Session lifetime extension

aka Persisted Login plugin functionality in core code.

Allows admins to set `$config['session_lifetime_extension_days']`, which
allows users to switch on an extended session lifetime in the login form.
In effect, these user sessions are valid for the configured number of days
after the last activity, even across network outages, closed browsers (as long
as they keep their cookies), etc.

Author: pabzm

config/defaults.inc.php

@@ -646,6 +646,15 @@
 // Session lifetime in minutes
 $config['session_lifetime'] = 10;
 
+// Allow users to extend their session lifetime to up to X days by checking a
+// checkbox at the login. Practically this means that a login will survive
+// network changes, browser restarts (unless they delete cookies), etc, for up
+// to X days without activity.
+// Warning: This reduces the effectiveness of Roundcube's session highjacking
+// mitigation, since a stolen session cookie will be valid for much longer than
+// without this option.
+$config['session_lifetime_extension_days'] = 1;
+
 // Session domain: .example.org
 $config['session_domain'] = '';
 

program/include/rcmail_output_html.php

@@ -2355,6 +2355,18 @@ protected function login_form($attrib)
             'buttons' => [],
         ];
 
+        if ($this->config->session_lifetime_extension_days() > 0) {
+            $session_lifetime_extension_hidden_field = new html_hiddenfield(['name' => '_session_lifetime_extension', 'value' => '0']);
+            $form_content['hidden']['session_lifetime_extension'] = $session_lifetime_extension_hidden_field->show();
+
+            // Make sure the value is in the range 1..365.
+            $session_lifetime_extension_text = str_replace('#', $this->config->session_lifetime_extension_days(), $this->app->gettext('session_lifetime_extension_switch_text'));
+            $session_lifetime_extension_checkbox = new html_checkbox(['name' => '_session_lifetime_extension', 'id' => '_session_lifetime_extension', 'title' => $session_lifetime_extension_text]);
+            $form_content['inputs']['session_lifetime_extension'] = [
+                'content' => html::label(['for' => '_session_lifetime_extension'], [$session_lifetime_extension_checkbox->show(), $session_lifetime_extension_text]),
+            ];
+        }
+
         if (is_array($default_host) && count($default_host) > 1) {
             $input_host = new html_select(['name' => '_host', 'id' => 'rcmloginhost', 'class' => 'custom-select']);
 

program/lib/Roundcube/rcube_config.php

@@ -34,6 +34,7 @@ class rcube_config
     private $userprefs = [];
     private $immutable = [];
     private $client_tz;
+    private $session_lifetime_extension_days;
 
     /**
      * Renamed options
@@ -926,4 +927,18 @@ public static function resolve_timezone_alias($tzname)
 
         return $deprecated_timezones[$tzname] ?? $tzname;
     }
+
+    public function session_lifetime_extension_days(): int
+    {
+        if ($this->session_lifetime_extension_days === null) {
+            $config_value = $this->get('session_lifetime_extension_days', 0);
+            if (is_int($config_value) && $config_value > 0) {
+                // Make sure the value is in the range 1..365.
+                $this->session_lifetime_extension_days = min(max(1, $config_value), 365);
+            } else {
+                $this->session_lifetime_extension_days = 0;
+            }
+        }
+        return $this->session_lifetime_extension_days;
+    }
 }

program/lib/Roundcube/rcube_session.php

@@ -707,6 +707,11 @@ public function check_auth()
             $this->log('IP check failed for ' . $this->key . '; expected ' . $this->ip . '; got ' . rcube_utils::remote_addr());
         }
 
+        // Use the lifetime from the session so the cookie-name matching succeeds.
+        if ($_SESSION['session_lifetime_extension']) {
+            $this->set_lifetime($_SESSION['session_lifetime_extension']);
+        }
+
         if ($result && $this->mkcookie($this->now) != $this->cookie) {
             $this->log('Session auth check failed for ' . $this->key . '; timeslot = ' . date('Y-m-d H:i:s', $this->now));
             $result = false;
@@ -725,6 +730,10 @@ public function check_auth()
         if (!$result) {
             $this->log('Session authentication failed for ' . $this->key
                 . '; invalid auth cookie sent; timeslot = ' . date('Y-m-d H:i:s', $prev));
+        } else {
+            // Re-set the auth- and session-id-cookie, because in case of an extended session lifetime they can have an
+            // expiry date in the browser, which we need to extend.
+            $this->set_auth_cookie();
         }
 
         return $result;
@@ -733,10 +742,20 @@ public function check_auth()
     /**
      * Set session authentication cookie
      */
-    public function set_auth_cookie()
+    public function set_auth_cookie(bool $session_lifetime_extension = false): void
     {
+        if ($session_lifetime_extension === true) {
+            if ($this->config->session_lifetime_extension_days() > 0) {
+                $lifetime_seconds = $this->config->session_lifetime_extension_days() * 24 * 60 * 60;
+                $this->set_lifetime($lifetime_seconds);
+                $_SESSION['session_lifetime_extension'] = $lifetime_seconds;
+                $cookie_expiry = time() + $lifetime_seconds;
+                // Set the sessid-cookie (again) to force/renew its expiration date.
+                rcube_utils::setcookie(ini_get('session.name'), session_id(), $cookie_expiry);
+            }
+        }
         $this->cookie = $this->mkcookie($this->now);
-        rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
+        rcube_utils::setcookie($this->cookiename, $this->cookie, $cookie_expiry ?? 0);
         $_COOKIE[$this->cookiename] = $this->cookie;
     }
 

program/localization/en_US/labels.inc

@@ -21,6 +21,7 @@ $labels['password'] = 'Password';
 $labels['server'] = 'Server';
 $labels['login'] = 'Login';
 $labels['oauthlogin'] = 'Login with $provider';
+$labels['session_lifetime_extension_switch_text'] = 'Remember login for up to # days';
 
 // taskbar
 $labels['menu'] = 'Menu';

public_html/index.php

@@ -123,8 +123,8 @@
         $RCMAIL->session->remove('temp');
         $RCMAIL->session->regenerate_id(false);
 
-        // send auth cookie if necessary
-        $RCMAIL->session->set_auth_cookie();
+        $session_lifetime_extension = rcube_utils::get_input_string('_session_lifetime_extension', rcube_utils::INPUT_POST);
+        $RCMAIL->session->set_auth_cookie($session_lifetime_extension === 'on');
 
         // log successful login
         $RCMAIL->log_login();

skins/elastic/ui.js

@@ -1160,6 +1160,11 @@ function rcube_elastic_ui() {
                     icon_name = input.data('icon'),
                     icon = $('<i>').attr('class', 'input-group-text icon ' + input.attr('name').replace('_', ''));
 
+                // Ignore checkboxes, they are prettified well enough by pretty_checkbox() already.
+                if (input.attr('type') === 'checkbox') {
+                    return;
+                }
+
                 if (icon_name) {
                     icon.addClass(icon_name);
                 }