From 02117680c8a3a4c7da2b10e25fc6c29fd5fa9bd2 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 15 Oct 2012 11:12:37 +0300 Subject: Partially fix #1702 --- system/libraries/Session/drivers/Session_cookie.php | 2 +- system/libraries/Session/drivers/Session_native.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index fb62c7ec4..5bb1f7aa6 100755 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -405,7 +405,7 @@ class CI_Session_cookie extends CI_Session_driver { } // Is the session current? - if (($session['last_activity'] + $this->sess_expiration) < $this->now) + if (($session['last_activity'] + $this->sess_expiration) < $this->now OR $session['last_activity'] > $this->now) { $this->sess_destroy(); return FALSE; diff --git a/system/libraries/Session/drivers/Session_native.php b/system/libraries/Session/drivers/Session_native.php index 8d5e51546..6529d4c36 100755 --- a/system/libraries/Session/drivers/Session_native.php +++ b/system/libraries/Session/drivers/Session_native.php @@ -107,7 +107,7 @@ class CI_Session_native extends CI_Session_driver { // Check session expiration, ip, and agent $now = time(); $destroy = FALSE; - if (isset($_SESSION['last_activity']) && ($_SESSION['last_activity'] + $expire) < $now) + if (isset($_SESSION['last_activity']) && (($_SESSION['last_activity'] + $expire) < $now OR $_SESSION['last_activity'] > $now)) { // Expired - destroy $destroy = TRUE; -- cgit v1.2.3-24-g4f1b From 19cd88799f27bef8d502250c86eddcd72789bdb3 Mon Sep 17 00:00:00 2001 From: GDmac Date: Tue, 16 Oct 2012 14:19:57 +0200 Subject: Session Native, respect cookie settings Respect config settings for cookie_secure and cookie_httponly Signed-off-by: GDmac --- .../libraries/Session/drivers/Session_native.php | 24 +++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_native.php b/system/libraries/Session/drivers/Session_native.php index 6529d4c36..d7b9e8410 100755 --- a/system/libraries/Session/drivers/Session_native.php +++ b/system/libraries/Session/drivers/Session_native.php @@ -55,7 +55,9 @@ class CI_Session_native extends CI_Session_driver { 'sess_time_to_update', 'cookie_prefix', 'cookie_path', - 'cookie_domain' + 'cookie_domain', + 'cookie_secure', + 'cookie_httponly' ); foreach ($prefs as $key) @@ -82,6 +84,9 @@ class CI_Session_native extends CI_Session_driver { $expire = 7200; $path = '/'; $domain = ''; + $secure = FALSE; + $http_only = FALSE; + if ($config['sess_expiration'] !== FALSE) { // Default to 2 years if expiration is "0" @@ -99,7 +104,20 @@ class CI_Session_native extends CI_Session_driver { // Use specified domain $domain = $config['cookie_domain']; } - session_set_cookie_params($config['sess_expire_on_close'] ? 0 : $expire, $path, $domain); + + if ($config['cookie_secure']) + { + // Send over SSL / HTTPS only? + $secure = $config['cookie_secure']; + } + + if ($config['cookie_httponly']) + { + // only available to HTTP(S)? + $http_only = $config['http_only']; + } + + session_set_cookie_params($config['sess_expire_on_close'] ? 0 : $expire, $path, $domain, $secure, $http_only); // Start session session_start(); @@ -189,7 +207,7 @@ class CI_Session_native extends CI_Session_driver { { // Clear session cookie $params = session_get_cookie_params(); - setcookie($name, '', time() - 42000, $params['path'], $params['domain']); + setcookie($name, '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']); unset($_COOKIE[$name]); } session_destroy(); -- cgit v1.2.3-24-g4f1b From 28616da32bcf72f37c0e61e304a1799b90ceec3f Mon Sep 17 00:00:00 2001 From: GDmac Date: Tue, 16 Oct 2012 15:01:14 +0200 Subject: Native PHP Session, don't regenerate session_id during ajax Signed-off-by: GDmac --- system/libraries/Session/drivers/Session_native.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_native.php b/system/libraries/Session/drivers/Session_native.php index d7b9e8410..fb3b638a0 100755 --- a/system/libraries/Session/drivers/Session_native.php +++ b/system/libraries/Session/drivers/Session_native.php @@ -155,8 +155,12 @@ class CI_Session_native extends CI_Session_driver { if ($config['sess_time_to_update'] && isset($_SESSION['last_activity']) && ($_SESSION['last_activity'] + $config['sess_time_to_update']) < $now) { - // Regenerate ID, but don't destroy session - $this->sess_regenerate(FALSE); + // Changing the session ID amidst a series of AJAX calls causes problems + if( ! $this->CI->input->is_ajax_request()) + { + // Regenerate ID, but don't destroy session + $this->sess_regenerate(FALSE); + } } // Set activity time -- cgit v1.2.3-24-g4f1b From f69f0e8f02815d44e218b013c8da92cebabbdcb1 Mon Sep 17 00:00:00 2001 From: Pascal Kriete Date: Tue, 16 Oct 2012 11:54:49 -0400 Subject: Updating the cookie driver to use HMAC authentication on all cookie data. Signed-off-by: Pascal Kriete --- .../libraries/Session/drivers/Session_cookie.php | 45 +++++++++++++--------- 1 file changed, 26 insertions(+), 19 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index 5bb1f7aa6..b44c8330e 100755 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -372,27 +372,31 @@ class CI_Session_cookie extends CI_Session_driver { return FALSE; } + $len = strlen($session) - 40; + + if ($len < 0) + { + log_message('debug', 'The session cookie was not signed.'); + return FALSE; + } + + // Check cookie authentication + $hmac = substr($session, $len); + $session = substr($session, 0, $len); + + if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key)) + { + log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.'); + $this->sess_destroy(); + return FALSE; + } + // Check for encryption if ($this->sess_encrypt_cookie === TRUE) { // Decrypt the cookie data $session = $this->CI->encrypt->decode($session); } - else - { - // Encryption was not used, so we need to check the md5 hash in the last 32 chars - $len = strlen($session)-32; - $hash = substr($session, $len); - $session = substr($session, 0, $len); - - // Does the md5 hash match? This is to prevent manipulation of session data in userspace - if ($hash !== md5($session.$this->encryption_key)) - { - log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.'); - $this->sess_destroy(); - return FALSE; - } - } // Unserialize the session array $session = $this->_unserialize($session); @@ -658,10 +662,13 @@ class CI_Session_cookie extends CI_Session_driver { // Serialize the userdata for the cookie $cookie_data = $this->_serialize($cookie_data); - $cookie_data = ($this->sess_encrypt_cookie === TRUE) - ? $this->CI->encrypt->encode($cookie_data) - // if encryption is not used, we provide an md5 hash to prevent userside tampering - : $cookie_data.md5($cookie_data.$this->encryption_key); + if ($this->sess_encrypt_cookie === TRUE) + { + $this->CI->encrypt->encode($cookie_data); + } + + // Require message authentication + $cookie_data .= hash_hmac('sha1', $cookie_data, $this->encryption_key); $expire = ($this->sess_expire_on_close === TRUE) ? 0 : $this->sess_expiration + time(); -- cgit v1.2.3-24-g4f1b From ff5ffdf7fa3b458510a95788ac3baa6fba3178cc Mon Sep 17 00:00:00 2001 From: GDmac Date: Tue, 16 Oct 2012 19:22:12 +0200 Subject: session native, fix cookie settings Signed-off-by: GDmac --- system/libraries/Session/drivers/Session_native.php | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_native.php b/system/libraries/Session/drivers/Session_native.php index fb3b638a0..da744f39b 100755 --- a/system/libraries/Session/drivers/Session_native.php +++ b/system/libraries/Session/drivers/Session_native.php @@ -84,8 +84,8 @@ class CI_Session_native extends CI_Session_driver { $expire = 7200; $path = '/'; $domain = ''; - $secure = FALSE; - $http_only = FALSE; + $secure = (bool) $config['cookie_secure']; + $http_only = (bool) $config['cookie_httponly']; if ($config['sess_expiration'] !== FALSE) { @@ -105,18 +105,6 @@ class CI_Session_native extends CI_Session_driver { $domain = $config['cookie_domain']; } - if ($config['cookie_secure']) - { - // Send over SSL / HTTPS only? - $secure = $config['cookie_secure']; - } - - if ($config['cookie_httponly']) - { - // only available to HTTP(S)? - $http_only = $config['http_only']; - } - session_set_cookie_params($config['sess_expire_on_close'] ? 0 : $expire, $path, $domain, $secure, $http_only); // Start session -- cgit v1.2.3-24-g4f1b From 28dc2023d32e1d997e2b90052f1960f98a255d2c Mon Sep 17 00:00:00 2001 From: Pascal Kriete Date: Wed, 17 Oct 2012 11:27:29 -0400 Subject: Changing session error logging verbiage to be a little less unsettling. Signed-off-by: Pascal Kriete --- system/libraries/Session/drivers/Session_cookie.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index b44c8330e..51d94da4e 100755 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -386,7 +386,7 @@ class CI_Session_cookie extends CI_Session_driver { if ($hmac !== hash_hmac('sha1', $session, $this->encryption_key)) { - log_message('error', 'The session cookie data did not match what was expected. This could be a possible hacking attempt.'); + log_message('error', 'The session cookie data did not match what was expected.'); $this->sess_destroy(); return FALSE; } -- cgit v1.2.3-24-g4f1b From cf264e0d165647f30efdef1b2d944849bebf4c72 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 18 Oct 2012 16:14:51 +0300 Subject: Fix Session cookies not being encrypted on creation and sess_destroy() not actually deleting cookies --- system/libraries/Session/drivers/Session_cookie.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/libraries/Session/drivers') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index 51d94da4e..8617aec2d 100755 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -308,7 +308,7 @@ class CI_Session_cookie extends CI_Session_driver { } // Kill the cookie - $this->_setcookie($this->sess_cookie_name, addslashes(serialize(array())), ($this->now - 31500000), + $this->_setcookie($this->sess_cookie_name, '', ($this->now - 31500000), $this->cookie_path, $this->cookie_domain, 0); // Kill session data @@ -664,7 +664,7 @@ class CI_Session_cookie extends CI_Session_driver { if ($this->sess_encrypt_cookie === TRUE) { - $this->CI->encrypt->encode($cookie_data); + $cookie_data = $this->CI->encrypt->encode($cookie_data); } // Require message authentication -- cgit v1.2.3-24-g4f1b