From 9c4280be80f1f0ad4011ca1ae4f05c89e7963bb9 Mon Sep 17 00:00:00 2001
From: Derek Allard <derek.allard@ellislab.com>
Date: Tue, 18 Mar 2008 00:01:52 +0000
Subject: added hashing to prevent client side data tampering to sessions

---
 system/libraries/Session.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'system/libraries/Session.php')

diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 2cdd50c23..afa43348e 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -196,7 +196,22 @@ class CI_Session {
 		{
 			$session = $this->CI->encrypt->decode($session);
 		}
+		else
+		{	
+			// encryption was not used, so we need to check the md5 hash
+			$hash = substr($session, strlen($session)-32); // get last 32 chars
+			$session = substr($session, 0, strlen($session)-32);
 
+			// Does the md5 hash match?  This is to prevent manipulation of session data
+			// in userspace
+			if ($hash !==  md5($session.$this->CI->config->item('encryption_key')))
+			{
+				log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.');
+				$this->sess_destroy();
+				return FALSE;
+			}
+		}
+		
 		$session = @unserialize($this->strip_slashes($session));
 		
 		if ( ! is_array($session) OR ! isset($session['last_activity']))
@@ -284,6 +299,11 @@ class CI_Session {
 		{
 			$cookie_data = $this->CI->encrypt->encode($cookie_data);
 		}
+		else
+		{
+			// if encryption is not used, we provide an md5 hash to prevent userside tampering
+			$cookie_data = $cookie_data . md5($cookie_data.$this->CI->config->item('encryption_key'));
+		}
 
 		setcookie(
 					$this->sess_cookie,
-- 
cgit v1.2.3-24-g4f1b