Better session handling fix
This commit is contained in:
parent
a2bef67d33
commit
15013afa40
|
@ -14,8 +14,10 @@ require_once "DateHelper.php";
|
|||
require_once "OsPath.php";
|
||||
require_once "Database.php";
|
||||
require_once "Timezone.php";
|
||||
require_once "models/Auth.php";
|
||||
require_once __DIR__.'/forms/helpers/ValidationTypes.php';
|
||||
require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
|
||||
|
||||
|
||||
require_once (APPLICATION_PATH."/logging/Logging.php");
|
||||
Logging::setLogPath('/var/log/airtime/zendphp.log');
|
||||
|
@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php";
|
|||
|
||||
Zend_Validate::setDefaultNamespaces("Zend");
|
||||
|
||||
Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
|
||||
|
||||
$front = Zend_Controller_Front::getInstance();
|
||||
$front->registerPlugin(new RabbitMqPlugin());
|
||||
|
||||
|
|
|
@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action
|
|||
|
||||
Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
|
||||
$auth = Zend_Auth::getInstance();
|
||||
Application_Model_Auth::pinSessionToClient($auth);
|
||||
|
||||
if ($auth->hasIdentity())
|
||||
{
|
||||
|
@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action
|
|||
public function logoutAction()
|
||||
{
|
||||
$auth = Zend_Auth::getInstance();
|
||||
Application_Model_Auth::pinSessionToClient($auth);
|
||||
$auth->clearIdentity();
|
||||
$this->_redirect('showbuilder/index');
|
||||
}
|
||||
|
@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action
|
|||
$auth->invalidateTokens($user, 'password.restore');
|
||||
|
||||
$zend_auth = Zend_Auth::getInstance();
|
||||
Application_Model_Auth::pinSessionToClient($zend_auth);
|
||||
$zend_auth->clearIdentity();
|
||||
|
||||
$authAdapter = Application_Model_Auth::getAuthAdapter();
|
||||
|
|
|
@ -103,11 +103,14 @@ class Application_Model_Auth
|
|||
}
|
||||
|
||||
/** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
|
||||
* different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID.
|
||||
* different copies of Airtime on the same webserver. This essentially pins this session to:
|
||||
* - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
|
||||
* - The remote IP of the browser - to help prevent session hijacking
|
||||
* - The client ID - same reason as server hostname
|
||||
* @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
|
||||
*/
|
||||
public static function pinSessionToClient($auth)
|
||||
{
|
||||
$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId()));
|
||||
$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId()));
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue