Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Better session handling fix

This commit is contained in:
Albert Santoni 2014-06-25 11:15:14 -04:00
parent a2bef67d33
commit 15013afa40
3 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
airtime_mvc/application/Bootstrap.php
View File

@ -14,8 +14,10 @@ require_once "DateHelper.php";
require_once "OsPath.php"; require_once "OsPath.php";
require_once "Database.php"; require_once "Database.php";
require_once "Timezone.php"; require_once "Timezone.php";
require_once "models/Auth.php";
require_once __DIR__.'/forms/helpers/ValidationTypes.php'; require_once __DIR__.'/forms/helpers/ValidationTypes.php';
require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php'; require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
require_once (APPLICATION_PATH."/logging/Logging.php"); require_once (APPLICATION_PATH."/logging/Logging.php");
Logging::setLogPath('/var/log/airtime/zendphp.log'); Logging::setLogPath('/var/log/airtime/zendphp.log');
@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php";
Zend_Validate::setDefaultNamespaces("Zend"); Zend_Validate::setDefaultNamespaces("Zend");
Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
$front = Zend_Controller_Front::getInstance(); $front = Zend_Controller_Front::getInstance();
$front->registerPlugin(new RabbitMqPlugin()); $front->registerPlugin(new RabbitMqPlugin());

3
airtime_mvc/application/controllers/LoginController.php
View File

@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action
Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA')); Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
$auth = Zend_Auth::getInstance(); $auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($auth);
if ($auth->hasIdentity()) if ($auth->hasIdentity())
{ {
@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action
public function logoutAction() public function logoutAction()
{ {
$auth = Zend_Auth::getInstance(); $auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($auth);
$auth->clearIdentity(); $auth->clearIdentity();
$this->_redirect('showbuilder/index'); $this->_redirect('showbuilder/index');
} }
@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action
$auth->invalidateTokens($user, 'password.restore'); $auth->invalidateTokens($user, 'password.restore');
$zend_auth = Zend_Auth::getInstance(); $zend_auth = Zend_Auth::getInstance();
Application_Model_Auth::pinSessionToClient($zend_auth);
$zend_auth->clearIdentity(); $zend_auth->clearIdentity();
$authAdapter = Application_Model_Auth::getAuthAdapter(); $authAdapter = Application_Model_Auth::getAuthAdapter();

7
airtime_mvc/application/models/Auth.php
View File

@ -103,11 +103,14 @@ class Application_Model_Auth
} }
/** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
* different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID. * different copies of Airtime on the same webserver. This essentially pins this session to:
* - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
* - The remote IP of the browser - to help prevent session hijacking
* - The client ID - same reason as server hostname
* @param Zend_Auth $auth Get this with Zend_Auth::getInstance(). * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
*/ */
public static function pinSessionToClient($auth) public static function pinSessionToClient($auth)
{ {
$auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId())); $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId()));
} }
} }