From 29030eade66f2f5163e1c348f240349b5a3b989f Mon Sep 17 00:00:00 2001 From: Aaron van Geffen Date: Fri, 2 Sep 2016 11:49:17 +0200 Subject: [PATCH] Tackle session errors through UserFacingException. --- models/Session.php | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/models/Session.php b/models/Session.php index 13b38dcc..648439e0 100644 --- a/models/Session.php +++ b/models/Session.php @@ -15,15 +15,17 @@ class Session // Resuming an existing session? Check what we know! if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent'])) { - if (isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR']) + // If we're not browsing over HTTPS, protect against session hijacking. + if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR']) { $_SESSION = []; - throw new NotAllowedException('Your session failed to validate: your IP address has changed. Please re-login and try again.'); + throw new UserFacingException('Your session failed to validate: your IP address has changed. Please re-login and try again.'); } + // Either way, require re-login if the browser identifier has changed. elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) { $_SESSION = []; - throw new NotAllowedException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.'); + throw new UserFacingException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.'); } } elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent'])) @@ -47,7 +49,7 @@ class Session // First, check whether the submitted token and key match the ones in storage. if (($method === 'post' && (!isset($_POST[$_SESSION['session_token_key']]) || $_POST[$_SESSION['session_token_key']] !== $_SESSION['session_token'])) || ($method === 'get' && (!isset($_GET[$_SESSION['session_token_key']]) || $_GET[$_SESSION['session_token_key']] !== $_SESSION['session_token']))) - trigger_error('Session failed to verify (' . $method . '). Please reload the page and try again.', E_USER_ERROR); + throw new UserFacingException('Session failed to verify (' . $method . '). Please reload the page and try again.'); // Check the referring site, too -- should be the same site! $referring_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : ''; @@ -62,7 +64,7 @@ class Session // The referring_host must match either the base_url_host or the current_host. if (strtolower($referring_host) !== strtolower($base_url_host) && strtolower($referring_host) !== strtolower($current_host)) - trigger_error('Invalid referring URL. Please reload the page and try again.', E_USER_ERROR); + throw new UserFacingException('Invalid referring URL. Please reload the page and try again.'); } // All looks good from here! But you can only use this token once, so...