Further session protections and fixes

Use MaxAge instead of Expires Verify if the cookie is not too old and not from the future Verify if the user exists and unchanged Refresh not sooner than 24h Do not refresh temporary sessions Delete cookies on logout
2025-07-23 19:42:57 +03:00 · 2023-12-28 16:20:13 +05:00 · 2023-12-28 16:20:13 +05:00 · bee5c54127
commit bee5c54127
parent 91427427f2
5 changed files with 156 additions and 7 deletions
--- a/util/cache.go
+++ b/util/cache.go
@ -5,3 +5,4 @@ import "sync"
 var IPToSubnetRange = map[string]uint16{}
 var TgUseridToClientID = map[int64][]string{}
 var TgUseridToClientIDMutex sync.RWMutex
+var DBUsersToCRC32 = map[string]uint32{}
--- a/util/util.go
+++ b/util/util.go
@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"hash/crc32"
 	"io"
 	"io/fs"
 	"math/rand"
@ -827,3 +828,29 @@ func filterStringSlice(s []string, excludedStr string) []string {
 	}
 	return filtered
 }
+
+func GetDBUserCRC32(dbuser model.User) uint32 {
+	var isAdmin byte = 0
+	if dbuser.Admin {
+		isAdmin = 1
+	}
+	return crc32.ChecksumIEEE(ConcatMultipleSlices([]byte(dbuser.Username), []byte{isAdmin}, []byte(dbuser.PasswordHash), []byte(dbuser.Password)))
+}
+
+func ConcatMultipleSlices(slices ...[]byte) []byte {
+	var totalLen int
+
+	for _, s := range slices {
+		totalLen += len(s)
+	}
+
+	result := make([]byte, totalLen)
+
+	var i int
+
+	for _, s := range slices {
+		i += copy(result[i:], s)
+	}
+
+	return result
+}