
new more secure sessions, based upon password checking

commit affb64996050a248b375dea9830a88ed96eb9811 1 parent 102d5d0
@rizen rizen authored
Showing with 17 additions and 1 deletion.
  1. +3 −0  CHANGES.txt
  2. +12 −0 lib/Wing/Session.pm
  3. +2 −1  lib/Wing/Web/Account.pm
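--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@ This file tracks the changes to Wing over time. Especially
 with respect to new features and compatibility changes.
 ==========================================================
+2013-10-30
+ * Changed session to compare the password hash stored in the session with the one stored in the database. This way all existing sessions will get logged out if the user changes their password.
+
 2013-09-25
 * Daemonized wingman.pl. You now need the Daemon::Control perl module. You can also add a "wingman/pid_file_path" directive to your config file if you want to control where the pid is stored.
 * Added --watch-only as a command line flag to wingman.pl so that you can specify a tube to watch other than the default tube. This is useful when you have different servers that you wish to handle different tubes.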
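--- a/lib/Wing/Session.pm
+++ b/lib/Wing/Session.pm
@@ -23,6 +23,7 @@ sub BUILD {
 my $self = shift;
 my $session_data = Wing->cache->get('session'.$self->id);
 if (defined $session_data && ref $session_data eq 'HASH') {
+ $self->password_hash($session_data->{password_hash});
 $self->user_id($session_data->{user_id});
 $self->extended($session_data->{extended});
 $self->ip_address($session_data->{ip_address});
@@ -59,6 +60,11 @@ has user_id => (
 },
 );
+has password_hash => (
+ is => 'rw',
+ predicate => 'has_password_hash',
+);
+
 has user => (
 is => 'rw',
 predicate => 'has_user',
@@ -104,10 +110,15 @@ sub check_permissions {
 sub extend {
 my $self = shift;
+ if ($self->password_hash ne $self->user->password) {
+ $self->end;
+ return;
+ }
 $self->extended( $self->extended + 1 );
 Wing->cache->set(
 'session'.$self->id,
 {
+ password_hash => $self->password_hash, # this hash is stored here so that if the user changes their password we can log out all existing sessions
 user_id => $self->user_id,
 extended => $self->extended,
 sso => $self->sso,
@@ -136,6 +147,7 @@ sub end {
 sub start {
 my ($self, $user, $options) = @_;
 $self->user_id($user->id);
+ $self->password_hash($user->password);
 $user->current_session($self);
 $self->user($user);
 $self->sso($options->{sso});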
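Review bot: The new guard in `extend` compares `$self->password_hash ne $self->user->password` without handling the undefined case: sessions cached before this commit carry no `password_hash` key, so `BUILD` sets the attribute to undef and the comparison emits an "uninitialized" warning (it still evaluates true and ends the session, which appears to be the intent), and since `user` has a `has_user` predicate, an unset `user` here would die on the method call rather than end the session. A single line covers both: `if (!$self->has_user || ($self->password_hash // '') ne $self->user->password) {`. Separately, this hunk now writes the password hash itself into the cache under `'session'.$self->id`, so a second copy of every active user's hash lives outside the database; a per-user password-change counter, or a digest of the hash, stored in the session instead would give the same "log out everything on password change" property without widening where the hash is kept. The `extend` body, and the `check_permissions`/`end` subs named in the hunk headers, continue outside the hunks.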
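--- a/lib/Wing/Web/Account.pm
+++ b/lib/Wing/Web/Account.pm
@@ -147,7 +147,7 @@ post '/account/apikey/:id' => sub {
 get '/account' => sub {
 my $user = get_user_by_session_id();
- template 'account/index', { current_user => describe($user, current_user => $user) };
+ template 'account/index', { current_user => describe($user, current_user => $user, include_options => 1, include_relationships => 1) };
 };
 post '/account' => sub {
@@ -169,6 +169,7 @@ post '/account' => sub {
 }
 else {
 $user->update;
+ login($user); # in case they changed their password
 redirect '/account?success_message=Updated successfully.';
 }
 };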
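Review bot: `login($user)` in the `post '/account'` hunk runs on every successful `$user->update`, not only when the password changed, so the comment `# in case they changed their password` understates what happens; if `login` re-issues the session (not visible here), every profile save replaces the caller's session. Either guard the call on the submitted password field actually being present (whatever parameter name the form uses) or reword the comment to state the unconditional behaviour, e.g. `login($user); # re-establish the session so its stored password hash matches the (possibly changed) one`. The enclosing `post '/account'` handler starts before the hunk, so the branch that reaches this `else` is not visible.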