Mirrors/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2026-01-23 02:14:26 +00:00
Code Issues Projects Releases Wiki Activity

Merge 64fe2e6d0d into e727620bd3

Browse source
This commit is contained in:
Copilot 2026-01-09 12:09:24 -03:00 committed by GitHub
commit fdce2ed274
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 17 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
data/web/inc/functions.inc.php
View file

@ -3397,6 +3397,8 @@ function set_user_loggedin_session($user) {
session_regenerate_id(true);
$_SESSION['mailcow_cc_username'] = $user;
$_SESSION['mailcow_cc_role'] = 'user';
// Update User-Agent after session regeneration to prevent validation errors
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
$_SESSION['sogo-sso-user-allowed'][] = $user;
$_SESSION['sogo-sso-pass'] = $sogo_sso_pass;

9
data/web/inc/sessions.inc.php
View file

@ -43,6 +43,9 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
session_unset();
session_destroy();
session_start();
// After destroying session, we need to reset the User-Agent for the new session
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
}
$_SESSION['LAST_ACTIVITY'] = time();
@ -134,6 +137,12 @@ function session_check() {
return true;
}
if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
// In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
// Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
return true;
}
$_SESSION['return'][] = array(
'type' => 'warning',
'msg' => 'session_ua'

2
data/web/inc/triggers.admin.inc.php
View file

@ -50,6 +50,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
session_regenerate_id(true);
$_SESSION['mailcow_cc_username'] = $login_user;
$_SESSION['mailcow_cc_role'] = "admin";
// Update User-Agent after session regeneration to prevent validation errors
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
header("Location: /admin/dashboard");
die();
}

4
data/web/inc/triggers.domainadmin.inc.php
View file

@ -7,6 +7,8 @@ if (!empty($_GET['sso_token'])) {
session_regenerate_id(true);
$_SESSION['mailcow_cc_username'] = $username;
$_SESSION['mailcow_cc_role'] = 'domainadmin';
// Update User-Agent after session regeneration to prevent validation errors
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
header('Location: /domainadmin/mailbox');
}
}
@ -61,6 +63,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
session_regenerate_id(true);
$_SESSION['mailcow_cc_username'] = $login_user;
$_SESSION['mailcow_cc_role'] = "domainadmin";
// Update User-Agent after session regeneration to prevent validation errors
$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
header("Location: /domainadmin/mailbox");
die();
}