autologin_cookie_name
Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
end
if User.current.logged?
cookies.delete(autologin_cookie_name)
Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
+ Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]])
self.logged_user = nil
end
end
@user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
@user.must_change_passwd = false
if @user.save
- # Reset the session creation time to not log out this session on next
- # request due to ApplicationController#force_logout_if_password_changed
- session[:ctime] = User.current.passwd_changed_on.utc.to_i
+ # The session token was destroyed by the password change, generate a new one
+ session[:tk] = @user.generate_session_token
flash[:notice] = l(:notice_account_password_updated)
redirect_to my_account_path
end
# Delete all expired tokens
def self.destroy_expired
- Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api'], Time.now - validity_time).delete_all
+ Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
end
# Returns the active user who owns the key for the given action
# Removes obsolete tokens (same user and action)
def delete_previous_tokens
if user
- Token.where(:user_id => user.id, :action => action).delete_all
+ scope = Token.where(:user_id => user.id, :action => action)
+ if action == 'session'
+ ids = scope.order(:updated_on => :desc).offset(9).ids
+ if ids.any?
+ Token.delete(ids)
+ end
+ else
+ scope.delete_all
+ end
end
end
end
api_token.value
end
+ # Generates a new session token and returns its value
+ def generate_session_token
+ token = Token.create!(:user_id => id, :action => 'session')
+ token.value
+ end
+
+ # Returns true if token is a valid session token for the user whose id is user_id
+ def self.verify_session_token(user_id, token)
+ return false if user_id.blank? || token.blank?
+
+ scope = Token.where(:user_id => user_id, :value => token.to_s, :action => 'session')
+ if Setting.session_lifetime?
+ scope = scope.where("created_on > ?", Setting.session_lifetime.to_i.minutes.ago)
+ end
+ if Setting.session_timeout?
+ scope = scope.where("updated_on > ?", Setting.session_timeout.to_i.minutes.ago)
+ end
+ scope.update_all(:updated_on => Time.now) == 1
+ end
+
# Return an array of project ids for which the user has explicitly turned mail notifications on
def notified_projects_ids
@notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
# This helps to keep the account secure in case the associated email account
# was compromised.
def destroy_tokens
- if hashed_password_changed?
- tokens = ['recovery', 'autologin']
+ if hashed_password_changed? || (status_changed? && !active?)
+ tokens = ['recovery', 'autologin', 'session']
Token.where(:user_id => id, :action => tokens).delete_all
end
end
# Disable request forgery protection in test environment.
config.action_controller.allow_forgery_protection = false
+ # Disable sessions verifications in test environment.
+ config.redmine_verify_sessions = false
+
# Print deprecation notices to stderr and the Rails logger.
config.active_support.deprecation = [:stderr, :log]
--- /dev/null
+class AddTokensUpdatedOn < ActiveRecord::Migration
+ def self.up
+ add_column :tokens, :updated_on, :timestamp
+ Token.update_all("updated_on = created_on")
+ end
+
+ def self.down
+ remove_column :tokens, :updated_on
+ end
+end
assert User.try_to_login('jsmith', 'secret123')
end
- def test_change_password_kills_other_sessions
- @request.session[:ctime] = (Time.now - 30.minutes).utc.to_i
-
- jsmith = User.find(2)
- jsmith.passwd_changed_on = Time.now
- jsmith.save!
-
- get 'account'
- assert_response 302
- assert flash[:error].match(/Your session has expired/)
- end
-
def test_change_password_should_redirect_if_user_cannot_change_its_password
User.find(2).update_attribute(:auth_source_id, 1)
--- /dev/null
+# Redmine - project management software
+# Copyright (C) 2006-2015 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionsControllerTest < ActionController::TestCase
+ include Redmine::I18n
+ tests WelcomeController
+
+ fixtures :users, :email_addresses
+
+ def setup
+ Rails.application.config.redmine_verify_sessions = true
+ end
+
+ def teardown
+ Rails.application.config.redmine_verify_sessions = false
+ end
+
+ def test_session_token_should_be_updated
+ created = 10.hours.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_response :success
+ token.reload
+ assert_equal created, token.created_on
+ assert_not_equal created, token.updated_on
+ assert token.updated_on > created
+ end
+
+ def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
+ created = 2.years.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_lifetime => '0', :session_timeout => '0' do
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_response :success
+ end
+ end
+
+ def test_user_session_without_token_should_be_reset
+ get :index, {}, {:user_id => 2}
+ assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+ end
+
+ def test_expired_user_session_should_be_reset_if_lifetime_enabled
+ created = 2.days.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_timeout => '720' do
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+ end
+ end
+
+ def test_valid_user_session_should_not_be_reset_if_lifetime_enabled
+ created = 3.hours.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_timeout => '720' do
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_response :success
+ end
+ end
+
+ def test_expired_user_session_should_be_reset_if_timeout_enabled
+ created = 4.hours.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_timeout => '60' do
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+ end
+ end
+
+ def test_valid_user_session_should_not_be_reset_if_timeout_enabled
+ created = 10.minutes.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_timeout => '60' do
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_response :success
+ end
+ end
+
+ def test_expired_user_session_should_be_restarted_if_autologin
+ created = 2.hours.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
+ autologin_token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
+ @request.cookies['autologin'] = autologin_token.value
+
+ get :index, {}, {:user_id => 2, :tk => token.value}
+ assert_equal 2, session[:user_id]
+ assert_response :success
+ assert_not_equal token.value, session[:tk]
+ end
+ end
+
+ def test_expired_user_session_should_set_locale
+ set_language_if_valid 'it'
+ user = User.find(2)
+ user.language = 'fr'
+ user.save!
+ created = 4.hours.ago
+ token = Token.create!(:user_id => 2, :action => 'session', :created_on => created, :updated_on => created)
+
+ with_settings :session_timeout => '60' do
+ get :index, {}, {:user_id => user.id, :tk => token.value}
+ assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
+ assert_include "Veuillez vous reconnecter", flash[:error]
+ assert_equal :fr, current_language
+ end
+ end
+
+ def test_anonymous_session_should_not_be_reset
+ with_settings :session_lifetime => '720', :session_timeout => '60' do
+ get :index
+ assert_response :success
+ end
+ end
+end
+++ /dev/null
-# Redmine - project management software
-# Copyright (C) 2006-2015 Jean-Philippe Lang
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-require File.expand_path('../../test_helper', __FILE__)
-
-class SessionStartTest < ActionController::TestCase
- tests AccountController
-
- fixtures :users
-
- def test_login_should_set_session_timestamps
- post :login, :username => 'jsmith', :password => 'jsmith'
- assert_response 302
- assert_equal 2, session[:user_id]
- assert_not_nil session[:ctime]
- assert_not_nil session[:atime]
- end
-end
-
-class SessionsTest < ActionController::TestCase
- include Redmine::I18n
- tests WelcomeController
-
- fixtures :users, :email_addresses
-
- def test_atime_from_user_session_should_be_updated
- created = 2.hours.ago.utc.to_i
- get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
- assert_response :success
- assert_equal created, session[:ctime]
- assert_not_equal created, session[:atime]
- assert session[:atime] > created
- end
-
- def test_user_session_should_not_be_reset_if_lifetime_and_timeout_disabled
- with_settings :session_lifetime => '0', :session_timeout => '0' do
- get :index, {}, {:user_id => 2}
- assert_response :success
- end
- end
-
- def test_user_session_without_ctime_should_be_reset_if_lifetime_enabled
- with_settings :session_lifetime => '720' do
- get :index, {}, {:user_id => 2}
- assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
- end
- end
-
- def test_user_session_with_expired_ctime_should_be_reset_if_lifetime_enabled
- with_settings :session_timeout => '720' do
- get :index, {}, {:user_id => 2, :atime => 2.days.ago.utc.to_i}
- assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
- end
- end
-
- def test_user_session_with_valid_ctime_should_not_be_reset_if_lifetime_enabled
- with_settings :session_timeout => '720' do
- get :index, {}, {:user_id => 2, :atime => 3.hours.ago.utc.to_i}
- assert_response :success
- end
- end
-
- def test_user_session_without_atime_should_be_reset_if_timeout_enabled
- with_settings :session_timeout => '60' do
- get :index, {}, {:user_id => 2}
- assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
- end
- end
-
- def test_user_session_with_expired_atime_should_be_reset_if_timeout_enabled
- with_settings :session_timeout => '60' do
- get :index, {}, {:user_id => 2, :atime => 4.hours.ago.utc.to_i}
- assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
- end
- end
-
- def test_user_session_with_valid_atime_should_not_be_reset_if_timeout_enabled
- with_settings :session_timeout => '60' do
- get :index, {}, {:user_id => 2, :atime => 10.minutes.ago.utc.to_i}
- assert_response :success
- end
- end
-
- def test_expired_user_session_should_be_restarted_if_autologin
- with_settings :session_lifetime => '720', :session_timeout => '60', :autologin => 7 do
- token = Token.create!(:user_id => 2, :action => 'autologin', :created_on => 1.day.ago)
- @request.cookies['autologin'] = token.value
- created = 2.hours.ago.utc.to_i
-
- get :index, {}, {:user_id => 2, :ctime => created, :atime => created}
- assert_equal 2, session[:user_id]
- assert_response :success
- assert_not_equal created, session[:ctime]
- assert session[:ctime] >= created
- end
- end
-
- def test_expired_user_session_should_set_locale
- set_language_if_valid 'it'
- user = User.find(2)
- user.language = 'fr'
- user.save!
-
- with_settings :session_timeout => '60' do
- get :index, {}, {:user_id => user.id, :atime => 4.hours.ago.utc.to_i}
- assert_redirected_to 'http://test.host/login?back_url=http%3A%2F%2Ftest.host%2F'
- assert_include "Veuillez vous reconnecter", flash[:error]
- assert_equal :fr, current_language
- end
- end
-
- def test_anonymous_session_should_not_be_reset
- with_settings :session_lifetime => '720', :session_timeout => '60' do
- get :index
- assert_response :success
- end
- end
-end
assert_template "my/account"
end
+ def test_login_should_set_session_token
+ assert_difference 'Token.count' do
+ log_user('jsmith', 'jsmith')
+
+ assert_equal 2, session[:user_id]
+ assert_not_nil session[:tk]
+ end
+ end
+
def test_autologin
user = User.find(1)
- Setting.autologin = "7"
Token.delete_all
- # User logs in with 'autologin' checked
- post '/login', :username => user.login, :password => 'admin', :autologin => 1
- assert_redirected_to '/my/page'
- token = Token.first
- assert_not_nil token
- assert_equal user, token.user
- assert_equal 'autologin', token.action
- assert_equal user.id, session[:user_id]
- assert_equal token.value, cookies['autologin']
-
- # Session is cleared
- reset!
- User.current = nil
- # Clears user's last login timestamp
- user.update_attribute :last_login_on, nil
- assert_nil user.reload.last_login_on
-
- # User comes back with user's autologin cookie
- cookies[:autologin] = token.value
- get '/my/page'
- assert_response :success
- assert_template 'my/page'
- assert_equal user.id, session[:user_id]
- assert_not_nil user.reload.last_login_on
+ with_settings :autologin => '7' do
+ assert_difference 'Token.count', 2 do
+ # User logs in with 'autologin' checked
+ post '/login', :username => user.login, :password => 'admin', :autologin => 1
+ assert_redirected_to '/my/page'
+ end
+ token = Token.where(:action => 'autologin').order(:id => :desc).first
+ assert_not_nil token
+ assert_equal user, token.user
+ assert_equal 'autologin', token.action
+ assert_equal user.id, session[:user_id]
+ assert_equal token.value, cookies['autologin']
+
+ # Session is cleared
+ reset!
+ User.current = nil
+ # Clears user's last login timestamp
+ user.update_attribute :last_login_on, nil
+ assert_nil user.reload.last_login_on
+
+ # User comes back with user's autologin cookie
+ cookies[:autologin] = token.value
+ get '/my/page'
+ assert_response :success
+ assert_template 'my/page'
+ assert_equal user.id, session[:user_id]
+ assert_not_nil user.reload.last_login_on
+ end
end
def test_autologin_should_use_autologin_cookie_name
Redmine::Configuration.stubs(:[]).with('sudo_mode_timeout').returns(15)
with_settings :autologin => '7' do
- assert_difference 'Token.count' do
+ assert_difference 'Token.count', 2 do
post '/login', :username => 'admin', :password => 'admin', :autologin => 1
assert_response 302
end
get '/my/page'
assert_response :success
- assert_difference 'Token.count', -1 do
+ assert_difference 'Token.count', -2 do
post '/logout'
end
assert cookies['custom_autologin'].blank?
assert_equal 'Password was successfully updated.', flash[:notice]
log_user('jsmith', 'newpass123')
- assert_equal 0, Token.count
+ assert_equal false, Token.exists?(token.id), "Password recovery token was not deleted"
end
def test_user_with_must_change_passwd_should_be_forced_to_change_its_password
--- /dev/null
+# Redmine - project management software
+# Copyright (C) 2006-2015 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class SessionsTest < Redmine::IntegrationTest
+ fixtures :users, :email_addresses, :roles
+
+ def setup
+ Rails.application.config.redmine_verify_sessions = true
+ end
+
+ def teardown
+ Rails.application.config.redmine_verify_sessions = false
+ end
+
+ def test_change_password_kills_sessions
+ log_user('jsmith', 'jsmith')
+
+ jsmith = User.find(2)
+ jsmith.password = "somenewpassword"
+ jsmith.save!
+
+ get '/my/account'
+ assert_response 302
+ assert flash[:error].match(/Your session has expired/)
+ end
+
+ def test_lock_user_kills_sessions
+ log_user('jsmith', 'jsmith')
+
+ jsmith = User.find(2)
+ assert jsmith.lock!
+ assert jsmith.activate!
+
+ get '/my/account'
+ assert_response 302
+ assert flash[:error].match(/Your session has expired/)
+ end
+
+ def test_update_user_does_not_kill_sessions
+ log_user('jsmith', 'jsmith')
+
+ jsmith = User.find(2)
+ jsmith.firstname = 'Robert'
+ jsmith.save!
+
+ get '/my/account'
+ assert_response 200
+ end
+
+ def test_change_password_generates_a_new_token_for_current_session
+ log_user('jsmith', 'jsmith')
+ assert_not_nil token = session[:tk]
+
+ get '/my/password'
+ assert_response 200
+ post '/my/password', :password => 'jsmith',
+ :new_password => 'secret123',
+ :new_password_confirmation => 'secret123'
+ assert_response 302
+ assert_not_equal token, session[:tk]
+
+ get '/my/account'
+ assert_response 200
+ end
+
+ def test_simultaneous_sessions_should_be_valid
+ first = open_session do |session|
+ session.post "/login", :username => 'jsmith', :password => 'jsmith'
+ end
+ other = open_session do |session|
+ session.post "/login", :username => 'jsmith', :password => 'jsmith'
+ end
+
+ first.get '/my/account'
+ assert_equal 200, first.response.response_code
+ first.post '/logout'
+
+ other.get '/my/account'
+ assert_equal 200, other.response.response_code
+ end
+end
assert Token.exists?(t2.id)
end
+ def test_create_session_token_should_keep_last_10_tokens
+ Token.delete_all
+ user = User.find(1)
+
+ assert_difference 'Token.count', 10 do
+ 10.times { Token.create!(:user => user, :action => 'session') }
+ end
+
+ assert_no_difference 'Token.count' do
+ Token.create!(:user => user, :action => 'session')
+ end
+ end
+
def test_destroy_expired_should_not_destroy_feeds_and_api_tokens
Token.delete_all
projects / redmine.git / commitdiff