Closes #3238, added ability to turn of check for HTTP_USER_AGENT by using Configure::write('Session.checkAgent', false); in a beforeFilter().

Added test for changes. git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@5770 3807eeeb-6ff5-0310-8944-8be069107fe0
2025-01-18 18:46:17 +00:00 · 2007-10-17 00:40:47 +00:00 · 2007-10-17 00:40:47 +00:00 · bf273081f0
commit bf273081f0
parent 74dd4b4832
4 changed files with 58 additions and 32 deletions
--- a/app/config/core.php
+++ b/app/config/core.php
@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 	Configure::write('Session.table', 'cake_sessions');
-/**
- * A random string used in security hashing methods.
- */
-	Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 	Configure::write('Session.cookie', 'CAKEPHP');
+/**
+ * Session time out time (in seconds).
+ * Actual value depends on 'Security.level' setting.
+ */
+	Configure::write('Session.timeout', '120');
+/**
+ * If set to false, sessions are not automatically started.
+ */
+	Configure::write('Session.start', true);
+/**
+ * When set to false, HTTP_USER_AGENT will not be checked
+ * in the session
+ */
+	Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@ -128,10 +138,9 @@
 */
 	Configure::write('Security.level', 'high');
 /**
- * Session time out time (in seconds).
- * Actual value depends on 'Security.level' setting.
+ * A random string used in security hashing methods.
 */
-	Configure::write('Session.timeout', '120');
+	Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 	define('COMPRESS_CSS', false);
-/**
- * If set to false, sessions are not automatically started.
- */
-	Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.
--- a/cake/console/libs/templates/skel/config/core.php
+++ b/cake/console/libs/templates/skel/config/core.php
@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 	Configure::write('Session.table', 'cake_sessions');
-/**
- * A random string used in security hashing methods.
- */
-	Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 	Configure::write('Session.cookie', 'CAKEPHP');
+/**
+ * Session time out time (in seconds).
+ * Actual value depends on 'Security.level' setting.
+ */
+	Configure::write('Session.timeout', '120');
+/**
+ * If set to false, sessions are not automatically started.
+ */
+	Configure::write('Session.start', true);
+/**
+ * When set to false, HTTP_USER_AGENT will not be checked
+ * in the session
+ */
+	Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@ -128,10 +138,9 @@
 */
 	Configure::write('Security.level', 'high');
 /**
- * Session time out time (in seconds).
- * Actual value depends on 'Security.level' setting.
+ * A random string used in security hashing methods.
 */
-	Configure::write('Session.timeout', '120');
+	Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 	define('COMPRESS_CSS', false);
-/**
- * If set to false, sessions are not automatically started.
- */
-	Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.
--- a/cake/libs/session.php
+++ b/cake/libs/session.php
@ -64,7 +64,7 @@ class CakeSession extends Object {
 * @var string
 * @access protected
 */
-	var $_userAgent = false;
+	var $_userAgent = '';
 /**
 * Path to where the session is active.
 *
@ -115,15 +115,14 @@ class CakeSession extends Object {
 * @access public
 */
 	function __construct($base = null, $start = true) {
-
 		if (Configure::read('Session.save') === 'database' && !class_exists('ConnectionManager')) {
 			uses('model' . DS . 'connection_manager');
 		}

-		if (env('HTTP_USER_AGENT') != null) {
-			$this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
-		} else {
-				$this->_userAgent = "";
+		if (Configure::read('Session.checkAgent') === true) {
+			if (env('HTTP_USER_AGENT') != null) {
+				$this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
+			}
 		}
 		$this->time = time();

@ -268,8 +267,10 @@ class CakeSession extends Object {
 */
 	function valid() {
 		if ($this->read('Config')) {
-			if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
-				$this->valid = true;
+			if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
+				if ($this->error === false) {
+					$this->valid = true;
+				}
 			} else {
 				$this->valid = false;
 				$this->__setError(1, "Session Highjacking Attempted !!!");
@ -401,6 +402,9 @@ class CakeSession extends Object {
 			break;
 			case 'medium':
 				$this->cookieLifeTime = 7 * 86400;
+				if (function_exists('ini_set')) {
+					ini_set('session.referer_check', $this->host);
+				}
 			break;
 			case 'low':
 			default:
@ -489,13 +493,13 @@ class CakeSession extends Object {
 */
 	function __checkValid() {
 		if ($this->read('Config')) {
-			if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
+			if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
 				$this->write("Config.time", $this->sessionTime);
 				$this->valid = true;
 			} else {
+				$this->destroy();
 				$this->valid = false;
 				$this->__setError(1, "Session Highjacking Attempted !!!");
-				$this->destroy();
 			}
 		} else {
 			srand ((double)microtime() * 1000000);
--- a/cake/tests/cases/libs/session.test.php
+++ b/cake/tests/cases/libs/session.test.php
@ -88,6 +88,18 @@ class SessionTest extends UnitTestCase {
 		$this->assertEqual($this->Session->read('SessionTestCase'), null);
 	}

+	function testCheckUserAgentFalse() {
+		Configure::write('Session.checkAgent', false);
+		$this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
+		$this->assertTrue($this->Session->valid());
+	}
+
+	function testCheckUserAgentTrue() {
+		Configure::write('Session.checkAgent', true);
+		$this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
+		$this->assertFalse($this->Session->valid());
+	}
+
 	function tearDown() {
 		$this->Session->del('SessionTestCase');
 		unset($this->Session);