提升Cookie安全性

2025-11-04 05:00:25 +08:00 · 2023-04-09 17:10:53 +08:00
parent 368149b70c
commit 9e3770aac9
5 changed files with 83 additions and 29 deletions
--- a/internal/nodes/session_manager.go
+++ b/internal/nodes/session_manager.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 )

+// SessionManager SESSION管理
 type SessionManager struct {
 	life uint
 }
--- a/internal/web/actions/default/index/index.go
+++ b/internal/web/actions/default/index/index.go
@@ -9,6 +9,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
 	adminserverutils "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/settings/server/admin-server-utils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
 	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
@@ -103,6 +104,9 @@ func (this *IndexAction) RunGet(params struct {
 		this.Data["rememberLogin"] = securityConfig.AllowRememberLogin
 	}

+	// 删除Cookie
+	loginutils.UnsetCookie(this.Object())
+
 	this.Show()
 }

--- a/internal/web/actions/default/index/loginutils/utils.go
+++ b/internal/web/actions/default/index/loginutils/utils.go
@@ -0,0 +1,60 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package loginutils
+
+import (
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/iwind/TeaGo/actions"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"net/http"
+)
+
+// CalculateClientFingerprint 计算客户端指纹
+func CalculateClientFingerprint(action *actions.ActionObject) string {
+	return stringutil.Md5(action.RequestRemoteIP() + "@" + action.Request.UserAgent())
+}
+
+func SetCookie(action *actions.ActionObject, remember bool) {
+	if remember {
+		var cookie = &http.Cookie{
+			Name:     teaconst.CookieSID,
+			Value:    action.Session().Sid,
+			Path:     "/",
+			MaxAge:   14 * 86400,
+			HttpOnly: true,
+		}
+		if action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
+		}
+		action.AddCookie(cookie)
+	} else {
+		var cookie = &http.Cookie{
+			Name:     teaconst.CookieSID,
+			Value:    action.Session().Sid,
+			Path:     "/",
+			MaxAge:   0,
+			HttpOnly: true,
+		}
+		if action.Request.TLS != nil {
+			cookie.SameSite = http.SameSiteStrictMode
+			cookie.Secure = true
+		}
+		action.AddCookie(cookie)
+	}
+}
+
+func UnsetCookie(action *actions.ActionObject) {
+	cookie := &http.Cookie{
+		Name:     teaconst.CookieSID,
+		Value:    action.Session().Sid,
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+	}
+	if action.Request.TLS != nil {
+		cookie.SameSite = http.SameSiteStrictMode
+		cookie.Secure = true
+	}
+	action.AddCookie(cookie)
+}
--- a/internal/web/helpers/user_must_auth.go
+++ b/internal/web/helpers/user_must_auth.go
@@ -7,6 +7,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/goman"
 	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
 	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
@@ -173,8 +174,19 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		return false
 	}

+	// 检查指纹
+	var clientFingerprint = session.GetString("@fingerprint")
+	if len(clientFingerprint) > 0 && clientFingerprint != loginutils.CalculateClientFingerprint(action) {
+		loginutils.UnsetCookie(action)
+		session.Delete()
+
+		this.login(action)
+		return false
+	}
+
 	// 检查用户是否存在
 	if !configloaders.CheckAdmin(adminId) {
+		loginutils.UnsetCookie(action)
 		session.Delete()

 		this.login(action)
--- a/internal/web/helpers/user_should_auth.go
+++ b/internal/web/helpers/user_should_auth.go
@@ -4,6 +4,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils/numberutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
 	"github.com/iwind/TeaGo/actions"
 	"net"
 	"net/http"
@@ -53,35 +54,10 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN

 // StoreAdmin 存储用户名到SESSION
 func (this *UserShouldAuth) StoreAdmin(adminId int64, remember bool) {
-	// 修改sid的时间
-	if remember {
-		cookie := &http.Cookie{
-			Name:     teaconst.CookieSID,
-			Value:    this.action.Session().Sid,
-			Path:     "/",
-			MaxAge:   14 * 86400,
-			HttpOnly: true,
-		}
-		if this.action.Request.TLS != nil {
-			cookie.SameSite = http.SameSiteStrictMode
-			cookie.Secure = true
-		}
-		this.action.AddCookie(cookie)
-	} else {
-		cookie := &http.Cookie{
-			Name:     teaconst.CookieSID,
-			Value:    this.action.Session().Sid,
-			Path:     "/",
-			MaxAge:   0,
-			HttpOnly: true,
-		}
-		if this.action.Request.TLS != nil {
-			cookie.SameSite = http.SameSiteStrictMode
-			cookie.Secure = true
-		}
-		this.action.AddCookie(cookie)
-	}
-	this.action.Session().Write("adminId", numberutils.FormatInt64(adminId))
+	loginutils.SetCookie(this.action, remember)
+	var session = this.action.Session()
+	session.Write("adminId", numberutils.FormatInt64(adminId))
+	session.Write("@fingerprint", loginutils.CalculateClientFingerprint(this.action))
 }

 func (this *UserShouldAuth) IsUser() bool {
@@ -93,5 +69,6 @@ func (this *UserShouldAuth) AdminId() int {
 }

 func (this *UserShouldAuth) Logout() {
+	loginutils.UnsetCookie(this.action)
 	this.action.Session().Delete()
 }