Better session handling fix

This commit is contained in:
Albert Santoni 2014-06-25 11:15:14 -04:00
parent a2bef67d33
commit 15013afa40
3 changed files with 9 additions and 5 deletions

View File

@ -14,8 +14,10 @@ require_once "DateHelper.php";
require_once "OsPath.php";
require_once "Database.php";
require_once "Timezone.php";
require_once "models/Auth.php";
require_once __DIR__.'/forms/helpers/ValidationTypes.php';
require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
require_once (APPLICATION_PATH."/logging/Logging.php");
Logging::setLogPath('/var/log/airtime/zendphp.log');
@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php";
Zend_Validate::setDefaultNamespaces("Zend");
Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
$front = Zend_Controller_Front::getInstance();
$front->registerPlugin(new RabbitMqPlugin());

View File

@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action
Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
$auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($auth);
if ($auth->hasIdentity())
{
@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action
public function logoutAction()
{
$auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($auth);
$auth->clearIdentity();
$this->_redirect('showbuilder/index');
}
@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action
$auth->invalidateTokens($user, 'password.restore');
$zend_auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($zend_auth);
$zend_auth->clearIdentity();
$authAdapter = Application_Model_Auth::getAuthAdapter();

View File

@ -103,11 +103,14 @@ class Application_Model_Auth
}
/** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
* different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID.
* different copies of Airtime on the same webserver. This essentially pins this session to:
* - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
* - The remote IP of the browser - to help prevent session hijacking
* - The client ID - same reason as server hostname
* @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
*/
public static function pinSessionToClient($auth)
{
$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId()));
$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId()));
}
}