API Add option to disable user-agent header session validation

This commit is contained in:
Maxime Rainville 2019-08-06 22:00:01 +12:00
parent 4268db069d
commit 4380d7d155
3 changed files with 47 additions and 2 deletions


@ -110,6 +110,19 @@ SilverStripe\Control\Session:
This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions. This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions.
## Relaxing checks around user agent strings
Out of the box, SilverStripe will invalidate a user's session if the `User-Agent` header changes. This provides some supplemental protection against session high-jacking attacks.
It is possible to disable the user agent header session validation. However, it is not recommended.
To disable the user agent session check, add the following code snippet to your project's YML configuration.
```yml
SilverStripe\Control\Session:
strict_user_agent_check: false
```
## API Documentation ## API Documentation


@ -144,6 +144,14 @@ class Session
*/ */
private static $sessionCacheLimiter = ''; private static $sessionCacheLimiter = '';
/**
* Invalidate the session if user agent header changes between request. Defaults to true. Disabling this checks is
* not recommended.
* @var bool
* @config
*/
private static $strict_user_agent_check = true;
/** /**
* Session data. * Session data.
* Will be null if session has not been started * Will be null if session has not been started
@ -223,7 +231,7 @@ class Session
} }
// Funny business detected! // Funny business detected!
if (isset($this->data['HTTP_USER_AGENT'])) { if (self::config()->get('strict_user_agent_check') && isset($this->data['HTTP_USER_AGENT'])) {
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) { if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
$this->clearAll(); $this->clearAll();
$this->destroy(); $this->destroy();
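Review bot: The new `$strict_user_agent_check` property breaks the camelCase naming of its sibling `$sessionCacheLimiter` directly above it; since the key is read by name from YAML the snake_case is presumably deliberate, but a one-line comment saying so would stop the next reader from "fixing" it. The docblock also needs a wording pass, for example `* Invalidate the session if the User-Agent header changes between requests. Defaults to true.` followed by `* Disabling this check weakens protection against session hijacking and is not recommended.`. In the second hunk the condition re-reads config inline; pulling it into a local, `$strictUserAgent = (bool) self::config()->get('strict_user_agent_check');`, keeps the `if` readable and makes the boolean cast explicit in case the configured value arrives as a string. The method containing that condition starts and ends outside the hunk.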


@ -285,7 +285,31 @@ class SessionTest extends SapphireTest
// Verify the new session reset our values // Verify the new session reset our values
$s2 = new Session($s); $s2 = new Session($s);
$s2->init($req2); $s2->init($req2);
$this->assertNotEquals($s2->get('val'), 123); $this->assertEmpty($s2->get('val'));
}
public function testDisabledUserAgentLockout()
{
Session::config()->set('strict_user_agent_check', false);
// Set a user agent
$req1 = new HTTPRequest('GET', '/');
$req1->addHeader('User-Agent', 'Test Agent');
// Generate our session
$s = new Session([]);
$s->init($req1);
$s->set('val', 123);
$s->finalize($req1);
// Change our UA
$req2 = new HTTPRequest('GET', '/');
$req2->addHeader('User-Agent', 'Fake Agent');
// Verify the new session reset our values
$s2 = new Session($s);
$s2->init($req2);
$this->assertEquals($s2->get('val'), 123);
} }
public function testSave() public function testSave()
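Review bot: In `testDisabledUserAgentLockout` the final assertion passes expected and actual in the wrong order, and the comment above it contradicts what is being checked: the value is expected to survive the User-Agent change, not be reset. Replace the two lines with `// Verify the session survived the User-Agent change because the strict check is disabled` and `$this->assertSame(123, $s2->get('val'));`; `assertSame` also rejects a loosely-equal `'123'` string coming back from the session. The `Session::config()->set(...)` call presumably relies on SapphireTest resetting config between tests; if it does not, the test should restore the default so later tests still exercise the lockout path. The enclosing test class continues past the hunk's last line.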