API Add option to disable user-agent header session validation
This commit is contained in:
parent
4268db069d
commit
4380d7d155
@ -110,6 +110,19 @@ SilverStripe\Control\Session:
|
|||||||
|
|
||||||
This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions.
|
This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions.
|
||||||
|
|
||||||
|
## Relaxing checks around user agent strings
|
||||||
|
|
||||||
|
Out of the box, SilverStripe will invalidate a user's session if the `User-Agent` header changes. This provides some supplemental protection against session high-jacking attacks.
|
||||||
|
|
||||||
|
It is possible to disable the user agent header session validation. However, it is not recommended.
|
||||||
|
|
||||||
|
To disable the user agent session check, add the following code snippet to your project's YML configuration.
|
||||||
|
|
||||||
|
```yml
|
||||||
|
SilverStripe\Control\Session:
|
||||||
|
strict_user_agent_check: false
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## API Documentation
|
## API Documentation
|
||||||
|
|
||||||
|
@ -144,6 +144,14 @@ class Session
|
|||||||
*/
|
*/
|
||||||
private static $sessionCacheLimiter = '';
|
private static $sessionCacheLimiter = '';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Invalidate the session if user agent header changes between request. Defaults to true. Disabling this checks is
|
||||||
|
* not recommended.
|
||||||
|
* @var bool
|
||||||
|
* @config
|
||||||
|
*/
|
||||||
|
private static $strict_user_agent_check = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Session data.
|
* Session data.
|
||||||
* Will be null if session has not been started
|
* Will be null if session has not been started
|
||||||
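Review bot: The docblock on the new `$strict_user_agent_check` property has two wording slips — "between request" should read "between requests" and "Disabling this checks is" should read "Disabling this check is" — and it never says what the check is for, which the accompanying documentation hunk does. Suggest `* Invalidate the session if the User-Agent header changes between requests; this is a supplemental` / `* defence against session hijacking. Defaults to true. Disabling this check is not recommended.` in place of the first two lines. Since the value is consumed by `self::config()->get('strict_user_agent_check')` in the `@ -223,7 +231,7 @@` hunk, a one-line mention that any non-true value disables the check would spare readers a trip to that method; the enclosing class continues outside both hunks.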
@ -223,7 +231,7 @@ class Session
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Funny business detected!
|
// Funny business detected!
|
||||||
if (isset($this->data['HTTP_USER_AGENT'])) {
|
if (self::config()->get('strict_user_agent_check') && isset($this->data['HTTP_USER_AGENT'])) {
|
||||||
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
|
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
|
||||||
$this->clearAll();
|
$this->clearAll();
|
||||||
$this->destroy();
|
$this->destroy();
|
||||||
|
@ -285,7 +285,31 @@ class SessionTest extends SapphireTest
|
|||||||
// Verify the new session reset our values
|
// Verify the new session reset our values
|
||||||
$s2 = new Session($s);
|
$s2 = new Session($s);
|
||||||
$s2->init($req2);
|
$s2->init($req2);
|
||||||
$this->assertNotEquals($s2->get('val'), 123);
|
$this->assertEmpty($s2->get('val'));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testDisabledUserAgentLockout()
|
||||||
|
{
|
||||||
|
Session::config()->set('strict_user_agent_check', false);
|
||||||
|
|
||||||
|
// Set a user agent
|
||||||
|
$req1 = new HTTPRequest('GET', '/');
|
||||||
|
$req1->addHeader('User-Agent', 'Test Agent');
|
||||||
|
|
||||||
|
// Generate our session
|
||||||
|
$s = new Session([]);
|
||||||
|
$s->init($req1);
|
||||||
|
$s->set('val', 123);
|
||||||
|
$s->finalize($req1);
|
||||||
|
|
||||||
|
// Change our UA
|
||||||
|
$req2 = new HTTPRequest('GET', '/');
|
||||||
|
$req2->addHeader('User-Agent', 'Fake Agent');
|
||||||
|
|
||||||
|
// Verify the new session reset our values
|
||||||
|
$s2 = new Session($s);
|
||||||
|
$s2->init($req2);
|
||||||
|
$this->assertEquals($s2->get('val'), 123);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testSave()
|
public function testSave()
|
||||||
|
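Review bot: The final assertion in `testDisabledUserAgentLockout` passes the actual value first, so a failure would report expected/actual backwards; change it to `$this->assertEquals(123, $s2->get('val'));`. The test also sets `strict_user_agent_check` to `false` without restoring it, which is fine if SapphireTest isolates config per test (it appears to, but that is not visible here) and would otherwise leave the check disabled for the tests that follow. The replacement `assertEmpty($s2->get('val'))` in the existing test is looser than needed if a destroyed session returns `null`; `assertNull` would pin that more precisely, assuming `get()` does return `null` there. The enclosing class continues outside the hunk.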