
Adding session renewal upon login/logout.

This helps improve session security, as it reduces the opportunity
to successfully replay a session id.
Fixes #836
1 parent 50a0a51 commit b1dad6e5bd1e03ab34fd0ff2b05c23971b9a9440 @markstory markstory committed Sep 25, 2011
@@ -491,7 +491,8 @@ public function mapActions($map = array()) {
/**
* Log a user in. If a $user is provided that data will be stored as the logged in user. If `$user` is empty or not
* specified, the request will be used to identify a user. If the identification was successful,
- * the user record is written to the session key specified in AuthComponent::$sessionKey.
+ * the user record is written to the session key specified in AuthComponent::$sessionKey. Logging in
+ * will also change the session id in order to help mitigate session replays.
*
* @param mixed $user Either an array of user data, or null to identify a user using the current request.
* @return boolean True on login success, false on failure
@@ -504,6 +505,7 @@ public function login($user = null) {
$user = $this->identify($this->request, $this->response);
}
if ($user) {
+ $this->Session->renew();
$this->Session->write(self::$sessionKey, $user);
}
return $this->loggedIn();
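Review bot: The ordering on the added line matters and is not explained: `renew()` is called before the user record is written, so the pre-authentication session id never corresponds to a session that holds credentials, which is what makes the fixation/replay mitigation effective; a future reordering would silently weaken it. A one-line why-comment above the call would protect that, e.g. `// Regenerate the id before storing the user so the pre-login id never maps to an authenticated session.`. Whether the old id is also invalidated server-side depends on SessionComponent::renew(), which is not visible here and is worth confirming. login() begins outside this hunk.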
@@ -513,7 +515,8 @@ public function login($user = null) {
* Logs a user out, and returns the login action to redirect to.
* Triggers the logout() method of all the authenticate objects, so they can perform
* custom logout logic. AuthComponent will remove the session data, so
- * there is no need to do that in an authentication object.
+ * there is no need to do that in an authentication object. Logging out
+ * will also renew the session id. This helps mitigate issues with session replays.
*
* @return string AuthComponent::$logoutRedirect
* @see AuthComponent::$logoutRedirect
@@ -530,6 +533,7 @@ public function logout() {
}
$this->Session->delete(self::$sessionKey);
$this->Session->delete('Auth.redirect');
+ $this->Session->renew();
return Router::normalize($this->logoutRedirect);
}
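Review bot: The added `renew()` only changes the session id; any session data other than the two deleted keys survives under the new id, and the docblock does not say whether keeping that data (rather than calling `destroy()`) is intended. If it is deliberate, a short comment such as `// Only the id is regenerated; remaining session data is kept on purpose.` would stop a reader from "fixing" it later, and if it is not, `destroy()` may be the safer choice. The hunk also shows no guard for the case where no session is active, which presumably renew() handles itself but is not visible here. logout() begins outside this hunk.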
@@ -385,6 +385,8 @@ public function testLogin() {
'userModel' => 'AuthUser'
)
);
+ $this->Auth->Session = $this->getMock('SessionComponent', array('renew'), array(), '', false);
+
$mocks = $this->Auth->constructAuthenticate();
$this->mockObjects[] = $mocks[0];
@@ -405,6 +407,9 @@ public function testLogin() {
->with($this->Auth->request)
->will($this->returnValue($user));
+ $this->Auth->Session->expects($this->once())
+ ->method('renew');
+
$result = $this->Auth->login();
$this->assertTrue($result);
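Review bot: The new expectation only covers login(); the `renew()` call added to logout() in this commit has no corresponding assertion in the test hunks shown, so a regression there would go unnoticed unless a logout test exists elsewhere. A mirror of this setup in the logout test would close that gap: assign the same partial mock to `$this->Auth->Session`, add `$this->Auth->Session->expects($this->once())->method('renew');` and then call `$this->Auth->logout();`. Note that only `renew` is stubbed on the mock, so `write()` and `delete()` run the real SessionComponent code with its constructor skipped, which is fine today but worth a comment on the mock line. testLogin() continues outside this hunk.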

