Public/pics
2
2
Fork 2
Code Issues 6 Pull Requests Releases Wiki Activity

Tackle session errors through UserFacingException.

Browse Source
This commit is contained in:
Aaron van Geffen 2016-09-02 11:49:17 +02:00
parent e1df4678ac
commit 29030eade6
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
models/Session.php
View File

@ -15,15 +15,17 @@ class Session
// Resuming an existing session? Check what we know! // Resuming an existing session? Check what we know!
if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent'])) if (isset($_SESSION['user_id'], $_SESSION['ip_address'], $_SESSION['user_agent']))
{ {
if (isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR']) // If we're not browsing over HTTPS, protect against session hijacking.
if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
{ {
$_SESSION = []; $_SESSION = [];
throw new NotAllowedException('Your session failed to validate: your IP address has changed. Please re-login and try again.'); throw new UserFacingException('Your session failed to validate: your IP address has changed. Please re-login and try again.');
} }
// Either way, require re-login if the browser identifier has changed.
elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT']) elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
{ {
$_SESSION = []; $_SESSION = [];
throw new NotAllowedException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.'); throw new UserFacingException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.');
} }
} }
elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent'])) elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))
@ -47,7 +49,7 @@ class Session
// First, check whether the submitted token and key match the ones in storage. // First, check whether the submitted token and key match the ones in storage.
if (($method === 'post' && (!isset($_POST[$_SESSION['session_token_key']]) || $_POST[$_SESSION['session_token_key']] !== $_SESSION['session_token'])) || if (($method === 'post' && (!isset($_POST[$_SESSION['session_token_key']]) || $_POST[$_SESSION['session_token_key']] !== $_SESSION['session_token'])) ||
($method === 'get' && (!isset($_GET[$_SESSION['session_token_key']]) || $_GET[$_SESSION['session_token_key']] !== $_SESSION['session_token']))) ($method === 'get' && (!isset($_GET[$_SESSION['session_token_key']]) || $_GET[$_SESSION['session_token_key']] !== $_SESSION['session_token'])))
trigger_error('Session failed to verify (' . $method . '). Please reload the page and try again.', E_USER_ERROR); throw new UserFacingException('Session failed to verify (' . $method . '). Please reload the page and try again.');
// Check the referring site, too -- should be the same site! // Check the referring site, too -- should be the same site!
$referring_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : ''; $referring_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : '';
@ -62,7 +64,7 @@ class Session
// The referring_host must match either the base_url_host or the current_host. // The referring_host must match either the base_url_host or the current_host.
if (strtolower($referring_host) !== strtolower($base_url_host) && strtolower($referring_host) !== strtolower($current_host)) if (strtolower($referring_host) !== strtolower($base_url_host) && strtolower($referring_host) !== strtolower($current_host))
trigger_error('Invalid referring URL. Please reload the page and try again.', E_USER_ERROR); throw new UserFacingException('Invalid referring URL. Please reload the page and try again.');
} }
// All looks good from here! But you can only use this token once, so... // All looks good from here! But you can only use this token once, so...