author | VirtualTam <virtualtam@flibidi.net> | 2018-02-16 21:51:44 +0100 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2018-05-29 22:53:54 +0200 |
commit | 88110550b89617dcda16441212599b8a40faa20c (patch) | |
tree | ac1f137c96ca4df448a802a339fd7a351ce16bcd /index.php | |
parent | 8f816d8ddfe9219e15580cef6e5c9037d1d4fd28 (diff) | |
Refactor client session hijacking protection
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 14 |
1 files changed, 2 insertions, 12 deletions
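--- a/index.php
+++ b/index.php
@@ -207,7 +207,7 @@ function setup_login_state($conf)
 }
 // If session does not exist on server side, or IP address has changed, or session has expired, logout.
 if (empty($_SESSION['uid'])
-|| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != allIPs())
+|| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] != client_ip_id($_SERVER))
 || time() >= $_SESSION['expires_on'])
 {
 logout();
@@ -231,16 +231,6 @@ $userIsLoggedIn = setup_login_state($conf);
 // ------------------------------------------------------------------------------------------
 // Session management
 
-// Returns the IP address of the client (Used to prevent session cookie hijacking.)
-function allIPs()
-{
-$ip = $_SERVER['REMOTE_ADDR'];
-// Then we use more HTTP headers to prevent session hijacking from users behind the same proxy.
-if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip=$ip.'_'.$_SERVER['HTTP_X_FORWARDED_FOR']; }
-if (isset($_SERVER['HTTP_CLIENT_IP'])) { $ip=$ip.'_'.$_SERVER['HTTP_CLIENT_IP']; }
-return $ip;
-}
-
 /**
 * Load user session.
 *
@@ -249,7 +239,7 @@ function allIPs()
 function fillSessionInfo($conf)
 {
 $_SESSION['uid'] = sha1(uniqid('',true).'_'.mt_rand()); // Generate unique random number (different than phpsessionid)
-$_SESSION['ip']=allIPs(); // We store IP address(es) of the client to make sure session is not hijacked.
+$_SESSION['ip'] = client_ip_id($_SERVER);
 $_SESSION['username']= $conf->get('credentials.login');
 $_SESSION['expires_on']=time()+INACTIVITY_TIMEOUT; // Set session expiration.
 }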
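Review bot: The rewritten check on new line 210 still compares the stored client identifier with loose `!=`; both sides are strings, so strict `!==` avoids PHP's loose-comparison rules (numeric-looking strings compare numerically) and makes the intent explicit: `|| ($conf->get('security.session_protection_disabled') === false && $_SESSION['ip'] !== client_ip_id($_SERVER))`. client_ip_id() is defined outside this diff; if it still folds in the proxy headers the removed allIPs() read, those values are request-supplied, so this comparison remains a hijacking mitigation rather than an authentication control, and that is worth stating where the identifier is stored. The new assignment on line 242 dropped the old explanatory comment entirely; I would keep one, e.g. `$_SESSION['ip'] = client_ip_id($_SERVER); // client identifier checked on each request to detect session hijacking`. Both enclosing functions, setup_login_state() and fillSessionInfo(), begin or end outside these hunks.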