
Request #4126 Auth AdvancedSecurity patch
Submitted: 2005-04-12 10:25 UTC
From: makler
Assigned: aashley
Status: Closed
Package: Auth
PHP Version: Irrelevant
OS: Any
Roadmaps: (Not assigned)


 [2005-04-12 10:25 UTC] makler
Description:
------------
I enclose a few-line patch for two files, Auth.php and Auth/Frontend/Html.php, that makes advancedSecurity even more secure than now (expired session cookies, X-Forwarded-For: check, session cookies limited to the specified directory). I have been using these checks for a few years now:

- a new variable $_authcookieDir would set the directory for the session cookie
- a new check for X-Forwarded-For: HTTP header changes - a session is closed if someone from a different IP tries to hijack a login session using the same web proxy IP. (Web proxies often add an X-Forwarded-For: header with the client's original IP.)
- the session cookie would expire from the user's browser after the 'idle' time. Up to now the session cookie would not expire until the browser is closed.

The patch checks what the time difference (timeshift) is between the client computer and the server (since sometimes the 'idle' time could be in the past from the client's point of view - when the client clock is shifted to the future). The timeshift is added to the idle time ($this->idle + $this->session['idle']).

With Set-Cookie2 this could be more secure, but IMHO PHP does not use Set-Cookie2 (?).

Reproduce code:
---------------
http://www.klaban.torun.pl/patches/pear/Auth-1.3.0r3-expiredcookie.diff.gz
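The three checks the report describes, written out as an added example for readers of this ticket. This is not code from the PEAR Auth package and not the submitter's patch (the linked diff is not reproduced here); the function names, the `COOKIE_DIR` value, the `xff` session key and the idea that the client's clock is reported at login (`$clientClock`) are this example's own assumptions. The functions take request and session arrays as arguments so they can be run from the CLI with constructed input.

```php
<?php
/*
 * Added example, not code from the PEAR Auth package or from the patch
 * attached to request #4126. Names and values below are assumptions.
 */

const IDLE_SECONDS = 600;              // the 'idle' limit the report refers to (assumed value)
const COOKIE_DIR   = '/app/private/';  // assumed value for $_authcookieDir

/**
 * Remember the X-Forwarded-For header seen at login and reject any later
 * request whose header differs. A session presented from the same proxy
 * IP but on behalf of another client is treated as hijacked; the caller
 * should then close the session.
 */
function checkForwardedFor(array &$session, array $server): bool
{
    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if (!array_key_exists('xff', $session)) {
        $session['xff'] = $xff;        // first request after login: record it
        return true;
    }
    return $session['xff'] === $xff;   // any change, including header disappearing, fails
}

/**
 * Absolute expiry timestamp for the session cookie: idle time counted from
 * the last request, shifted by the client/server clock difference so that
 * a client whose clock runs ahead does not receive an already-expired cookie.
 * $clientClock is the client's notion of "now" (assumed to be reported by
 * the login form); $serverNow is time() on the server.
 */
function idleCookieExpiry(int $lastRequest, int $idle, int $serverNow, int $clientClock): int
{
    $timeshift = $clientClock - $serverNow;   // positive when the client is ahead
    return $lastRequest + $idle + $timeshift;
}

/**
 * Emit the session cookie limited to COOKIE_DIR, expiring after the idle
 * period and flagged HttpOnly. Returns the arguments used so the call can
 * be inspected when run outside a web server.
 */
function emitSessionCookie(string $name, string $value, int $expires): array
{
    $args = array($name, $value, $expires, COOKIE_DIR, '', false, true);
    if (!headers_sent()) {
        setcookie($name, $value, $expires, COOKIE_DIR, '', false, true);
    }
    return $args;
}

// --- constructed demonstration (all values made up for this example) ---
$serverNow   = 1000000;            // time() on the server
$clientClock = 1000300;            // client clock reported at login, 300 s ahead
$session     = array('idle' => IDLE_SECONDS, 'last' => $serverNow);

$loginRequest  = array('HTTP_X_FORWARDED_FOR' => '10.0.0.5');   // proxied client
$hijackRequest = array('HTTP_X_FORWARDED_FOR' => '10.0.0.99');  // same proxy, other client

checkForwardedFor($session, $loginRequest);                     // records the header
$expires = idleCookieExpiry($session['last'], $session['idle'], $serverNow, $clientClock);
print_r(emitSessionCookie('PHPSESSID', 'constructed-session-id', $expires));

if (!checkForwardedFor($session, $hijackRequest)) {
    $session = array();                                          // close the session
    echo "X-Forwarded-For changed: session closed\n";
}
```

Run with `php example.php`; the first `print_r` shows the cookie arguments (path restricted to `COOKIE_DIR`, expiry equal to the last request time plus the idle limit plus the 300 s clock lead), and the second request, carrying a different X-Forwarded-For value behind the same proxy, empties the session as the report describes. Two caveats a deployer should keep in mind: X-Forwarded-For is client-supplied unless a trusted proxy overwrites it, so the check only adds value behind such a proxy, and, as the maintainer notes below, giving the cookie an expiry turns it from a session cookie into a stored one.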

Comments

 [2006-12-21 03:58 UTC] aashley at php dot net (Adam Ashley)
The X-FORWARDED-FOR stuff has been added to the 1.5.0 development tree. The Session timeout stuff is great in theory but doesn't work with the real world implementation of cookies. Setting a timeout changes the cookie from a session cookie to a stored cookie. Which means when the browser is closed the cookie is written to the disk and is still there on start up. Which kinda defeats the intended behaviour.