Fixed session IP check still being performed when CookieIpCheck is false.

2025-02-15 04:21:51 +00:00 · 2022-02-24 12:22:01 -08:00 · 2022-02-24 12:22:01 -08:00 · 15e1718296
commit 15e1718296
parent db707b6525
2 changed files with 5 additions and 5 deletions
--- a/certoperations.js
+++ b/certoperations.js
@ -233,7 +233,7 @@ module.exports.CertificateOperations = function (parent) {
                // Compute the SHA256 and SHA1 hashes of the root certificate
                for (var k in r.certs) {
-                    if (r.certs[k].subject.hash != r.certs[k].issuer.hash) { amtacmactivation.acmCertErrors.push("Invalid Intel AMT ACM certificate chain."); continue; }
+                    if (r.certs[k].subject.hash != r.certs[k].issuer.hash) continue;
                    const certdata = obj.forge.asn1.toDer(obj.pki.certificateToAsn1(r.certs[k])).data;
                    var md = obj.forge.md.sha256.create();
                    md.update(certdata);
--- a/webserver.js
+++ b/webserver.js
@ -1140,7 +1140,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                                var maxCookieAge = domain.twofactorcookiedurationdays;
                                if (typeof maxCookieAge != 'number') { maxCookieAge = 30; }
                                const twoFactorCookie = obj.parent.encodeCookie({ userid: user._id, expire: maxCookieAge * 24 * 60 /*, ip: req.clientIp*/ }, obj.parent.loginCookieEncryptionKey);
-                                res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: 'strict', secure: true });
+                                res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'), secure: true });
                            }
                            // Check if email address needs to be confirmed
@ -3024,7 +3024,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                            var maxCookieAge = domain.twofactorcookiedurationdays;
                            if (typeof maxCookieAge != 'number') { maxCookieAge = 30; }
                            const twoFactorCookie = obj.parent.encodeCookie({ userid: cookie.u, expire: maxCookieAge * 24 * 60 /*, ip: req.clientIp*/ }, obj.parent.loginCookieEncryptionKey);
-                            res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: 'strict', secure: true });
+                            res.cookie('twofactor', twoFactorCookie, { maxAge: (maxCookieAge * 24 * 60 * 60 * 1000), httpOnly: true, sameSite: ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'), secure: true });
                        }
                        handleRootRequestEx(req, res, domain);
@ -5629,7 +5629,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
            keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
            secure: (obj.args.tlsoffload == null) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
        }
-        if (obj.args.sessionsamesite != null) { sessionOptions.sameSite = obj.args.sessionsamesite; } else { sessionOptions.sameSite = 'strict'; }
+        if (obj.args.sessionsamesite != null) { sessionOptions.sameSite = obj.args.sessionsamesite; } else { sessionOptions.sameSite = ((parent.config.settings.cookieipcheck === false) ? 'none' : 'strict'); }
        if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
        obj.app.use(obj.session(sessionOptions));
@ -5763,7 +5763,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
            }
            // Check the session if bound to the external IP address
-            if ((req.session.ip != null) && (req.clientIp != null) && (req.session.ip != req.clientIp)) { req.session = {}; }
+            if ((parent.config.settings.cookieipcheck !== false) && (req.session.ip != null) && (req.clientIp != null) && (req.session.ip != req.clientIp)) { req.session = {}; }
            // Extend the session time by forcing a change to the session every minute.
            if (req.session.userid != null) { req.session.t = Math.floor(Date.now() / 60e3); } else { delete req.session.t; }