From 15013afa4072fa1a1024e5ac58c9a713f0451d09 Mon Sep 17 00:00:00 2001 From: Albert Santoni Date: Wed, 25 Jun 2014 11:15:14 -0400 Subject: [PATCH 1/3] Better session handling fix --- airtime_mvc/application/Bootstrap.php | 4 ++++ airtime_mvc/application/controllers/LoginController.php | 3 --- airtime_mvc/application/models/Auth.php | 7 +++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php index 74c1cd69e..cc14d7026 100644 --- a/airtime_mvc/application/Bootstrap.php +++ b/airtime_mvc/application/Bootstrap.php @@ -14,8 +14,10 @@ require_once "DateHelper.php"; require_once "OsPath.php"; require_once "Database.php"; require_once "Timezone.php"; +require_once "models/Auth.php"; require_once __DIR__.'/forms/helpers/ValidationTypes.php'; require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php'; + require_once (APPLICATION_PATH."/logging/Logging.php"); Logging::setLogPath('/var/log/airtime/zendphp.log'); @@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php"; Zend_Validate::setDefaultNamespaces("Zend"); +Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance()); + $front = Zend_Controller_Front::getInstance(); $front->registerPlugin(new RabbitMqPlugin()); diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php index 4f462478d..84af7f954 100644 --- a/airtime_mvc/application/controllers/LoginController.php +++ b/airtime_mvc/application/controllers/LoginController.php @@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA')); $auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($auth); if ($auth->hasIdentity()) { 
@@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action public function logoutAction() { $auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($auth); $auth->clearIdentity(); $this->_redirect('showbuilder/index'); } @@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action $auth->invalidateTokens($user, 'password.restore'); $zend_auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($zend_auth); $zend_auth->clearIdentity(); $authAdapter = Application_Model_Auth::getAuthAdapter(); diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php index 04aafff6b..b24f8c7d4 100644 --- a/airtime_mvc/application/models/Auth.php +++ b/airtime_mvc/application/models/Auth.php @@ -103,11 +103,14 @@ class Application_Model_Auth } /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between - * different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID. + * different copies of Airtime on the same webserver. This essentially pins this session to: + * - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains + * - The remote IP of the browser - to help prevent session hijacking + * - The client ID - same reason as server hostname * @param Zend_Auth $auth Get this with Zend_Auth::getInstance(). */ public static function pinSessionToClient($auth) { - $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId())); + $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId())); } } From 6c11ef2769fec3955be12a9c00c6f9f78872c01f Mon Sep 17 00:00:00 2001 
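Review bot: Adding `$_SERVER['REMOTE_ADDR']` to the Zend_Auth storage namespace only segments clients when the web server sees their real address; behind a reverse proxy or load balancer every request carries the proxy's address, so the "help prevent session hijacking" bullet in the new doc comment does not hold for that deployment, while users whose address changes mid-session (mobile, carrier NAT) are silently logged out. The comment should say so, e.g. `* Note: behind a reverse proxy REMOTE_ADDR is the proxy's address, so the IP part adds no segmentation there and a trusted-proxy header would be needed instead.` Separately, `clearIdentity()` on logout clears only the namespace in use at that moment, so an identity stored under a previous address presumably stays in the PHP session until it expires (inferred from the namespace-per-address design; confirm against Zend_Auth_Storage_Session). The same point applies to the rewrite of this line in PATCH 2/3.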
From: Albert Santoni Date: Wed, 25 Jun 2014 11:24:19 -0400 Subject: [PATCH 2/3] Even better fix, fixes unit tests too --- airtime_mvc/application/Bootstrap.php | 2 +- airtime_mvc/application/models/Auth.php | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php index cc14d7026..5bafe0fad 100644 --- a/airtime_mvc/application/Bootstrap.php +++ b/airtime_mvc/application/Bootstrap.php @@ -14,7 +14,7 @@ require_once "DateHelper.php"; require_once "OsPath.php"; require_once "Database.php"; require_once "Timezone.php"; -require_once "models/Auth.php"; +require_once "Auth.php"; require_once __DIR__.'/forms/helpers/ValidationTypes.php'; require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php'; diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php index b24f8c7d4..37b9cae2e 100644 --- a/airtime_mvc/application/models/Auth.php +++ b/airtime_mvc/application/models/Auth.php @@ -111,6 +111,8 @@ class Application_Model_Auth */ public static function pinSessionToClient($auth) { - $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId())); + $serverName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : ""; + $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ""; + $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $serverName . $remoteAddr . Application_Model_Preference::GetClientId())); } } From 3b6b0f8b693d3bc738bce762a21ba9b746fbaa7c Mon Sep 17 00:00:00 2001 
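Review bot: `require_once "Auth.php"` is resolved through the include_path, so which file is loaded depends on path order, and the flip from `"models/Auth.php"` to `"Auth.php"` between PATCH 1 and PATCH 2 suggests the web and test environments already disagree on that path. The two requires just below use `__DIR__`, so `require_once __DIR__.'/models/Auth.php';` would load the same file in both contexts without depending on include_path.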
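Review bot: With the new empty-string fallbacks, every caller that runs without `SERVER_NAME` or `REMOTE_ADDR` (CLI, unit tests) lands in the single namespace `'Airtime' . GetClientId()`, which is what the tests need but is not stated in the doc comment just above the hunk; suggest adding `* Outside an HTTP request (CLI, tests) the hostname and address parts are empty, so all such callers share one namespace.` The `$auth` parameter is still untyped although the docblock says it is a `Zend_Auth`; `public static function pinSessionToClient(Zend_Auth $auth)` would make a wrong argument fail early. The docblock of pinSessionToClient starts outside the hunk.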
From: localizer Date: Wed, 2 Jul 2014 12:02:12 +0000 Subject: [PATCH 3/3] updated translation resources --- airtime_mvc/locale/az/LC_MESSAGES/airtime.mo | Bin 474 -> 474 bytes airtime_mvc/locale/az/LC_MESSAGES/airtime.po | 2 +- .../locale/de_AT/LC_MESSAGES/airtime.mo | Bin 67790 -> 67790 bytes .../locale/de_AT/LC_MESSAGES/airtime.po | 2 +- .../locale/en_GB/LC_MESSAGES/airtime.mo | Bin 62402 -> 62402 bytes .../locale/en_GB/LC_MESSAGES/airtime.po | 2 +- airtime_mvc/locale/hy/LC_MESSAGES/airtime.mo | Bin 471 -> 471 bytes airtime_mvc/locale/hy/LC_MESSAGES/airtime.po | 2 +- airtime_mvc/locale/ka/LC_MESSAGES/airtime.mo | Bin 464 -> 464 bytes airtime_mvc/locale/ka/LC_MESSAGES/airtime.po | 2 +- .../locale/pt_BR/LC_MESSAGES/airtime.mo | Bin 61980 -> 61980 bytes .../locale/pt_BR/LC_MESSAGES/airtime.po | 2 +- 12 files changed, 6 insertions(+), 6 deletions(-) diff --git a/airtime_mvc/locale/az/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/az/LC_MESSAGES/airtime.mo index 8b114640cc68cfaeaa0f8cca059e6102e078f74d..7ea37474f741b47dbc2f2a95243b8e46b4577666 100644 GIT binary patch delta 21 ccmcb`e2aO)S}t>410w}PBP#>LjoXzO0ZyU@asU7T delta 21 ccmcb`e2aO)S}rqPLlXr<6DtFQjoXzO0ZzdNbpQYW diff --git a/airtime_mvc/locale/az/LC_MESSAGES/airtime.po b/airtime_mvc/locale/az/LC_MESSAGES/airtime.po index b53dce118..f37138f82 100644 --- a/airtime_mvc/locale/az/LC_MESSAGES/airtime.po +++ b/airtime_mvc/locale/az/LC_MESSAGES/airtime.po @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: Airtime\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-12-13 12:58-0500\n" -"PO-Revision-Date: 2014-06-14 14:00+0000\n" +"PO-Revision-Date: 2014-07-02 12:01+0000\n" "Last-Translator: Daniel James \n" "Language-Team: Azerbaijani (http://www.transifex.com/projects/p/airtime/language/az/)\n" "MIME-Version: 1.0\n" 
diff --git a/airtime_mvc/locale/de_AT/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/de_AT/LC_MESSAGES/airtime.mo index 26d7f134785282a60c6b5686806189c6d4c31483..221ba9b4e7708678d9c79460c4aba5d442382177 100644 GIT binary patch delta 24 gcmX>%k>%V(mJJiPx# delta 24 gcmX>%k>%V(mJJi\n" "Language-Team: German (Austria) (http://www.transifex.com/projects/p/airtime/language/de_AT/)\n" "MIME-Version: 1.0\n" diff --git a/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.mo index 30f46f726ff3f5709b3ba9137741e6af0bfcb23e..a51c6018b8cbf9089948c6aad8caeaf535ce61fd 100644 GIT binary patch delta 24 gcmX@~ocYjm<_#0)aGL8H7%3PUSs84eHAf>H0D}|>S^xk5 delta 24 gcmX@~ocYjm<_#0)aGL2F87mkXSs8DhHAf>H0E0UTUjP6A diff --git a/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.po b/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.po index bdb700c7f..a826f1ce5 100644 --- a/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.po +++ b/airtime_mvc/locale/en_GB/LC_MESSAGES/airtime.po @@ -11,7 +11,7 @@ msgstr "" "Project-Id-Version: Airtime\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-12-13 12:58-0500\n" -"PO-Revision-Date: 2014-06-23 12:31+0000\n" +"PO-Revision-Date: 2014-07-02 12:01+0000\n" "Last-Translator: Andrey Podshivalov\n" "Language-Team: English (United Kingdom) (http://www.transifex.com/projects/p/airtime/language/en_GB/)\n" "MIME-Version: 1.0\n" diff --git a/airtime_mvc/locale/hy/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/hy/LC_MESSAGES/airtime.mo index 62c3ca8fac4fa6b1d729b3df25d5b7d838526509..001dae0b93df9ec9c20ab1d1f92b8219a3e0fb39 100644 GIT binary patch delta 19 acmcc4e4Tm1dJZE~1w&IS1H+Bm6&L|SGzJX- delta 19 acmcc4e4Tm1dJaPa1tTLX1A~p*6&L|R-39~z diff --git a/airtime_mvc/locale/hy/LC_MESSAGES/airtime.po b/airtime_mvc/locale/hy/LC_MESSAGES/airtime.po index efb388027..17f62d28c 100644 --- a/airtime_mvc/locale/hy/LC_MESSAGES/airtime.po +++ b/airtime_mvc/locale/hy/LC_MESSAGES/airtime.po 
@@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: Airtime\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-12-13 12:58-0500\n" -"PO-Revision-Date: 2014-06-10 22:00+0000\n" +"PO-Revision-Date: 2014-06-25 15:01+0000\n" "Last-Translator: Daniel James \n" "Language-Team: Armenian (http://www.transifex.com/projects/p/airtime/language/hy/)\n" "MIME-Version: 1.0\n" diff --git a/airtime_mvc/locale/ka/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/ka/LC_MESSAGES/airtime.mo index be7d0012ad0edcb76da366652cecb54ae4c0a811..baa86c18702be9a04dabaaf5fe786d72c678405b 100644 GIT binary patch delta 21 ccmcb>e1UnwS}t>410w}PBP#>LjoT#|0Zje|Q~&?~ delta 21 ccmcb>e1UnwS}rqP15*V\n" "Language-Team: Georgian (http://www.transifex.com/projects/p/airtime/language/ka/)\n" "MIME-Version: 1.0\n" diff --git a/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.mo b/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.mo index 00735f424c766bd7fa9b908775549304bff0929e..32e0474d40d78963648ac22dce5c20301e2c9a44 100644 GIT binary patch delta 24 gcmbR9gn7;r<_#w%aGL8H7%3PUSs84;IKev+0Dsg8ivR!s delta 24 gcmbR9gn7;r<_#w%aGL2F87mkXSs8D>IKev+0Dt=lkN^Mx diff --git a/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.po b/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.po index f6c04739e..84929b0b1 100644 --- a/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.po +++ b/airtime_mvc/locale/pt_BR/LC_MESSAGES/airtime.po @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: Airtime\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2013-12-13 12:58-0500\n" -"PO-Revision-Date: 2014-06-23 12:31+0000\n" +"PO-Revision-Date: 2014-07-02 12:01+0000\n" "Last-Translator: Andrey Podshivalov\n" "Language-Team: Portuguese (Brazil) (http://www.transifex.com/projects/p/airtime/language/pt_BR/)\n" "MIME-Version: 1.0\n"