Keep log of successfull login attempts

- When user logs in create extra line in log
- When same finger print is detected set old sessions as inactive

- Logout via Session expire / logout will set active to no for login session

- Logout via "/logout/" route will clear 2fa cookie only when you logout not switch back to admin account

Author: jaapmarcus

bin/v-log-user-login

@@ -0,0 +1,45 @@
+#!/bin/bash
+# info: add user login
+# options: USER IP [FINGERPRINT]
+
+# Argument definition
+user=$1
+ip=$2
+fingerprint=${3}
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER IP [FINGERPRINT]'
+is_format_valid 'user' 'ip'
+is_object_valid 'user' 'USER' "$user"
+
+browser=$(echo $browser | sed -e "s/\'//g");
+
+# Generating timestamp
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+if [ ! -f $HESTIA/data/users/$user/auth.log ]; then
+    touch  $HESTIA/data/users/$user/auth.log
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+awk -i inplace -v finger="FINGERPRINT='$fingerprint'" -v active="active='no'" '$2 == finger {$5=active}1' $HESTIA/data/users/$user/auth.log   
+
+echo "IP='$ip' FINGERPRINT='$fingerprint' DATE='$date' TIME='$time' active='yes'" >> $HESTIA/data/users/$user/auth.log
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit

bin/v-log-user-logout

@@ -0,0 +1,35 @@
+#!/bin/bash
+# info: Log User logout event
+# options: USER FINGERPRINT
+
+# Argument definition
+user=$1
+fingerprint=$2
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER FINGERPRINT'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+
+if [ ! -f $HESTIA/data/users/$user/auth.log ]; then
+    touch  $HESTIA/data/users/$user/auth.log
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+awk -i inplace -v finger="FINGERPRINT='$fingerprint'" -v active="active='no'" '$2 == finger {$5=active}1' $HESTIA/data/users/$user/auth.log 
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit

web/inc/main.php

@@ -41,6 +41,9 @@
 
 // Checking user to use session from the same IP he has been logged in
 if($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1'){
+    $v_user = escapeshellarg($_SESSION['user']);
+    $v_murmur = escapeshellarg($_SESSION['MURMUR']);
+    exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_murmur, $output, $return_var);
     session_destroy();
     session_start();
     $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
@@ -77,6 +80,9 @@
         session_destroy();
         header("Location: /login/"); 
     }else if ($_SESSION['INACTIVE_SESSION_TIMEOUT'] * 60 + $_SESSION['LAST_ACTIVITY'] < time()) {
+        $v_user = escapeshellarg($_SESSION['user']);
+        $v_murmur = escapeshellarg($_SESSION['MURMUR']);
+        exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_murmur, $output, $return_var);
         session_destroy();
         header("Location: /login/"); 
     }else{

web/login/index.php

@@ -117,13 +117,17 @@ function authenticate_user(){
                 // Define session user
                 $_SESSION['user'] = key($data);
                 $v_user = $_SESSION['user'];
-
+                //log successfull login attempt
+                $v_murmur = escapeshellarg($_POST['murmur']);
+                exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." ".$v_murmur, $output, $return_var);
+                
                 //rename $_SESSION['TWOFA_VALID_LENGTH'] still to be done!
                 if(empty($_COOKIE['limit2fa'] && $_SESSION['TWOFA_VALID_LENGTH'] == 1 && $data[$user]['TWOFA'] != "")){
                     setcookie('limit2fa',password_hash($data[$user]['TWOFA'].$ip.$_POST['murmur'],PASSWORD_BCRYPT),time()+60*60*24,"/");
                 };
                 $_SESSION['LAST_ACTIVITY'] = time();
-                
+                $_SESSION['MURMUR'] = $_POST['murmur'];
+                                
                 // Define language
                 $output = '';
                 exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var);

web/logout/index.php

@@ -1,13 +1,21 @@
 <?php
-
 session_start();
 
+define('HESTIA_CMD', '/usr/bin/sudo /usr/local/hestia/bin/');
+
 if (!empty($_SESSION['look'])) {
     unset($_SESSION['look']);
 } else {
+    if($_SESSION['MURMUR'] && $_SESSION['user']){
+        $v_user = escapeshellarg($_SESSION['user']);
+        $v_murmur = escapeshellarg($_SESSION['MURMUR']);
+        exec(HESTIA_CMD."v-log-user-logout ".$v_user." ".$v_murmur, $output, $return_var);
+    }
+    
     session_destroy();
+    setcookie('limit2fa','',time() - 3600,"/");
 }
-setcookie('limit2fa','',time() - 3600,"/");
+
 header("Location: /login/");
 exit;
 ?>