Extended session lifetime

config/defaults.inc.php

@@ -646,6 +646,15 @@
 // Session lifetime in minutes
 $config['session_lifetime'] = 10;
 
+// Allow users to extend their session lifetime to up to X days by checking a
+// checkbox at the login. Practically this means that a login will survive
+// network changes, browser restarts (unless they delete cookies), etc, for up
+// to X days without activity.
+// Warning: This reduces the effectiveness of Roundcube's session highjacking
+// mitigation, since a stolen session cookie will be valid for much longer than
+// without this option.
+$config['session_lifetime_extension_days'] = 1;
+
 // Session domain: .example.org
 $config['session_domain'] = '';
 

program/include/rcmail_output_html.php

@@ -2355,6 +2355,18 @@ protected function login_form($attrib)
             'buttons' => [],
         ];
 
+        if ($this->config->session_lifetime_extension_days() > 0) {
+            $session_lifetime_extension_hidden_field = new html_hiddenfield(['name' => '_session_lifetime_extension', 'value' => '0']);
+            $form_content['hidden']['session_lifetime_extension'] = $session_lifetime_extension_hidden_field->show();
+
+            // Make sure the value is in the range 1..365.
+            $session_lifetime_extension_text = str_replace('#', $this->config->session_lifetime_extension_days(), $this->app->gettext('session_lifetime_extension_switch_text'));
+            $session_lifetime_extension_checkbox = new html_checkbox(['name' => '_session_lifetime_extension', 'id' => '_session_lifetime_extension', 'title' => $session_lifetime_extension_text]);
+            $form_content['inputs']['session_lifetime_extension'] = [
+                'content' => html::label(['for' => '_session_lifetime_extension'], [$session_lifetime_extension_checkbox->show(), $session_lifetime_extension_text]),
+            ];
+        }
+
         if (is_array($default_host) && count($default_host) > 1) {
             $input_host = new html_select(['name' => '_host', 'id' => 'rcmloginhost', 'class' => 'custom-select']);
 

program/lib/Roundcube/rcube_config.php

@@ -34,6 +34,7 @@ class rcube_config
     private $userprefs = [];
     private $immutable = [];
     private $client_tz;
+    private $session_lifetime_extension_days;
 
     /**
      * Renamed options
@@ -926,4 +927,18 @@ public static function resolve_timezone_alias($tzname)
 
         return $deprecated_timezones[$tzname] ?? $tzname;
     }
+
+    public function session_lifetime_extension_days(): int
+    {
+        if ($this->session_lifetime_extension_days === null) {
+            $config_value = $this->get('session_lifetime_extension_days', 0);
+            if (is_int($config_value) && $config_value > 0) {
+                // Make sure the value is in the range 1..365.
+                $this->session_lifetime_extension_days = min(max(1, $config_value), 365);
+            } else {
+                $this->session_lifetime_extension_days = 0;
+            }
+        }
+        return $this->session_lifetime_extension_days;
+    }
 }

program/lib/Roundcube/rcube_session.php

@@ -707,6 +707,11 @@ public function check_auth()
             $this->log('IP check failed for ' . $this->key . '; expected ' . $this->ip . '; got ' . rcube_utils::remote_addr());
         }
 
+        // Use the lifetime from the session so the cookie-name matching succeeds.
+        if ($_SESSION['session_lifetime_extension']) {
+            $this->set_lifetime($_SESSION['session_lifetime_extension']);
+        }
+
         if ($result && $this->mkcookie($this->now) != $this->cookie) {
             $this->log('Session auth check failed for ' . $this->key . '; timeslot = ' . date('Y-m-d H:i:s', $this->now));
             $result = false;
@@ -725,6 +730,10 @@ public function check_auth()
         if (!$result) {
             $this->log('Session authentication failed for ' . $this->key
                 . '; invalid auth cookie sent; timeslot = ' . date('Y-m-d H:i:s', $prev));
+        } else {
+            // Re-set the auth- and session-id-cookie, because in case of an extended session lifetime they can have an
+            // expiry date in the browser, which we need to extend.
+            $this->set_auth_cookie();
         }
 
         return $result;
@@ -733,10 +742,20 @@ public function check_auth()
     /**
      * Set session authentication cookie
      */
-    public function set_auth_cookie()
+    public function set_auth_cookie(bool $session_lifetime_extension = false): void
     {
+        if ($session_lifetime_extension === true) {
+            if ($this->config->session_lifetime_extension_days() > 0) {
+                $lifetime_seconds = $this->config->session_lifetime_extension_days() * 24 * 60 * 60;
+                $this->set_lifetime($lifetime_seconds);
+                $_SESSION['session_lifetime_extension'] = $lifetime_seconds;
+                $cookie_expiry = time() + $lifetime_seconds;
+                // Set the sessid-cookie (again) to force/renew its expiration date.
+                rcube_utils::setcookie(ini_get('session.name'), session_id(), $cookie_expiry);
+            }
+        }
         $this->cookie = $this->mkcookie($this->now);
-        rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
+        rcube_utils::setcookie($this->cookiename, $this->cookie, $cookie_expiry ?? 0);
         $_COOKIE[$this->cookiename] = $this->cookie;
     }
 

program/localization/en_US/labels.inc

@@ -21,6 +21,7 @@ $labels['password'] = 'Password';
 $labels['server'] = 'Server';
 $labels['login'] = 'Login';
 $labels['oauthlogin'] = 'Login with $provider';
+$labels['session_lifetime_extension_switch_text'] = 'Remember login for up to # days';
 
 // taskbar
 $labels['menu'] = 'Menu';

public_html/index.php

@@ -123,8 +123,8 @@
         $RCMAIL->session->remove('temp');
         $RCMAIL->session->regenerate_id(false);
 
-        // send auth cookie if necessary
-        $RCMAIL->session->set_auth_cookie();
+        $session_lifetime_extension = rcube_utils::get_input_string('_session_lifetime_extension', rcube_utils::INPUT_POST);
+        $RCMAIL->session->set_auth_cookie($session_lifetime_extension === 'on');
 
         // log successful login
         $RCMAIL->log_login();

skins/elastic/ui.js

@@ -1160,6 +1160,11 @@ function rcube_elastic_ui() {
                     icon_name = input.data('icon'),
                     icon = $('<i>').attr('class', 'input-group-text icon ' + input.attr('name').replace('_', ''));
 
+                // Ignore checkboxes, they are prettified well enough by pretty_checkbox() already.
+                if (input.attr('type') === 'checkbox') {
+                    return;
+                }
+
                 if (icon_name) {
                     icon.addClass(icon_name);
                 }