Merge pull request #9170 from open-sausages/pulls/4/add-option-to-disable-user-agent-session-check

API Add option to disable user-agent header session validation
Guy Marriott 2019-08-08 11:47:07 +12:00 committed by GitHub
commit f3132c89d7
3 changed files with 47 additions and 2 deletions


@ -110,6 +110,19 @@ SilverStripe\Control\Session:
This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions. This uses the session_name `SECSESSID` for `https` connections instead of the default `PHPSESSID`. Doing so adds an extra layer of security to your session cookie since you no longer share `http` and `https` sessions.
## Relaxing checks around user agent strings
Out of the box, SilverStripe will invalidate a user's session if the `User-Agent` header changes. This provides some supplemental protection against session high-jacking attacks.
It is possible to disable the user agent header session validation. However, it is not recommended.
To disable the user agent session check, add the following code snippet to your project's YML configuration.
```yml
SilverStripe\Control\Session:
strict_user_agent_check: false
```
## API Documentation ## API Documentation


@ -144,6 +144,14 @@ class Session
*/ */
private static $sessionCacheLimiter = ''; private static $sessionCacheLimiter = '';
/**
* Invalidate the session if user agent header changes between request. Defaults to true. Disabling this checks is
* not recommended.
* @var bool
* @config
*/
private static $strict_user_agent_check = true;
/** /**
* Session data. * Session data.
* Will be null if session has not been started * Will be null if session has not been started
@ -223,7 +231,7 @@ class Session
} }
// Funny business detected! // Funny business detected!
if (isset($this->data['HTTP_USER_AGENT'])) { if (self::config()->get('strict_user_agent_check') && isset($this->data['HTTP_USER_AGENT'])) {
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) { if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
$this->clearAll(); $this->clearAll();
$this->destroy(); $this->destroy();
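Review bot: The docblock on the new `$strict_user_agent_check` property (L31-L32) has two grammar slips and does not say what the check protects against, which is the one thing a reader deciding to disable it needs; suggested wording: `Invalidate the session if the User-Agent header changes between requests. Defaults to true. Disabling this check is not recommended: it removes a supplemental defence against session hijacking.` The new property name is snake_case while its neighbour `$sessionCacheLimiter` (L29) is camelCase; the mix predates this change, but the hunk could follow whichever convention the rest of the class's `@config` properties use. At L43 the guard is evaluated with `&&`, so a truthy non-boolean config value (for example the string `'false'`) keeps the check enabled rather than disabling it — that is the safe failure mode, but it may be worth stating in the docblock. The enclosing method around L43 starts and ends outside the hunk.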


@ -285,7 +285,31 @@ class SessionTest extends SapphireTest
// Verify the new session reset our values // Verify the new session reset our values
$s2 = new Session($s); $s2 = new Session($s);
$s2->init($req2); $s2->init($req2);
$this->assertNotEquals($s2->get('val'), 123); $this->assertEmpty($s2->get('val'));
}
public function testDisabledUserAgentLockout()
{
Session::config()->set('strict_user_agent_check', false);
// Set a user agent
$req1 = new HTTPRequest('GET', '/');
$req1->addHeader('User-Agent', 'Test Agent');
// Generate our session
$s = new Session([]);
$s->init($req1);
$s->set('val', 123);
$s->finalize($req1);
// Change our UA
$req2 = new HTTPRequest('GET', '/');
$req2->addHeader('User-Agent', 'Fake Agent');
// Verify the new session reset our values
$s2 = new Session($s);
$s2->init($req2);
$this->assertEquals($s2->get('val'), 123);
} }
public function testSave() public function testSave()
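Review bot: The comment at L70, `// Verify the new session reset our values`, was carried over from the lockout test above and states the opposite of what `testDisabledUserAgentLockout` checks; with the strict check off the session is expected to survive the User-Agent change, so `// Verify the session survives the UA change when the strict check is disabled` fits. The assertion at L73 also puts the actual value before the expected one, contrary to PHPUnit convention, and uses loose equality; `$this->assertSame(123, $s2->get('val'));` is clearer and strict. The `Session::config()->set('strict_user_agent_check', false)` call at L58 mutates class-level config; presumably SapphireTest isolates config per test so the disabled check does not leak into later tests — worth confirming, since a leak would silently weaken the preceding lockout test, whose body starts outside the hunk.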