Added code to help prevent session hijacking.

Affects issue #9713. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5706 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mantisbt · Oct 21, 2008 · eb71dca · eb71dca
1 parent 32f440c
commit eb71dca
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/core/constant_inc.php b/core/constant_inc.php
@@ -327,6 +327,7 @@
 	# ERROR_SESSION_*
 	define ( 'ERROR_SESSION_HANDLER_INVALID', 2700);
 	define ( 'ERROR_SESSION_VAR_NOT_FOUND',   2701);
+	define ( 'ERROR_SESSION_NOT_VALID',	      2702);
 
 	# ERROR_FORM_*
 	define ( 'ERROR_FORM_TOKEN_INVALID',	2800 );
@@ -423,4 +424,3 @@
 	define( 'SPONSORSHIP_REQUESTED',      1 );
 	define( 'SPONSORSHIP_PAID',           2 );
 
-?>
diff --git a/core/session_api.php b/core/session_api.php
@@ -107,6 +107,7 @@ function destroy() {
 
 /**
  * Initialize the appropriate session handler.
+ * @param string Session ID
  */
 function session_init( $p_session_id=null ) {
 	global $g_session, $g_session_handler;
@@ -124,6 +125,39 @@ function session_init( $p_session_id=null ) {
 			trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR );
 			break;
 	}
+
+	session_validate( $g_session );
+}
+
+/**
+ * Validate the legitimacy of a session.
+ * Checks may include last-known IP address, or more.
+ * Triggers an error when the session is invalid.
+ * @param object Session object
+ */
+function session_validate( $p_session ) {
+	$t_user_ip = '';
+	if ( isset( $_SERVER['REMOTE_ADDR'] ) ) {
+		$t_user_ip = trim( $_SERVER['REMOTE_ADDR'] );
+	}
+
+	if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) {
+		# First session usage
+		$p_session->set( 'last_ip', $t_user_ip );
+
+	} else {
+		# Check a continued session request
+		if ( $t_user_ip != $t_last_ip ) {
+			session_clean();
+
+			trigger_error( ERROR_SESSION_NOT_VALID, WARNING );
+
+			$t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' );
+			echo "\t<meta http-equiv=\"Refresh\" content=\"4;URL=$t_url\" />\n";
+
+			die();
+		}
+	}
 }
 
 /**

diff --git a/lang/strings_english.txt b/lang/strings_english.txt
@@ -298,7 +298,8 @@ $MANTIS_ERROR[ERROR_TAG_NOT_ATTACHED] = 'That tag is not attached to that bug.';
 $MANTIS_ERROR[ERROR_TAG_ALREADY_ATTACHED] = 'That tag already attached to that bug.';
 $MANTIS_ERROR[ERROR_TOKEN_NOT_FOUND] = 'Token could not be found.';
 $MANTIS_ERROR[ERROR_SESSION_HANDLER_INVALID] = 'Invalid session handler.';
-$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable \'%s\' not found.';
+$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable "%s" not found.';
+$MANTIS_ERROR[ERROR_SESSION_NOT_VALID] = 'Your session has become invalidated.';
 $MANTIS_ERROR[ERROR_FORM_TOKEN_INVALID] = 'Invalid form security token.  Did you submit the form twice by accident?';
 $MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.';
 $MANTIS_ERROR[ERROR_INVALID_SORT_FIELD] = 'Invalid sort field.';