OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Middleware/AuthMiddleware.php:38-45

Bug: Ban and 2FA enforcement can be delayed up to 60s after state change.

Fix: Keep cache for session-row + idle-timeout, but always run lightweight ban/suspension query.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:43pm

Resolved.

AuthMiddleware now runs a cheap ban/suspension check on the 60-second-cache fast path (src/Middleware/AuthMiddleware.php). A user whose role drops to 1 (banned) or whose suspended_until passes is kicked out on their next request, not up to 60 seconds later.

The heavy session-row / idle-timeout / 2FA-enforcement work still benefits from the 60-second cache; only the lightweight state query runs on every request. Net cost: one extra indexed SELECT per page for signed-in users.

Locking this thread.
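The two-tier check the reply describes, as an added PHP illustration that is not the site's own AuthMiddleware: the heavy session/idle-timeout/2FA work is cached for 60 seconds per session, while a cheap account-state lookup runs on every request. It assumes `role` 1 means banned (as stated above), that a user is suspended while `suspended_until` lies in the future, and injects data access as closures so it runs without a database.

```php
<?php
declare(strict_types=1);

// Added illustration of the two-tier check from the thread, not the site's own
// middleware. Data access is injected as closures so the class runs without a DB.
final class AuthMiddleware
{
    private const CACHE_TTL = 60;
    /** @var array<string, array{userId:int, expires:int}> keyed by session id */
    private array $cache = [];

    public function __construct(
        private Closure $fullSessionCheck, // fn(string $sid): ?int   heavy: session row, idle timeout, 2FA
        private Closure $loadAccountState, // fn(int $uid): ?array    cheap indexed SELECT of role, suspended_until
        private Closure $now,              // fn(): int               current UNIX time
    ) {}

    /** Returns the signed-in user id for this request, or null to reject it. */
    public function authenticate(string $sessionId): ?int
    {
        $now = ($this->now)();
        $entry = $this->cache[$sessionId] ?? null;
        if ($entry === null || $entry['expires'] <= $now) {
            // Slow path, at most once per CACHE_TTL seconds.
            $userId = ($this->fullSessionCheck)($sessionId);
            if ($userId === null) {
                unset($this->cache[$sessionId]);
                return null;
            }
            $entry = $this->cache[$sessionId] = ['userId' => $userId, 'expires' => $now + self::CACHE_TTL];
        }
        // Fast path, on every request: ban/suspension state is never served from the cache.
        if (!$this->accountActive($entry['userId'], $now)) {
            unset($this->cache[$sessionId]); // next request must pass the full check again
            return null;
        }
        return $entry['userId'];
    }

    private function accountActive(int $userId, int $now): bool
    {
        $s = ($this->loadAccountState)($userId);
        // Reject a missing row, role 1 (banned, per the thread) or an active suspension.
        return $s !== null
            && (int) $s['role'] !== 1
            && ($s['suspended_until'] === null || (int) $s['suspended_until'] <= $now);
    }
}
```

Wire `$loadAccountState` to a prepared `SELECT role, suspended_until FROM users WHERE id = ?` and `$fullSessionCheck` to the existing session validation; a role change or suspension then takes effect on the very next request while the cache still absorbs the expensive work.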

