From 2d30394150ff93c03d3326dcff486084c98b4c79 Mon Sep 17 00:00:00 2001 From: Michael Kaufmann Date: Fri, 11 Aug 2023 12:09:23 +0200 Subject: [PATCH] correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters Signed-off-by: Michael Kaufmann --- admin_admins.php | 1 + admin_customers.php | 1 + admin_index.php | 1 + index.php | 19 ++++++++++++------- lib/Froxlor/UI/Panel/UI.php | 3 ++- lib/init.php | 15 ++++++++------- 6 files changed, 25 insertions(+), 15 deletions(-) diff --git a/admin_admins.php b/admin_admins.php index 13b38bab..98a522f2 100644 --- a/admin_admins.php +++ b/admin_admins.php @@ -77,6 +77,7 @@ if (($page == 'admins' || $page == 'overview') && $userinfo['change_serversettin $result['switched_user'] = CurrentUser::getData(); $result['adminsession'] = 1; $result['userid'] = $result['adminid']; + session_regenerate_id(true); CurrentUser::setData($result); $log->logAction( diff --git a/admin_customers.php b/admin_customers.php index 4a403a79..72062cca 100644 --- a/admin_customers.php +++ b/admin_customers.php @@ -93,6 +93,7 @@ if (($page == 'customers' || $page == 'overview') && $userinfo['customers'] != ' $result['switched_user'] = CurrentUser::getData(); $result['adminsession'] = 0; $result['userid'] = $result['customerid']; + session_regenerate_id(true); CurrentUser::setData($result); $log->logAction(FroxlorLogger::ADM_ACTION, LOG_INFO, "switched user and is now '" . $destination_user . "'"); diff --git a/admin_index.php b/admin_index.php index f5479e4e..adb9b70b 100644 --- a/admin_index.php +++ b/admin_index.php @@ -53,6 +53,7 @@ if ($action == 'logout') { if (is_array(CurrentUser::getField('switched_user'))) { $result = CurrentUser::getData(); $result = $result['switched_user']; + session_regenerate_id(true); CurrentUser::setData($result); $target = (isset($_GET['target']) ? $_GET['target'] : 'index'); $redirect = "admin_" . $target . ".php"; 
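Review bot: The return value of the added `session_regenerate_id(true)` is discarded, so if regeneration fails (it returns false and warns when no session is active or output has already started) the user switch still proceeds on the old session id; the same applies to the identical lines in admin_customers.php, admin_index.php and index.php's finishLogin(). For a privilege-context change it is safer to fail closed, e.g. `if (!session_regenerate_id(true)) { throw new \RuntimeException('could not regenerate session id'); }` placed before CurrentUser::setData($result). A one-line comment is also worth adding that `true` deletes the old session data immediately, which the PHP manual notes can drop a concurrent request that still carries the old id. The enclosing if-block starts before this hunk.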
diff --git a/index.php b/index.php index faa69323..4370b767 100644 --- a/index.php +++ b/index.php @@ -40,7 +40,6 @@ use Froxlor\UI\Panel\UI; use Froxlor\UI\Response; use Froxlor\User; use Froxlor\Validate\Validate; -use Froxlor\Language; if ($action == '') { $action = 'login'; @@ -433,8 +432,13 @@ if ($action == '2fa_entercode') { if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") { $lastqrystr = urlencode($_REQUEST['qrystr']); } - $_SESSION['lastscript'] = $lastscript; - $_SESSION['lastqrystr'] = $lastqrystr; + + if (!empty($lastscript)) { + $_SESSION['lastscript'] = $lastscript; + } + if (!empty($lastqrystr)) { + $_SESSION['lastqrystr'] = $lastqrystr; + } UI::view('login/login.html.twig', [ 'pagetitle' => 'Login', @@ -633,7 +637,7 @@ if ($action == 'forgotpwd') { UI::view('login/fpwd.html.twig', [ 'pagetitle' => lng('login.presend'), - 'formaction' => 'index.php?action='.$action, + 'formaction' => 'index.php?action=' . $action, 'message' => $message, ]); } @@ -733,6 +737,7 @@ if ($action == 'resetpwd') { function finishLogin($userinfo) { if (isset($userinfo['userid']) && $userinfo['userid'] != '') { + session_regenerate_id(true); CurrentUser::setData($userinfo); $language = $userinfo['def_language'] ?? Settings::Get('panel.standardlanguage'); @@ -746,7 +751,7 @@ function finishLogin($userinfo) } $qryparams = []; - if (isset($_SESSION['lastqrystr']) && !empty($_SESSION['lastqrystr'])) { + if (!empty($_SESSION['lastqrystr'])) { parse_str(urldecode($_SESSION['lastqrystr']), $qryparams); unset($_SESSION['lastqrystr']); } @@ -755,7 +760,7 @@ function finishLogin($userinfo) if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) { Response::redirectTo('admin_updates.php?page=overview'); } else { - if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) { + if (!empty($_SESSION['lastscript'])) { $lastscript = $_SESSION['lastscript']; unset($_SESSION['lastscript']); if (preg_match("/customer\_/", $lastscript) === 1) { 
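Review bot: The new `!empty()` guards stop a plain login-page request from overwriting the lastscript/lastqrystr that lib/init.php now writes straight into the session, but the context line just above them still reads `$_REQUEST['qrystr']` (and presumably a matching `$_REQUEST['script']` read sits just before the hunk), so both values can still be supplied by the request even though nothing in the codebase sends those parameters any more. Since the commit's stated goal is to remove the URL parameters, dropping these request reads so that `$_SESSION['lastscript']`/`['lastqrystr']` are only ever set server-side would finish the job; if they must stay, a comment explaining why is needed. Note that `!empty()` also skips the string `'0'`, which differs from the old unconditional assignment but is harmless here. The surrounding `if ($action == ...)` block starts before this hunk.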
@@ -770,7 +775,7 @@ function finishLogin($userinfo) } } } else { - if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) { + if (!empty($_SESSION['lastscript'])) { $lastscript = $_SESSION['lastscript']; unset($_SESSION['lastscript']); Response::redirectTo($lastscript, $qryparams); diff --git a/lib/Froxlor/UI/Panel/UI.php b/lib/Froxlor/UI/Panel/UI.php index 7440d70b..97e20028 100644 --- a/lib/Froxlor/UI/Panel/UI.php +++ b/lib/Froxlor/UI/Panel/UI.php @@ -290,7 +290,8 @@ class UI ]; } - public static function validateThemeTemplate(string $name, string $theme = "") { + public static function validateThemeTemplate(string $name, string $theme = "") + { if (empty(trim($theme))) { $theme = self::getTheme(); } diff --git a/lib/init.php b/lib/init.php index 254d0726..7835ef56 100644 --- a/lib/init.php +++ b/lib/init.php @@ -181,8 +181,10 @@ if (@file_exists('templates/' . $theme . '/config.json')) { } // check for existence of variant in theme -if (is_array($_themeoptions) && (!array_key_exists('variants', $_themeoptions) || !array_key_exists($themevariant, - $_themeoptions['variants']))) { +if (is_array($_themeoptions) && (!array_key_exists('variants', $_themeoptions) || !array_key_exists( + $themevariant, + $_themeoptions['variants'] +))) { $themevariant = "default"; } @@ -216,12 +218,11 @@ UI::twig()->addGlobal('header_logo', $header_logo); if (!CurrentUser::hasSession() && AREA != 'login') { unset($_SESSION['userinfo']); CurrentUser::setData(); - session_destroy(); - $params = [ - "script" => basename($_SERVER["SCRIPT_NAME"]), - "qrystr" => $_SERVER["QUERY_STRING"] + $_SESSION = [ + "lastscript" => basename($_SERVER["SCRIPT_NAME"]), + "lastqrystr" => $_SERVER["QUERY_STRING"] ]; - Response::redirectTo('index.php', $params); + Response::redirectTo('index.php'); exit(); }
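Review bot: `lastqrystr` is now stored as the raw `$_SERVER["QUERY_STRING"]`, but its consumer in index.php's finishLogin() (context in the -746 hunk above) still runs `parse_str(urldecode($_SESSION['lastqrystr']), $qryparams)`, which matches the `urlencode()`d value index.php itself stores; a raw query string is therefore decoded twice, so a value containing `%2B` comes back as a space and `%26` splits into an extra parameter. Either store it encoded to match, `"lastqrystr" => urlencode($_SERVER["QUERY_STRING"])`, or remove the `urldecode()` in finishLogin for both producers. Separately, `$_SESSION = [...]` replaces the whole session array, which makes the preceding `unset($_SESSION['userinfo'])` redundant unless CurrentUser::setData() has effects beyond `$_SESSION`; a short comment that the session is intentionally kept alive (no `session_destroy()`) because finishLogin's `session_regenerate_id(true)` rotates the id at login would help the next reader.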