
FIX Session was started every time, even if no data set

Session tracks the user agent in the session, to add some detection of
stolen session IDs. However, this was causing a session to always be
created, even if this request didn't store any data in the session.
1 parent ff45f7c commit 2886f6ee14f48bc814a8c020835ad14d56a5f107 Hamish Friedlander committed Jul 6, 2013
Showing with 16 additions and 10 deletions.
  1. +15 −10 control/Session.php
  2. +1 −0 tests/control/SessionTest.php
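--- a/control/Session.php
+++ b/control/Session.php
@@ -128,6 +128,14 @@ class Session {
 protected $changedData = array();
+protected function userAgent() {
+if (isset($_SERVER['HTTP_USER_AGENT'])) {
+return $_SERVER['HTTP_USER_AGENT'];
+} else {
+return '';
+}
+}
+
 /**
 * Start PHP session, then create a new Session object with the given start data.
 *
@@ -138,23 +146,15 @@ public function __construct($data) {
 $this->data = $data;
-if (isset($_SERVER['HTTP_USER_AGENT'])) {
-$ua = $_SERVER['HTTP_USER_AGENT'];
-} else {
-$ua = '';
-}
-
 if (isset($this->data['HTTP_USER_AGENT'])) {
-if ($this->data['HTTP_USER_AGENT'] != $ua) {
+if ($this->data['HTTP_USER_AGENT'] != $this->userAgent()) {
 // Funny business detected!
 $this->inst_clearAll();
 Session::destroy();
 Session::start();
 }
 }
-
-$this->inst_set('HTTP_USER_AGENT', $ua);
 }
 /**
@@ -460,13 +460,18 @@ public function inst_clearAll() {
 public function inst_getAll() {
 return $this->data;
 }
-
+
+public function inst_finalize() {
+$this->inst_set('HTTP_USER_AGENT', $this->userAgent());
+}
+
 /**
 * Save data to session
 * Only save the changes, so that anyone manipulating $_SESSION directly doesn't get burned.
 */
 public function inst_save() {
 if($this->changedData) {
+$this->inst_finalize();
 if(!isset($_SESSION)) Session::start();
 $this->recursivelyApply($this->changedData, $_SESSION);
 }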
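Review bot: The rewritten comparison in the constructor hunk, `if ($this->data['HTTP_USER_AGENT'] != $this->userAgent()) {`, uses loose `!=` on two strings that both originate from a client-supplied header, and PHP's loose comparison treats numeric-looking strings such as `'1e3'` and `'1000'` as equal, so the strict form `if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent()) {` closes that gap at no cost. The new `userAgent()` and `inst_finalize()` methods also carry none of the docblocks the neighbouring methods have; a one-line `/** Returns the request's User-Agent header, or '' when the header is absent. */` on `userAgent()` and, on `inst_finalize()`, `/** Records the current User-Agent in the session data; inst_save() calls this only when changedData is non-empty, so the binding is stored without forcing an otherwise-empty session to be created. */` would capture the intent given in the commit message. Since `inst_finalize()` is public and goes through `inst_set()`, it presumably re-marks the key as changed on every save even when the value is unchanged; that looks harmless but deserves a short comment in `inst_save()`. The constructor body and `inst_save()` both continue past the hunks shown.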
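--- a/tests/control/SessionTest.php
+++ b/tests/control/SessionTest.php
@@ -99,6 +99,7 @@ public function testUserAgentLockout() {
 // Generate our session
 $s = new Session(array());
 $s->inst_set('val', 123);
+$s->inst_finalize();
 // Change our UA
 $_SERVER['HTTP_USER_AGENT'] = 'Fake Agent';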

