tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Fixes #1892 - Stop session hijacking with UA check

Browse Source
This commit is contained in:
Stephen Shkardoon 2013-05-25 18:49:59 +12:00
parent 72fd984bf6
commit d6c2c2e07f
2 changed files with 48 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
control/Session.php
View File

@ -137,6 +137,24 @@ class Session {
if($data instanceof Session) $data = $data->inst_getAll(); if($data instanceof Session) $data = $data->inst_getAll();
$this->data = $data; $this->data = $data;
if (isset($_SERVER['HTTP_USER_AGENT'])) {
$ua = $_SERVER['HTTP_USER_AGENT'];
} else {
$ua = '';
}
if (isset($this->data['HTTP_USER_AGENT'])) {
if ($this->data['HTTP_USER_AGENT'] != $ua) {
// Funny business detected!
$this->inst_clearAll();
Session::destroy();
Session::start();
}
}
$this->inst_set('HTTP_USER_AGENT', $ua);
} }
/** /**

33
tests/control/SessionTest.php
View File

@ -41,6 +41,7 @@ class SessionTest extends SapphireTest {
Session::set('Test-2', 'Test-2'); Session::set('Test-2', 'Test-2');
$session = Session::get_all(); $session = Session::get_all();
unset($session['HTTP_USER_AGENT']);
$this->assertEquals($session, array('Test' => 'Test', 'Test-2' => 'Test-2')); $this->assertEquals($session, array('Test' => 'Test', 'Test-2' => 'Test-2'));
} }
@ -49,7 +50,9 @@ class SessionTest extends SapphireTest {
$s = new Session(array('something' => array('does' => 'exist'))); $s = new Session(array('something' => array('does' => 'exist')));
$s->inst_set('something.does', 'exist'); $s->inst_set('something.does', 'exist');
$this->assertEquals(array(), $s->inst_changedData()); $result = $s->inst_changedData();
unset($result['HTTP_USER_AGENT']);
$this->assertEquals(array(), $result);
} }
/** /**
@ -59,11 +62,15 @@ class SessionTest extends SapphireTest {
$s = new Session(array('something' => array('does' => 'exist'))); $s = new Session(array('something' => array('does' => 'exist')));
$s->inst_clear('something.doesnt.exist'); $s->inst_clear('something.doesnt.exist');
$this->assertEquals(array(), $s->inst_changedData()); $result = $s->inst_changedData();
unset($result['HTTP_USER_AGENT']);
$this->assertEquals(array(), $result);
$s->inst_set('something-else', 'val'); $s->inst_set('something-else', 'val');
$s->inst_clear('something-new'); $s->inst_clear('something-new');
$this->assertEquals(array('something-else' => 'val'), $s->inst_changedData()); $result = $s->inst_changedData();
unset($result['HTTP_USER_AGENT']);
$this->assertEquals(array('something-else' => 'val'), $result);
} }
/** /**
@ -73,7 +80,9 @@ class SessionTest extends SapphireTest {
$s = new Session(array('something' => array('does' => 'exist'))); $s = new Session(array('something' => array('does' => 'exist')));
$s->inst_clear('something.does'); $s->inst_clear('something.does');
$this->assertEquals(array('something' => array('does' => null)), $s->inst_changedData()); $result = $s->inst_changedData();
unset($result['HTTP_USER_AGENT']);
$this->assertEquals(array('something' => array('does' => null)), $result);
} }
public function testNonStandardPath(){ public function testNonStandardPath(){
@ -82,4 +91,20 @@ class SessionTest extends SapphireTest {
$this->assertEquals(Config::inst()->get('Session', 'store_path'), ''); $this->assertEquals(Config::inst()->get('Session', 'store_path'), '');
} }
public function testUserAgentLockout() {
// Set a user agent
$_SERVER['HTTP_USER_AGENT'] = 'Test Agent';
// Generate our session
$s = new Session(array());
$s->inst_set('val', 123);
// Change our UA
$_SERVER['HTTP_USER_AGENT'] = 'Fake Agent';
// Verify the new session reset our values
$s2 = new Session($s);
$this->assertNotEquals($s2->inst_get('val'), 123);
}
} }