[Catalyst-commits] r10826 - in
Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection:
lib/Catalyst/Plugin t t/lib
kmx at dev.catalyst.perl.org
kmx at dev.catalyst.perl.org
Tue Jul 7 21:54:46 GMT 2009
Author: kmx
Date: 2009-07-07 21:54:46 +0000 (Tue, 07 Jul 2009)
New Revision: 10826
Modified:
Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/lib/Catalyst/Plugin/Session.pm
Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/lib/SessionTestApp.pm
Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/live_session_fixation.t
Log:
C::P::Session - branch session_fixation: new method change_session_id (incl. doc), new session_fixation tests pass, tested with a real application as well
Modified: Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/lib/Catalyst/Plugin/Session.pm
===================================================================
--- Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/lib/Catalyst/Plugin/Session.pm 2009-07-07 21:39:27 UTC (rev 10825)
+++ Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/lib/Catalyst/Plugin/Session.pm 2009-07-07 21:54:46 UTC (rev 10826)
@@ -288,6 +288,24 @@
$c->maybe::next::method(@_); # allow other plugins to hook in on this
}
+sub change_session_id {
+ my $c = shift;
+
+ my $sessiondata = $c->session;
+ my $oldsid = $c->sessionid;
+ my $newsid = $c->create_session_id;
+
+ if ($oldsid) {
+ $c->log->debug(qq/change_sessid: deleting session data from "$oldsid"/) if $c->debug;
+ $c->delete_session_data("${_}:${oldsid}") for qw/session expires flash/;
+ }
+
+ $c->log->debug(qq/change_sessid: storing session data to "$newsid"/) if $c->debug;
+ $c->store_session_data( "session:$newsid" => $sessiondata );
+
+ return $newsid;
+}
+
sub delete_session {
my ( $c, $msg ) = @_;
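Review bot: Flash data is lost across the id change: the loop deletes `flash:$oldsid` from the store, but only `session:$newsid` is written back, so anything the application put in `$c->flash` before calling change_session_id (a "login OK" message, for instance) disappears. Read it before the delete, `my $flashdata = $oldsid ? $c->get_session_data("flash:$oldsid") : undef;`, and re-store it after the session write, `$c->store_session_data( "flash:$newsid" => $flashdata ) if $flashdata;`. The same applies to `expires:$oldsid`, unless create_session_id already re-initialises the expiry for the new id, which this hunk does not show, so please confirm. Minor: the debug messages say `change_sessid:` while the method is change_session_id, which makes log grepping harder. delete_session continues past the end of the hunk.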
@@ -749,6 +767,31 @@
Note that these values are not auto extended.
+=item change_session_id
+
+By calling this method you can force a session id change while keeping all
+session data. This method might come handy when you are paranoid about some
+advanced variations of session fixation attack.
+
+If you want to prevent this session fixation scenario:
+
+ 0) let us have WebApp with anonymous and authenticated parts
+ 1) a hacker goes to vulnerable WebApp and gets a real sessionid,
+ just by browsing anonymous part of WebApp
+ 2) the hacker inserts (somehow) this values into a cookie in victim's browser
+ 3) after the victim logs into WebApp the hacker can enter his/her session
+
+you should call change_session_id in your login controller like this:
+
+ if ($c->authenticate( { username => $user, password => $pass } )) {
+ # login OK
+ $c->change_session_id;
+ ...
+ } else {
+ # login FAILED
+ ...
+ }
+
=back
=head1 INTERNAL METHODS
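Review bot: The POD does not say what the method does to the store or what it returns, which a caller deciding where to place the call needs: add a sentence such as `The stored data of the previous session id is deleted and the new session id is returned.` Step 2 has a small wording slip, "this values" should be "this value". The phrasing "might come handy when you are paranoid" undersells it; regenerating the session id on a change of privilege level (login, and likewise logout) is the standard mitigation for session fixation, and saying so plainly makes it more likely to be applied.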
Modified: Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/lib/SessionTestApp.pm
===================================================================
--- Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/lib/SessionTestApp.pm 2009-07-07 21:39:27 UTC (rev 10825)
+++ Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/lib/SessionTestApp.pm 2009-07-07 21:54:46 UTC (rev 10826)
@@ -53,8 +53,7 @@
sub change_sessid : Global {
my ( $self, $c ) = @_;
- #$c->change_session_id;
- $c->create_session_id;
+ $c->change_session_id;
$c->res->output("session id changed");
}
Modified: Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/live_session_fixation.t
===================================================================
--- Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/live_session_fixation.t 2009-07-07 21:39:27 UTC (rev 10825)
+++ Catalyst-Plugin-Session/0.00/branches/paranoid_session_fixation_protection/t/live_session_fixation.t 2009-07-07 21:54:46 UTC (rev 10826)
@@ -18,7 +18,7 @@
or plan skip_all =>
'Test::WWW::Mechanize::Catalyst >= 0.51 is required for this test';
- plan tests => 8;
+ plan tests => 10;
}
use lib "t/lib";