From 3e225512d6ed1cf3d04570242af51fc5e731205e Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 24 Jan 2006 14:26:14 +0100
Subject: [PATCH] changed session hijack test
darcs-hash:20060124132614-6e07b-8c8422d0bdb990667df0e0181fb0d526e9d41378.gz
---
functions.php | 37 +++++++++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/functions.php b/functions.php
index 4ccaae5..74170a0 100644
--- a/functions.php
+++ b/functions.php
@@ -16,10 +16,10 @@ function ldap_login(){
 global $conf;
 if(!empty($_SESSION['ldapab']['username'])){
 // existing session! Check if valid
- if($_COOKIE['ldapabconid'] != $_SESSION['ldapab']['conid']){
+ if($_SESSION['ldapab']['browserid'] != auth_browseruid()){
 //session hijacking detected
- header('Location: login.php?username=');
- exit;
+ header('Location: login.php?username=');
+ exit;
 }
 } elseif ($conf['httpd_auth'] && !empty($_SERVER['PHP_AUTH_USER'])) {
 // use HTTP auth if wanted and possible
@@ -92,6 +92,28 @@ function do_ldap_bind($user,$pass,$dn=""){
 return false;
 }
+/**
+ * Builds a pseudo UID from browser and IP data
+ *
+ * This is neither unique nor unfakable - still it adds some
+ * security. Using the first part of the IP makes sure
+ * proxy farms like AOLs are stil okay.
+ *
+ * @author Andreas Gohr
+ *
+ * @return string a MD5 sum of various browser headers
+ */
+function auth_browseruid(){
+ $uid = '';
+ $uid .= $_SERVER['HTTP_USER_AGENT'];
+ $uid .= $_SERVER['HTTP_ACCEPT_ENCODING'];
+ $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
+ $uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
+ $uid .= substr($_SERVER['REMOTE_ADDR'],0,strpos($_SERVER['REMOTE_ADDR'],'.'));
+ return md5($uid);
+}
+ + /** + * saves user data to Session and cookies + */
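Review bot: On a detected mismatch the new `if($_SESSION['ldapab']['browserid'] != auth_browseruid())` branch redirects to login.php but leaves `$_SESSION['ldapab']` — including the password that set_session stores there — intact, so the session that was just flagged as hijacked stays usable on the next request. Clear the authenticated state before redirecting, e.g. `unset($_SESSION['ldapab']);` (or `session_destroy();`) ahead of the `header(...)` call; `!==` is also preferable to `!=` here since both operands are strings. A session created before this change carries no `browserid` entry, so the comparison reads an undefined index and forces a re-login — acceptable, but an `isset()` guard would avoid the notice. ldap_login continues past the end of the hunk.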
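Review bot: auth_browseruid() reads five `$_SERVER` entries unconditionally, but `HTTP_ACCEPT_ENCODING`, `HTTP_ACCEPT_LANGUAGE` and `HTTP_ACCEPT_CHARSET` are optional request headers, so a client that omits one raises a notice and the fingerprint depends on undefined-index behaviour rather than on an explicit empty value; `strpos($_SERVER['REMOTE_ADDR'],'.')` likewise returns false for an address without a dot, which makes the `substr()` call contribute an empty string and silently drops the IP from the fingerprint. Guard each header read with isset() and handle the missing-dot case explicitly, as below. The docblock correctly says the value is neither unique nor unfakable, since every input except REMOTE_ADDR is chosen by the client; it would help the next maintainer to add that the check is a best-effort supplement to, not a replacement for, regenerating the session id at login.
```php
function auth_browseruid(){
    $uid = '';
    // a header the client did not send contributes an empty string instead of a notice
    foreach(array('HTTP_USER_AGENT','HTTP_ACCEPT_ENCODING',
                  'HTTP_ACCEPT_LANGUAGE','HTTP_ACCEPT_CHARSET') as $hdr){
        $uid .= isset($_SERVER[$hdr]) ? $_SERVER[$hdr] : '';
    }
    // keep only the part before the first dot; an address with no dot is used as-is
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $dot = strpos($ip,'.');
    $uid .= ($dot === false) ? $ip : substr($ip,0,$dot);
    return md5($uid);
}
```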
@@ -99,11 +121,10 @@ function set_session($user,$pass,$dn){
 global $conf;
 $rand = rand();
- $_SESSION[ldapab][username]=$user;
- $_SESSION[ldapab][binddn] =$dn;
- $_SESSION[ldapab][password]=$pass;
- $_SESSION[ldapab][conid] =$rand;
- setcookie('ldapabconid',$rand,time()+60*60*24);
+ $_SESSION[ldapab][username] = $user;
+ $_SESSION[ldapab][binddn] = $dn;
+ $_SESSION[ldapab][password] = $pass;
+ $_SESSION[ldapab][browserid] = auth_browseruid();
 // (re)set the persistant auth cookie
 if($user == ''){
-- 
2.39.5
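Review bot: `$rand = rand();` is left in set_session although its only consumers, the removed `conid` assignment and the `setcookie('ldapabconid', ...)` call, are gone in this hunk; drop the line. The array keys are written as bare words (`$_SESSION[ldapab][username]`) while the check in ldap_login uses quoted `$_SESSION['ldapab']['browserid']`; quoting them here keeps the two sites consistent and stops relying on the undefined-constant fallback, which newer PHP versions reject outright. Since the `browserid` fingerprint is built from client-supplied headers, the login path should also regenerate the session identifier, e.g. `session_regenerate_id();` before the `$_SESSION` assignments, so an id issued before authentication cannot be reused. set_session's body continues beyond the hunk.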