Session pinning fix

Albert Santoni · Albert Santoni · commit 9d1e4e023726 · 2014-07-15T08:57:17.000-04:00
diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php
@@ -14,8 +14,10 @@
 require_once "OsPath.php";
 require_once "Database.php";
 require_once "Timezone.php";
+require_once "Auth.php";
 require_once __DIR__.'/forms/helpers/ValidationTypes.php';
 require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
+ 
 
 require_once (APPLICATION_PATH."/logging/Logging.php");
 Logging::setLogPath('/var/log/airtime/zendphp.log');
@@ -25,6 +27,8 @@
 
 Zend_Validate::setDefaultNamespaces("Zend");
 
+Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
+
 $front = Zend_Controller_Front::getInstance();
 $front->registerPlugin(new RabbitMqPlugin());
 
diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
@@ -14,9 +14,10 @@ public function indexAction()
         $request = $this->getRequest();
         
         Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
-        if (Zend_Auth::getInstance()->hasIdentity())
+        $auth = Zend_Auth::getInstance();
+        
+        if ($auth->hasIdentity())
         {
-
             $this->_redirect('Showbuilder');
         }
 
@@ -52,8 +53,7 @@ public function indexAction()
                     //pass to the adapter the submitted username and password
                     $authAdapter->setIdentity($username)
                                 ->setCredential($password);
-
-                    $auth = Zend_Auth::getInstance();
+                    
                     $result = $auth->authenticate($authAdapter);
                     if ($result->isValid()) {
                         //all info about this user from the login table omit only the password
@@ -66,14 +66,12 @@ public function indexAction()
                         Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']);
                         Application_Model_Subjects::resetLoginAttempts($username);
 
-                        $tempSess = new Zend_Session_Namespace("referrer");
-                        $tempSess->referrer = 'login';
-                        
                         //set the user locale in case user changed it in when logging in
                         Application_Model_Preference::SetUserLocale($locale);
 
                         $this->_redirect('Showbuilder');
                     } else {
+
                         $message = _("Wrong username or password provided. Please try again.");
                         Application_Model_Subjects::increaseLoginAttempts($username);
                         Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
@@ -96,7 +94,8 @@ public function indexAction()
 
     public function logoutAction()
     {
-        Zend_Auth::getInstance()->clearIdentity();
+        $auth = Zend_Auth::getInstance();
+        $auth->clearIdentity();
         $this->_redirect('showbuilder/index');
     }
 
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -109,9 +109,9 @@ public function getErrorPage()
     public function preDispatch(Zend_Controller_Request_Abstract $request)
     {
         $controller = strtolower($request->getControllerName());
+        Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
 
         if (in_array($controller, array("api", "auth", "locale"))) {
-
             $this->setRoleName("G");
         } elseif (!Zend_Auth::getInstance()->hasIdentity()) {
 
diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php
@@ -101,4 +101,18 @@ final public function generateRandomString($length = 12, $allowed_chars = 'abcde
 
         return $string;
     }
+    
+    /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
+     *  different copies of Airtime on the same webserver. This essentially pins this session to:
+     *   - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
+     *   - The remote IP of the browser - to help prevent session hijacking
+     *   - The client ID - same reason as server hostname
+     * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
+     */
+    public static function pinSessionToClient($auth)
+    {
+        $serverName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : "";
+        $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
+        $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $serverName . $remoteAddr . Application_Model_Preference::GetClientId()));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -109,9 +109,9 @@ public function getErrorPage()`
`109`	`109`	`public function preDispatch(Zend_Controller_Request_Abstract $request)`
`110`	`110`	`{`
`111`	`111`	`$controller = strtolower($request->getControllerName());`
	`112`	`+ Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());`
`112`	`113`
`113`	`114`	`if (in_array($controller, array("api", "auth", "locale"))) {`
`114`		`-`
`115`	`115`	`$this->setRoleName("G");`
`116`	`116`	`} elseif (!Zend_Auth::getInstance()->hasIdentity()) {`
`117`	`117`