Added code to help prevent session hijacking.

Affects issue #9713. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5707 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Oct 21, 2008 · 49cc459 · 49cc459
1 parent 564a458
commit 49cc459
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/core/constant_inc.php b/core/constant_inc.php
@@ -345,6 +345,7 @@
 # ERROR_SESSION_*
 define( 'ERROR_SESSION_HANDLER_INVALID', 2700 );
 define( 'ERROR_SESSION_VAR_NOT_FOUND', 2701 );
+define( 'ERROR_SESSION_NOT_VALID', 2702 );
 
 # ERROR_FORM_*
 define( 'ERROR_FORM_TOKEN_INVALID', 2800 );

diff --git a/core/session_api.php b/core/session_api.php
@@ -105,6 +105,7 @@ function destroy() {
 
 /**
  * Initialize the appropriate session handler.
+ * @param string Session ID
  */
 function session_init( $p_session_id=null ) {
 	global $g_session, $g_session_handler;
@@ -124,6 +125,39 @@ function session_init( $p_session_id=null ) {
 			trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR );
 			break;
 	}
+
+	session_validate( $g_session );
+}
+
+/**
+ * Validate the legitimacy of a session.
+ * Checks may include last-known IP address, or more.
+ * Triggers an error when the session is invalid.
+ * @param object Session object
+ */
+function session_validate( $p_session ) {
+	$t_user_ip = '';
+	if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
+		$t_user_ip = trim( $_SERVER['REMOTE_ADDR'] );
+	}
+
+	if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) {
+		# First session usage
+		$p_session->set( 'last_ip', $t_user_ip );
+
+	} else {
+		# Check a continued session request
+		if ( $t_user_ip != $t_last_ip ) {
+			session_clean();
+
+			trigger_error( ERROR_SESSION_NOT_VALID, WARNING );
+
+			$t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
+			echo "\t<meta http-equiv=\"Refresh\" content=\"4;URL=$t_url\" />\n";
+
+			die();
+		}
+	}
 }
 
 /**

diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -317,6 +317,7 @@ $MANTIS_ERROR[ERROR_COLUMNS_DUPLICATE] = 'Field "%s" contains duplicate column "
 $MANTIS_ERROR[ERROR_COLUMNS_INVALID] = 'Field "%s" contains invalid field "%s".';
 $MANTIS_ERROR[ERROR_SESSION_HANDLER_INVALID] = 'Invalid session handler.';
 $MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable "%s" not found.';
+$MANTIS_ERROR[ERROR_SESSION_NOT_VALID] = 'Your session has become invalidated.';
 $MANTIS_ERROR[ERROR_FORM_TOKEN_INVALID] = 'Invalid form security token.  Did you submit the form twice by accident?';
 $MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.';
 $MANTIS_ERROR[ERROR_INVALID_SORT_FIELD] = 'Invalid sort field.';