ActiveSession now does its validation to avoid session hijacking.
@@ -27,4 +27,37 @@ $this->mode = "web";
|
||||
$enable_host_specific_configuration = true;
|
||||
|
||||
|
||||
|
||||
##
|
||||
# Session settings
|
||||
##
|
||||
|
||||
# session name
|
||||
# $this->session->name = "PHPSESSID";
|
||||
|
||||
# session cookie_lifetime - defined in minutes
|
||||
# $this->session->lifetime = 0;
|
||||
|
||||
# max session lifetime - defined in minutes
|
||||
# $this->session->maxlifetime = 30;
|
||||
|
||||
# php.ini setting: session.use_only_cookies
|
||||
# $this->session->use_only_cookies = false;
|
||||
|
||||
# php.ini setting: session.gc_probability
|
||||
# $this->session->gc_probability = 1;
|
||||
|
||||
# php.ini setting: session.gc_divisor
|
||||
# $this->session->gc_divisor = 100;
|
||||
|
||||
# php.ini setting: session.cache_limiter
|
||||
# $this->session->cache_limiter = "nocache";
|
||||
|
||||
# session security features
|
||||
# 0 = no extra security features
|
||||
# 1 = user agent string is verified
|
||||
# 2 = user agent string, and client ip address are verified
|
||||
# $this->session->security = 1;
|
||||
|
||||
|
||||
?>
|
||||
3
vendor/zynapse/action_environment.php
vendored
3
vendor/zynapse/action_environment.php
vendored
@@ -40,6 +40,9 @@ class ActionEnvironment {
|
||||
$mode,
|
||||
$root,
|
||||
|
||||
# Components
|
||||
$session,
|
||||
|
||||
# Misc.
|
||||
$is_windows,
|
||||
$path_separator;
|
||||
|
||||
78
vendor/zynapse/active_session.php
vendored
78
vendor/zynapse/active_session.php
vendored
@@ -48,7 +48,39 @@ class ActiveSession {
|
||||
$key = '____active_session_verification_data____',
|
||||
|
||||
# Session class has been started?
|
||||
$started = false;
|
||||
$started = false,
|
||||
|
||||
|
||||
##
|
||||
# PHP Session settings
|
||||
##
|
||||
|
||||
# session name
|
||||
$name = "PHPSESSID",
|
||||
|
||||
# session cookie_lifetime - defined in minutes
|
||||
$lifetime = 0,
|
||||
|
||||
# max session lifetime - defined in minutes
|
||||
$maxlifetime = 30,
|
||||
|
||||
# php.ini setting: session.use_only_cookies
|
||||
$use_only_cookies = false,
|
||||
|
||||
# php.ini setting: session.gc_probability
|
||||
$gc_probability = 1,
|
||||
|
||||
# php.ini setting: session.gc_divisor
|
||||
$gc_divisor = 100,
|
||||
|
||||
# php.ini setting: session.cache_limiter
|
||||
$cache_limiter = "nocache",
|
||||
|
||||
# session security features
|
||||
# 0 = no extra security features
|
||||
# 1 = user agent string is verified
|
||||
# 2 = user agent string, and client ip address are verified
|
||||
$security = 1;
|
||||
|
||||
|
||||
function __construct () {
|
||||
@@ -61,10 +93,54 @@ class ActiveSession {
|
||||
|
||||
function init () {
|
||||
//TODO validate and init zynapse's session features
|
||||
$this->ini_setup();
|
||||
$this->validate();
|
||||
$this->id = session_id();
|
||||
$this->started = true;
|
||||
}
|
||||
|
||||
function validate () {
|
||||
if ( isset($_SESSION[$this->key]) && count($_SESSION[$this->key]) ) {
|
||||
$valid = true;
|
||||
if ( $this->security > 0 ) {
|
||||
if ( !isset($_SESSION[$this->key]['user_agent']) || $_SESSION[$this->key]['user_agent'] != $this->user_agent ) {
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
if ( $this->security > 1 ) {
|
||||
if ( !$this->is_aol_host() && (!isset($_SESSION[$this->key]['ip']) || $_SESSION[$this->key]['ip'] != $this->ip) ) {
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
if ( !$valid ) {
|
||||
$_SESSION = array();
|
||||
$this->validate();
|
||||
}
|
||||
} else {
|
||||
$_SESSION[$this->key] = array(
|
||||
'user_agent' => $this->user_agent,
|
||||
'ip' => $this->ip,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
function is_aol_host () {
|
||||
if ( stristr($this->user_agent, 'AOL') || preg_match('/proxy\.aol\.com$/i', gethostbyaddr($this->ip)) ) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
function ini_setup () {
|
||||
ini_set('session.name', $this->name);
|
||||
ini_set('session.cookie_lifetime', $this->lifetime);
|
||||
ini_set('session.gc_maxlifetime', $this->maxlifetime);
|
||||
ini_set('session.use_only_cookies', $this->use_only_cookies);
|
||||
ini_set('session.gc_probability', $this->gc_probability);
|
||||
ini_set('session.gc_divisor', $this->gc_divisor);
|
||||
ini_set('session.cache_limiter', $this->cache_limiter);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
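Review bot: In `validate()`, the mismatch branch `$_SESSION = array(); $this->validate();` clears the session's contents but keeps the same session ID and immediately re-seeds the fingerprint from the current request, so a stolen ID is never invalidated — whoever presents it just gets a fresh, empty session under that ID and the legitimate user is the one locked out. Insert `session_regenerate_id(true);` between the reset and the recursive call so the old ID is deleted server-side before the new fingerprint is stored. Separately, `$lifetime` and `$maxlifetime` are documented "in minutes" but `ini_set('session.cookie_lifetime', ...)` and `ini_set('session.gc_maxlifetime', ...)` take seconds, so the default `30` expires sessions after 30 seconds; pass `$this->maxlifetime * 60` (and likewise for lifetime when non-zero) or change the comments to say seconds. Note also that `is_aol_host()` skips the IP check entirely whenever the stored user agent contains "AOL" and performs a blocking `gethostbyaddr()` reverse lookup on every request at security level 2; `$this->user_agent` and `$this->ip` are set in `__construct()`, whose body is outside this hunk, so how trustworthy `$this->ip` is (direct `REMOTE_ADDR` vs. a forwarded header) cannot be judged here.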
9
vendor/zynapse/zynapse.php
vendored
9
vendor/zynapse/zynapse.php
vendored
@@ -53,14 +53,15 @@ class Zynapse {
|
||||
// Enable PHP sessions
|
||||
ActiveSession::start();
|
||||
|
||||
// Init the environment system (ActionEnvironment)
|
||||
self::$env = new ActionEnvironment();
|
||||
self::$env->init();
|
||||
|
||||
// Init the session control system (ActiveSession)
|
||||
self::$session = new ActiveSession();
|
||||
self::$session->init();
|
||||
|
||||
// Init the environment system (ActionEnvironment)
|
||||
self::$env = new ActionEnvironment();
|
||||
self::$env->session =& self::$session;
|
||||
self::$env->init();
|
||||
|
||||
// Init the core controller system (ActionBase)
|
||||
self::$base = new ActionBase();
|
||||
self::$base->init();
|
||||
|
||||
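Review bot: `ActiveSession::start()` still runs before `self::$session->init()`, and `init()` is what calls `ini_setup()`; if `start()` is where `session_start()` happens (its body is not in this diff), then `session.name`, `session.cookie_lifetime` and `session.use_only_cookies` are applied after the session cookie has already been issued and have no effect on it, which also means the `use_only_cookies` setting meant to block URL-based session fixation is inert. Either move `self::$session = new ActiveSession(); self::$session->init();` ahead of `ActiveSession::start()`, or have `init()` call `session_start()` itself immediately after `ini_setup()`. A minor style point: `self::$env->session =& self::$session;` can be a plain `=` since objects are already passed by handle in PHP 5+.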