Closes #3238, added the ability to turn off the check for HTTP_USER_AGENT by using Configure::write('Session.checkAgent', false); in a beforeFilter().

Added test for changes.

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@5770 3807eeeb-6ff5-0310-8944-8be069107fe0
This commit is contained in:
phpnut 2007-10-17 00:40:47 +00:00
parent 74dd4b4832
commit bf273081f0
4 changed files with 58 additions and 32 deletions


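--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 Configure::write('Session.table', 'cake_sessions');
-/**
-* A random string used in security hashing methods.
-*/
-Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 Configure::write('Session.cookie', 'CAKEPHP');
+/**
+* Session time out time (in seconds).
+* Actual value depends on 'Security.level' setting.
+*/
+Configure::write('Session.timeout', '120');
+/**
+* If set to false, sessions are not automatically started.
+*/
+Configure::write('Session.start', true);
+/**
+* When set to false, HTTP_USER_AGENT will not be checked
+* in the session
+*/
+Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@@ -128,10 +138,9 @@
 */
 Configure::write('Security.level', 'high');
 /**
-* Session time out time (in seconds).
-* Actual value depends on 'Security.level' setting.
+* A random string used in security hashing methods.
 */
-Configure::write('Session.timeout', '120');
+Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
@@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 define('COMPRESS_CSS', false);
-/**
-* If set to false, sessions are not automatically started.
-*/
-Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.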
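Review bot: The new `Session.checkAgent` doc block in the first hunk says only that HTTP_USER_AGENT will not be checked; it should state what that switches off so the default is not flipped casually. In CakeSession::valid() and __checkValid() the agent hash is the comparison that raises the "Session Highjacking Attempted" error, so disabling it removes that detection for every session, and the commit message describes it as a per-request override from a beforeFilter() rather than a global default. I would extend the block to `* When set to false, HTTP_USER_AGENT will not be checked in the session.` / `* Disabling this removes the user-agent binding CakeSession uses to detect hijacked sessions; keep the default true.` The second file section below carries the identical hunk and needs the same wording.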


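--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -106,14 +106,24 @@
 * The table name set here should *not* include any table prefix defined elsewhere.
 */
 Configure::write('Session.table', 'cake_sessions');
-/**
-* A random string used in security hashing methods.
-*/
-Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * The name of CakePHP's session cookie.
 */
 Configure::write('Session.cookie', 'CAKEPHP');
+/**
+* Session time out time (in seconds).
+* Actual value depends on 'Security.level' setting.
+*/
+Configure::write('Session.timeout', '120');
+/**
+* If set to false, sessions are not automatically started.
+*/
+Configure::write('Session.start', true);
+/**
+* When set to false, HTTP_USER_AGENT will not be checked
+* in the session
+*/
+Configure::write('Session.checkAgent', true);
 /**
 * The level of CakePHP security. The session timeout time defined
 * in 'Session.timeout' is multiplied according to the settings here.
@@ -128,10 +138,9 @@
 */
 Configure::write('Security.level', 'high');
 /**
-* Session time out time (in seconds).
-* Actual value depends on 'Security.level' setting.
+* A random string used in security hashing methods.
 */
-Configure::write('Session.timeout', '120');
+Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
 /**
 * Compress CSS output by removing comments, whitespace, repeating tags, etc.
 * This requires a/var/cache directory to be writable by the web server for caching.
@@ -139,10 +148,6 @@
 * To use, prefix the CSS link URL with '/ccss/' instead of '/css/' or use Controller::cssTag().
 */
 define('COMPRESS_CSS', false);
-/**
-* If set to false, sessions are not automatically started.
-*/
-Configure::write('Session.start', true);
 /**
 * The classname and database used in CakePHP's
 * access control lists.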


@ -64,7 +64,7 @@ class CakeSession extends Object {
* @var string * @var string
* @access protected * @access protected
*/ */
var $_userAgent = false; var $_userAgent = '';
/** /**
* Path to where the session is active. * Path to where the session is active.
* *
@ -115,15 +115,14 @@ class CakeSession extends Object {
* @access public * @access public
*/ */
function __construct($base = null, $start = true) { function __construct($base = null, $start = true) {
if (Configure::read('Session.save') === 'database' && !class_exists('ConnectionManager')) { if (Configure::read('Session.save') === 'database' && !class_exists('ConnectionManager')) {
uses('model' . DS . 'connection_manager'); uses('model' . DS . 'connection_manager');
} }
if (env('HTTP_USER_AGENT') != null) { if (Configure::read('Session.checkAgent') === true) {
$this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt')); if (env('HTTP_USER_AGENT') != null) {
} else { $this->_userAgent = md5(env('HTTP_USER_AGENT') . Configure::read('Security.salt'));
$this->_userAgent = ""; }
} }
$this->time = time(); $this->time = time();
@ -268,8 +267,10 @@ class CakeSession extends Object {
*/ */
function valid() { function valid() {
if ($this->read('Config')) { if ($this->read('Config')) {
if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) { if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
$this->valid = true; if ($this->error === false) {
$this->valid = true;
}
} else { } else {
$this->valid = false; $this->valid = false;
$this->__setError(1, "Session Highjacking Attempted !!!"); $this->__setError(1, "Session Highjacking Attempted !!!");
@ -401,6 +402,9 @@ class CakeSession extends Object {
break; break;
case 'medium': case 'medium':
$this->cookieLifeTime = 7 * 86400; $this->cookieLifeTime = 7 * 86400;
if (function_exists('ini_set')) {
ini_set('session.referer_check', $this->host);
}
break; break;
case 'low': case 'low':
default: default:
@ -489,13 +493,13 @@ class CakeSession extends Object {
*/ */
function __checkValid() { function __checkValid() {
if ($this->read('Config')) { if ($this->read('Config')) {
if ($this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) { if (Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent") && $this->time <= $this->read("Config.time")) {
$this->write("Config.time", $this->sessionTime); $this->write("Config.time", $this->sessionTime);
$this->valid = true; $this->valid = true;
} else { } else {
$this->destroy();
$this->valid = false; $this->valid = false;
$this->__setError(1, "Session Highjacking Attempted !!!"); $this->__setError(1, "Session Highjacking Attempted !!!");
$this->destroy();
} }
} else { } else {
srand ((double)microtime() * 1000000); srand ((double)microtime() * 1000000);
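Review bot: The new condition in valid() (and the identical one in __checkValid() in the last hunk) has a precedence defect: `a === false || b && c` parses as `a === false || (b && c)`, so when `Session.checkAgent` is false the `$this->time <= $this->read("Config.time")` expiry check is skipped too and a timed-out session is reported as valid. Only the agent comparison should become optional: `if ((Configure::read('Session.checkAgent') === false || $this->_userAgent == $this->read("Config.userAgent")) && $this->time <= $this->read("Config.time")) {` in both places. The added testCheckUserAgentFalse in the test file passes with either form, so it does not catch this; a case with checkAgent false and `Config.time` already in the past would. Separately, the md5 hashes are compared with loose `==`, which treats two all-digit `0e…` hex strings as numerically equal, so `===` is the safer comparison even though that predates this commit; valid()'s body continues past its hunk.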


@ -88,6 +88,18 @@ class SessionTest extends UnitTestCase {
$this->assertEqual($this->Session->read('SessionTestCase'), null); $this->assertEqual($this->Session->read('SessionTestCase'), null);
} }
function testCheckUserAgentFalse() {
Configure::write('Session.checkAgent', false);
$this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
$this->assertTrue($this->Session->valid());
}
function testCheckUserAgentTrue() {
Configure::write('Session.checkAgent', true);
$this->Session->_userAgent = md5('http://randomdomainname.com' . Configure::read('Security.salt'));
$this->assertFalse($this->Session->valid());
}
function tearDown() { function tearDown() {
$this->Session->del('SessionTestCase'); $this->Session->del('SessionTestCase');
unset($this->Session); unset($this->Session);