Fix DEV_MODE bypass to work when SESS_REMOTE_UA not set

Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>
Add isset check for DEV_MODE to prevent undefined index
2026-02-17 14:53:56 +00:00 · 2025-12-12 16:36:32 +00:00 · 2025-12-12 16:30:39 +00:00 · 2025-12-12 16:23:16 +00:00 · 2025-12-12 16:14:09 +00:00 · 2025-12-12 16:12:37 +00:00
4 changed files with 17 additions and 0 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -3397,6 +3397,8 @@ function set_user_loggedin_session($user) {
  session_regenerate_id(true);
  $_SESSION['mailcow_cc_username'] = $user;
  $_SESSION['mailcow_cc_role'] = 'user';
+  // Update User-Agent after session regeneration to prevent validation errors
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
  $sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
  $_SESSION['sogo-sso-user-allowed'][] = $user;
  $_SESSION['sogo-sso-pass'] = $sogo_sso_pass;
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -43,6 +43,9 @@ if (!isset($_SESSION['SESS_REMOTE_UA'])) {
 if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > $SESSION_LIFETIME)) {
  session_unset();
  session_destroy();
+  session_start();
+  // After destroying session, we need to reset the User-Agent for the new session
+  $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 }
 $_SESSION['LAST_ACTIVITY'] = time();

@@ -134,6 +137,12 @@ function session_check() {
    return true;
  }
  if (!isset($_SESSION['SESS_REMOTE_UA']) || ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT'])) {
+    // In development mode, allow User-Agent changes (e.g., for responsive testing in dev tools)
+    // Validate UA is not empty and has reasonable length (most UAs are under 200 chars, 500 is safe upper limit)
+    if (isset($GLOBALS['DEV_MODE']) && $GLOBALS['DEV_MODE'] && !empty($_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT']) < 500) {
+      $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
+      return true;
+    }
    $_SESSION['return'][] = array(
      'type' => 'warning',
      'msg' => 'session_ua'
--- a/data/web/inc/triggers.admin.inc.php
+++ b/data/web/inc/triggers.admin.inc.php
@@ -50,6 +50,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "admin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /admin/dashboard");
    die();
 	}
--- a/data/web/inc/triggers.domainadmin.inc.php
+++ b/data/web/inc/triggers.domainadmin.inc.php
@@ -7,6 +7,8 @@ if (!empty($_GET['sso_token'])) {
    session_regenerate_id(true);
    $_SESSION['mailcow_cc_username'] = $username;
    $_SESSION['mailcow_cc_role'] = 'domainadmin';
+    // Update User-Agent after session regeneration to prevent validation errors
+    $_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
    header('Location: /domainadmin/mailbox');
  }
 }
@@ -61,6 +63,8 @@ if (isset($_POST["login_user"]) && isset($_POST["pass_user"])) {
    session_regenerate_id(true);
 		$_SESSION['mailcow_cc_username'] = $login_user;
 		$_SESSION['mailcow_cc_role'] = "domainadmin";
+		// Update User-Agent after session regeneration to prevent validation errors
+		$_SESSION['SESS_REMOTE_UA'] = $_SERVER['HTTP_USER_AGENT'];
 		header("Location: /domainadmin/mailbox");
    die();
 	}
Author	SHA1	Message	Date
copilot-swe-agent[bot]	64fe2e6d0d	Fix DEV_MODE bypass to work when SESS_REMOTE_UA not set Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:36:32 +00:00
copilot-swe-agent[bot]	f01ada9377	Add isset check for DEV_MODE to prevent undefined index Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:30:39 +00:00
copilot-swe-agent[bot]	ae6420dc80	Fix DEV_MODE access using $GLOBALS instead of global keyword Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:23:16 +00:00
copilot-swe-agent[bot]	a1b0004be9	Add comment explaining User-Agent length validation Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:14:09 +00:00
copilot-swe-agent[bot]	88376566f9	Add validation for User-Agent in DEV_MODE bypass Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:12:37 +00:00
copilot-swe-agent[bot]	89b4676641	Allow User-Agent changes in DEV_MODE for responsive testing Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 16:11:05 +00:00
copilot-swe-agent[bot]	a710b0e580	Fix line ending issue in functions.inc.php - preserve CRLF Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 15:59:55 +00:00
copilot-swe-agent[bot]	b3e6891802	Fix session handling - explicitly start session after destroy Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 15:53:53 +00:00
copilot-swe-agent[bot]	19225b223c	Fix User-Agent validation error after session expiry and regeneration Co-authored-by: DerLinkman <62480600+DerLinkman@users.noreply.github.com>	2025-12-12 15:51:56 +00:00
copilot-swe-agent[bot]	3e5a58be8f	Initial plan	2025-12-12 15:45:29 +00:00