From 15013afa4072fa1a1024e5ac58c9a713f0451d09 Mon Sep 17 00:00:00 2001 From: Albert Santoni Date: Wed, 25 Jun 2014 11:15:14 -0400 Subject: [PATCH] Better session handling fix --- airtime_mvc/application/Bootstrap.php | 4 ++++ airtime_mvc/application/controllers/LoginController.php | 3 --- airtime_mvc/application/models/Auth.php | 7 +++++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php index 74c1cd69e..cc14d7026 100644 --- a/airtime_mvc/application/Bootstrap.php +++ b/airtime_mvc/application/Bootstrap.php @@ -14,8 +14,10 @@ require_once "DateHelper.php"; require_once "OsPath.php"; require_once "Database.php"; require_once "Timezone.php"; +require_once "models/Auth.php"; require_once __DIR__.'/forms/helpers/ValidationTypes.php'; require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php'; + require_once (APPLICATION_PATH."/logging/Logging.php"); Logging::setLogPath('/var/log/airtime/zendphp.log'); @@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php"; Zend_Validate::setDefaultNamespaces("Zend"); +Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance()); + $front = Zend_Controller_Front::getInstance(); $front->registerPlugin(new RabbitMqPlugin()); diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php index 4f462478d..84af7f954 100644 --- a/airtime_mvc/application/controllers/LoginController.php +++ b/airtime_mvc/application/controllers/LoginController.php @@ -15,7 +15,6 @@ class LoginController extends Zend_Controller_Action Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA')); $auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($auth); if ($auth->hasIdentity()) { @@ -96,7 +95,6 @@ class LoginController extends Zend_Controller_Action public function logoutAction() { $auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($auth); $auth->clearIdentity(); $this->_redirect('showbuilder/index'); } @@ -189,7 +187,6 @@ class LoginController extends Zend_Controller_Action $auth->invalidateTokens($user, 'password.restore'); $zend_auth = Zend_Auth::getInstance(); - Application_Model_Auth::pinSessionToClient($zend_auth); $zend_auth->clearIdentity(); $authAdapter = Application_Model_Auth::getAuthAdapter(); diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php index 04aafff6b..b24f8c7d4 100644 --- a/airtime_mvc/application/models/Auth.php +++ b/airtime_mvc/application/models/Auth.php @@ -103,11 +103,14 @@ class Application_Model_Auth } /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between - * different copies of Airtime on the same webserver. This essentially pins this session to this hostname and client ID. + * different copies of Airtime on the same webserver. This essentially pins this session to: + * - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains + * - The remote IP of the browser - to help prevent session hijacking + * - The client ID - same reason as server hostname * @param Zend_Auth $auth Get this with Zend_Auth::getInstance(). */ public static function pinSessionToClient($auth) { - $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . Application_Model_Preference::GetClientId())); + $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $_SERVER['SERVER_NAME'] . $_SERVER['REMOTE_ADDR'] . Application_Model_Preference::GetClientId())); } }