Adding session renewal upon login/logout.
This helps improve session security, as it reduces the opportunity of replaying a session id successfully. Fixes #836
This commit is contained in:
parent
50a0a51f53
commit
b1dad6e5bd
2 changed files with 11 additions and 2 deletions
|
@ -491,7 +491,8 @@ class AuthComponent extends Component {
|
|||
/**
|
||||
* Log a user in. If a $user is provided that data will be stored as the logged in user. If `$user` is empty or not
|
||||
* specified, the request will be used to identify a user. If the identification was successful,
|
||||
* the user record is written to the session key specified in AuthComponent::$sessionKey.
|
||||
* the user record is written to the session key specified in AuthComponent::$sessionKey. Logging in
|
||||
* will also change the session id in order to help mitigate session replays.
|
||||
*
|
||||
* @param mixed $user Either an array of user data, or null to identify a user using the current request.
|
||||
* @return boolean True on login success, false on failure
|
||||
|
@ -504,6 +505,7 @@ class AuthComponent extends Component {
|
|||
$user = $this->identify($this->request, $this->response);
|
||||
}
|
||||
if ($user) {
|
||||
$this->Session->renew();
|
||||
$this->Session->write(self::$sessionKey, $user);
|
||||
}
|
||||
return $this->loggedIn();
|
||||
|
@ -513,7 +515,8 @@ class AuthComponent extends Component {
|
|||
* Logs a user out, and returns the login action to redirect to.
|
||||
* Triggers the logout() method of all the authenticate objects, so they can perform
|
||||
* custom logout logic. AuthComponent will remove the session data, so
|
||||
* there is no need to do that in an authentication object.
|
||||
* there is no need to do that in an authentication object. Logging out
|
||||
* will also renew the session id. This helps mitigate issues with session replays.
|
||||
*
|
||||
* @return string AuthComponent::$logoutRedirect
|
||||
* @see AuthComponent::$logoutRedirect
|
||||
|
@ -530,6 +533,7 @@ class AuthComponent extends Component {
|
|||
}
|
||||
$this->Session->delete(self::$sessionKey);
|
||||
$this->Session->delete('Auth.redirect');
|
||||
$this->Session->renew();
|
||||
return Router::normalize($this->logoutRedirect);
|
||||
}
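Review bot: The new docblock lines `* will also change the session id in order to help mitigate session replays.` (login) and `* will also renew the session id. This helps mitigate issues with session replays.` (logout) name the wrong threat: regenerating the id at the login/logout boundary is the standard defence against session fixation, where an id the attacker planted or observed before authentication would otherwise be promoted to an authenticated session; it does nothing against replay of an id captured after login. Suggest `* will also regenerate the session id so that an id obtained or planted before authentication is not carried into the authenticated session (session fixation).` for login, and the equivalent wording for logout. Calling `$this->Session->renew();` before `$this->Session->write(self::$sessionKey, $user);` is the right order, since the user record is then never stored under the pre-login id, but it presumes SessionComponent::renew() copies existing session data to the new id (as `session_regenerate_id` does) — that implementation is not visible here, so a one-line comment such as `// renew first so the user record is never stored under the pre-login session id` would help the next reader. On logout, renew() after deleting the Auth keys leaves any other session data intact; if that is intended, the docblock should say so, otherwise a full destroy() may be the safer default.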
|
||||
|
||||
|
|
|
@ -385,6 +385,8 @@ class AuthComponentTest extends CakeTestCase {
|
|||
'userModel' => 'AuthUser'
|
||||
)
|
||||
);
|
||||
$this->Auth->Session = $this->getMock('SessionComponent', array('renew'), array(), '', false);
|
||||
|
||||
$mocks = $this->Auth->constructAuthenticate();
|
||||
$this->mockObjects[] = $mocks[0];
|
||||
|
||||
|
@ -405,6 +407,9 @@ class AuthComponentTest extends CakeTestCase {
|
|||
->with($this->Auth->request)
|
||||
->will($this->returnValue($user));
|
||||
|
||||
$this->Auth->Session->expects($this->once())
|
||||
->method('renew');
|
||||
|
||||
$result = $this->Auth->login();
|
||||
$this->assertTrue($result);
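Review bot: The expectation `$this->Auth->Session->expects($this->once())->method('renew');` only covers the login path; the logout hunk in AuthComponent also calls renew(), and no assertion for it is visible in this section (the rest of the test file is outside the hunk, so it may exist elsewhere). If it does not, a matching test would be two lines: `$this->Auth->Session->expects($this->once())->method('renew');` followed by `$this->Auth->logout();`. Note that `getMock('SessionComponent', array('renew'), array(), '', false)` stubs only renew(), so write() and delete() in the component run the real SessionComponent code against the global session state, which is presumably what the surrounding tests already rely on but is worth a short comment on the mock line, e.g. `// only renew() is stubbed; write()/delete() hit the real session`.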
|
||||
|
||||
|