session manager

Author: cconard96

CHANGELOG.md

@@ -7,7 +7,6 @@ The present file will list all changes made to the project; according to the
 ## [12.0.0] unreleased
 
 ### Added
-- Sessions tab for OAuth Clients to display non-expired sessions associated with the client and allow revoking them.
 - Improved client IP detection.
   If your GLPI instance is behind a reverse proxy, you should add its IP(s) the new `GLPI_TRUSTED_REVERSE_PROXIES` constant and modify the new `GLPI_REVERSE_PROXY_HEADERS` constant to include the headers your proxy uses to forward the client IP.
   Only the required HTTP headers should be listed for better security as any header not handled by the proxy could be spoofed by the client.

composer.json

@@ -50,6 +50,7 @@
         "league/oauth2-client": "^2.9",
         "league/oauth2-google": "^5.0",
         "league/oauth2-server": "^9.3",
+        "matomo/device-detector": "^6.5",
         "mexitek/phpcolors": "^1.0",
         "monolog/monolog": "^3.10",
         "paragonie/sodium_compat": "^2.5",

composer.lock

@@ -0,0 +1,99 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2026 Teclib' and contributors.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+/**
+ * @var Migration $migration
+ * @var DBmysql $DB
+ */
+
+use Ramsey\Uuid\Uuid;
+
+if (!$DB->tableExists('glpi_user_sessions')) {
+    $DB->doQuery(<<<SQL
+        CREATE TABLE `glpi_user_sessions` (
+            `id` int unsigned NOT NULL AUTO_INCREMENT,
+            `users_id` int unsigned NOT NULL,
+            `session_token_hash` varchar(64) NOT NULL,
+            `session_file` varchar(261) NOT NULL COMMENT 'Session filename. PHP allows up to 256 characters for session IDs + the "sess_" prefix used by default.',
+            `ip_address` varchar(45) NOT NULL,
+            `user_agent` varchar(512) NOT NULL,
+            `auth_type` tinyint NOT NULL,
+            `created_at` timestamp NOT NULL,
+            `last_activity_at` timestamp NOT NULL,
+            PRIMARY KEY (`id`),
+            UNIQUE KEY `session_token_hash` (`session_token_hash`),
+            KEY `users_id` (`users_id`),
+            KEY `last_activity_at` (`last_activity_at`)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+SQL);
+}
+
+if (!$DB->tableExists('glpi_user_session_history')) {
+    $DB->doQuery(<<<SQL
+        CREATE TABLE `glpi_user_session_history` (
+            `id` int unsigned NOT NULL AUTO_INCREMENT,
+            `users_id` int unsigned NOT NULL,
+            `session_token_hash` varchar(64) NOT NULL,
+            `ip_address` varchar(45) NOT NULL,
+            `user_agent` varchar(512) NOT NULL,
+            `auth_type` tinyint NOT NULL,
+            `logged_in_at` timestamp NOT NULL,
+            `logged_out_at` timestamp NULL DEFAULT NULL,
+            `logout_reason` enum('user', 'admin', 'expired') DEFAULT NULL,
+            `users_id_revoked_by` int unsigned DEFAULT NULL,
+            PRIMARY KEY (`id`),
+            UNIQUE KEY `session_token_hash` (`session_token_hash`),
+            KEY `users_id` (`users_id`, `logged_in_at` DESC),
+            KEY `users_id_revoked_by` (`users_id_revoked_by`),
+            KEY `logged_out_at` (`logged_out_at`)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+SQL);
+}
+
+// Add a uuid column to glpi_oauth_access_tokens without NOT NULL constraint, generate UUIDs for existing records, then add the NOT NULL constraint
+if (!$DB->fieldExists('glpi_oauth_access_tokens', 'uuid')) {
+    $migration->addField('glpi_oauth_access_tokens', 'uuid', 'varchar(255)', ['null' => true, 'after' => 'identifier']);
+    $migration->migrationOneTable('glpi_oauth_access_tokens');
+    // Generating UUIDs in PHP because MySQL only has UUID() which is v1 and typically expect v4.
+    $count = countElementsInTable('glpi_oauth_access_tokens', ['uuid' => null]);
+    $it = $DB->request([
+        'SELECT' => ['identifier'],
+        'FROM' => 'glpi_oauth_access_tokens',
+        'WHERE' => ['uuid' => null],
+    ]);
+    foreach ($it as $row) {
+        $DB->update('glpi_oauth_access_tokens', ['uuid' => Uuid::uuid4()->toString()], ['identifier' => $row['identifier']]);
+    }
+    $migration->changeField('glpi_oauth_access_tokens', 'uuid', 'uuid', 'varchar(255)', ['null' => false, 'after' => 'identifier']);
+}

install/migrations/update_11.0.x_to_12.0.0/sessions.php

@@ -10024,12 +10024,14 @@ CREATE TABLE `glpi_changesatisfactions` (
 DROP TABLE IF EXISTS `glpi_oauth_access_tokens`;
 CREATE TABLE `glpi_oauth_access_tokens` (
    `identifier` varchar(255) NOT NULL,
+   `uuid` varchar(255) NOT NULL,
    `client` varchar(255) NOT NULL,
    `date_expiration` timestamp NOT NULL,
    `user_identifier` varchar(255) DEFAULT NULL,
    `scopes` text DEFAULT NULL,
    `ip_address` varchar(45) DEFAULT NULL,
    PRIMARY KEY (`identifier`),
+   KEY `uuid` (`uuid`),
    KEY `client` (`client`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 
@@ -10502,8 +10504,6 @@ CREATE TABLE `glpi_itemtranslations_itemtranslations` (
   KEY `item` (`itemtype`, `items_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 
-### Dump table glpi_sharetokens
-
 DROP TABLE IF EXISTS `glpi_sharetokens`;
 CREATE TABLE `glpi_sharetokens` (
   `id` int unsigned NOT NULL AUTO_INCREMENT,
@@ -10529,4 +10529,41 @@ CREATE TABLE `glpi_sharetokens` (
   KEY `date_expiration` (`date_expiration`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
 
+
+DROP TABLE IF EXISTS `glpi_user_sessions`;
+CREATE TABLE `glpi_user_sessions` (
+    `id` int unsigned NOT NULL AUTO_INCREMENT,
+    `users_id` int unsigned NOT NULL,
+    `session_token_hash` varchar(64) NOT NULL,
+    `session_file` varchar(261) NOT NULL COMMENT 'Session filename. PHP allows up to 256 characters for session IDs + the "sess_" prefix used by default.',
+    `ip_address` varchar(45) NOT NULL,
+    `user_agent` varchar(512) NOT NULL,
+    `auth_type` tinyint NOT NULL,
+    `created_at` timestamp NOT NULL,
+    `last_activity_at` timestamp NOT NULL,
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `session_token_hash` (`session_token_hash`),
+    KEY `users_id` (`users_id`),
+    KEY `last_activity_at` (`last_activity_at`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+
+DROP TABLE IF EXISTS `glpi_user_session_history`;
+CREATE TABLE `glpi_user_session_history` (
+    `id` int unsigned NOT NULL AUTO_INCREMENT,
+    `users_id` int unsigned NOT NULL,
+    `session_token_hash` varchar(64) NOT NULL,
+    `ip_address` varchar(45) NOT NULL,
+    `user_agent` varchar(512) NOT NULL,
+    `auth_type` tinyint NOT NULL,
+    `logged_in_at` timestamp NOT NULL,
+    `logged_out_at` timestamp NULL DEFAULT NULL,
+    `logout_reason` enum('user', 'admin', 'expired') DEFAULT NULL,
+    `users_id_revoked_by` int unsigned DEFAULT NULL,
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `session_token_hash` (`session_token_hash`),
+    KEY `users_id` (`users_id`, `logged_in_at` DESC),
+    KEY `users_id_revoked_by` (`users_id_revoked_by`),
+    KEY `logged_out_at` (`logged_out_at`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci ROW_FORMAT=DYNAMIC;
+
 SET FOREIGN_KEY_CHECKS=1;

install/mysql/glpi-empty.sql

@@ -1773,4 +1773,12 @@ public static function setRememberMeCookie(string $cookie_value): void
             $_COOKIE[$cookie_name] = $cookie_value;
         }
     }
+
+    /**
+     * @return int
+     */
+    public function getAuthType(): int
+    {
+        return $this->auth_type;
+    }
 }

src/Auth.php

@@ -41,6 +41,7 @@
 use Glpi\DBAL\QueryFunction;
 use Glpi\Error\ErrorHandler;
 use Glpi\Event;
+use Glpi\Security\SessionTracker;
 use Safe\Exceptions\FilesystemException;
 use Safe\Exceptions\InfoException;
 
@@ -1552,12 +1553,14 @@ public static function cronSession(self $task): int
                 // Delete session file if not delete before
                 try {
                     @unlink($filename);
+                    $base_filename = basename($filename);
                     ++$nb;
                 } catch (FilesystemException $e) {
-                    //mepty catch
+                    //empty catch
                 }
             }
         }
+        SessionTracker::revokeSessionsByAge($maxlifetime);
 
         $task->setVolume($nb);
         if ($nb) {

src/CronTask.php

@@ -92,6 +92,7 @@ class DBmysqlIterator implements SeekableIterator, Countable
         '|',
         'IN',
         'NOT IN',
+        'BETWEEN',
     ];
 
     /**