From cee1faf0827a2c82ea49339f65c8a42cff2d1b5d Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 15 Jan 2022 20:54:56 +0000
Subject: [PATCH] Add extension key cookie to login. Add support for storing the php session id in DB so we can access it (without passing the session ID over a cross-domain query).
---
 login.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/login.php b/login.php
index 514def06..f0abe294 100644
--- a/login.php
+++ b/login.php
@@ -45,13 +45,24 @@ if(isset($_POST['login'])){
 $user_name = $row['user_name'];
 $user_id = $row['user_id'];
- //Setup encryption session key
+ // Setup encryption session key
 if(isset($row['user_specific_encryption_ciphertext'])){
 $user_encryption_ciphertext = $row['user_specific_encryption_ciphertext'];
 $site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
 generateUserSessionKey($site_encryption_master_key);
 }
+ // Setup extension
+ if(isset($row['user_extension_key']) && !empty($row['user_extension_key'])){
+ // Extension cookie
+ setcookie("user_extension_key", "$row[user_extension_key]", ['path' => '/','secure' => true,'httponly' => true,'samesite' => 'None']);
+
+ // Set PHP session in DB so we can access the session encryption data (above)
+ $user_php_session = session_id();
+ mysqli_query($mysqli, "UPDATE users SET user_php_session = '$user_php_session' WHERE user_id = '$user_id'");
+
+ }
+
 if(empty($token)){
 $_SESSION['logged'] = TRUE;
 mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id");
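Review bot: The added `UPDATE users SET user_php_session = ...` stores the live `session_id()` in the users table in plaintext and builds the statement by string interpolation, so read access to that table (a backup, a DB account, an injection elsewhere) exposes a value that identifies the authenticated session and, per the comment, the session encryption data behind it. Bind the values instead, e.g. `$stmt = mysqli_prepare($mysqli, "UPDATE users SET user_php_session = ? WHERE user_id = ?"); mysqli_stmt_bind_param($stmt, "si", $user_php_session, $user_id); mysqli_stmt_execute($stmt);`, and confirm the ID is regenerated at login (`session_regenerate_id(true)`) before it is stored, since no regeneration is visible in this hunk. The cookie and the DB write also run before the `if(empty($token))` branch; if `$token` is the second-factor check, as it appears to be, a login that passes the password step but has not completed that step still receives `user_extension_key` with `SameSite=None`, so this block probably belongs after the login is fully accepted. The enclosing `if(isset($_POST['login']))` block starts and ends outside the hunk.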