From: Andreas Gohr Date: Tue, 24 Jan 2006 13:26:14 +0000 (+0100) Subject: changed session hijack test X-Git-Tag: 0.7.1~96 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3e225512d6ed1cf3d04570242af51fc5e731205e;p=contagged changed session hijack test darcs-hash:20060124132614-6e07b-8c8422d0bdb990667df0e0181fb0d526e9d41378.gz --- diff --git a/functions.php b/functions.php index 4ccaae5..74170a0 100644 --- a/functions.php +++ b/functions.php @@ -16,10 +16,10 @@ function ldap_login(){ global $conf; if(!empty($_SESSION['ldapab']['username'])){ // existing session! Check if valid - if($_COOKIE['ldapabconid'] != $_SESSION['ldapab']['conid']){ + if($_SESSION['ldapab']['browserid'] != auth_browseruid()){ //session hijacking detected - header('Location: login.php?username='); - exit; + header('Location: login.php?username='); + exit; } } elseif ($conf['httpd_auth'] && !empty($_SERVER['PHP_AUTH_USER'])) { // use HTTP auth if wanted and possible @@ -92,6 +92,28 @@ function do_ldap_bind($user,$pass,$dn=""){ return false; } +/** + * Builds a pseudo UID from browser and IP data + * + * This is neither unique nor unfakable - still it adds some + * security. Using the first part of the IP makes sure + * proxy farms like AOLs are stil okay. + * + * @author Andreas Gohr + * + * @return string a MD5 sum of various browser headers + */ +function auth_browseruid(){ + $uid = ''; + $uid .= $_SERVER['HTTP_USER_AGENT']; + $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; + $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; + $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; + $uid .= substr($_SERVER['REMOTE_ADDR'],0,strpos($_SERVER['REMOTE_ADDR'],'.')); + return md5($uid); +} + + /** * saves user data to Session and cookies */ @@ -99,11 +121,10 @@ function set_session($user,$pass,$dn){ global $conf; $rand = rand(); - $_SESSION[ldapab][username]=$user; - $_SESSION[ldapab][binddn] =$dn; - $_SESSION[ldapab][password]=$pass; - $_SESSION[ldapab][conid] =$rand; - setcookie('ldapabconid',$rand,time()+60*60*24); + $_SESSION[ldapab][username] = $user; + $_SESSION[ldapab][binddn] = $dn; + $_SESSION[ldapab][password] = $pass; + $_SESSION[ldapab][browserid] = auth_browseruid(); // (re)set the persistant auth cookie if($user == ''){