[Catalyst-commits] r10552 - in Catalyst-Plugin-Session/0.00/trunk: . lib/Catalyst/Plugin t t/lib

t0m at dev.catalyst.perl.org t0m at dev.catalyst.perl.org
Tue Jun 16 19:34:52 GMT 2009 

Author: t0m
Date: 2009-06-16 19:34:51 +0000 (Tue, 16 Jun 2009)
New Revision: 10552

Modified:
   Catalyst-Plugin-Session/0.00/trunk/Changes
   Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm
   Catalyst-Plugin-Session/0.00/trunk/t/01_setup.t
   Catalyst-Plugin-Session/0.00/trunk/t/lib/SessionTestApp.pm
Log:
Merge verify_user_agent branch

Modified: Catalyst-Plugin-Session/0.00/trunk/Changes
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/Changes	2009-06-16 18:57:17 UTC (rev 10551)
+++ Catalyst-Plugin-Session/0.00/trunk/Changes	2009-06-16 19:34:51 UTC (rev 10552)
@@ -1,8 +1,9 @@
 Revision history for Perl extension Catalyst::Plugin::Session
 
-        - Add a test case to prove that logging in with a session cookie still causes
-          a new cookie to be issued for you, proving that the code is not vulnerable
-          to a session fixation attack.
+        - Add the verify_user_agent config parameter (kmx)
+        - Add a test case to prove that logging in with a session cookie still 
+          causes a new cookie to be issued for you, proving that the code is
+          not vulnerable to a session fixation attack. (t0m)
 
 0.22 2009-05-13
         - INSANE HACK to ensure B::Hooks::EndOfScope inlines us a new method right now

Modified: Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm	2009-06-16 18:57:17 UTC (rev 10551)
+++ Catalyst-Plugin-Session/0.00/trunk/lib/Catalyst/Plugin/Session.pm	2009-06-16 19:34:51 UTC (rev 10552)
@@ -70,6 +70,7 @@
     %$cfg = (
         expires        => 7200,
         verify_address => 0,
+        verify_user_agent => 0,
         %$cfg,
     );
 
@@ -225,6 +226,17 @@
                 $c->delete_session("address mismatch");
                 return;
             }
+            if (   $c->config->{session}{verify_user_agent}
+                && $session_data->{__user_agent} ne $c->request->user_agent )
+            {
+                $c->log->warn(
+                        "Deleting session $sid due to user agent mismatch ("
+                      . $session_data->{__user_agent} . " != "
+                      . $c->request->user_agent . ")"
+                );
+                $c->delete_session("user agent mismatch");
+                return;
+            }
 
             $c->log->debug(qq/Restored session "$sid"/) if $c->debug;
             $c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
@@ -454,6 +466,11 @@
                 ? ( __address => $c->request->address )
                 : ()
             ),
+            (
+                $c->config->{session}{verify_user_agent}
+                ? ( __user_agent => $c->request->user_agent )
+                : ()
+            ),
         }
     );
 }
@@ -915,6 +932,14 @@
 
 Defaults to false.
 
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is 
+deleted.
+
+Defaults to false.
+
 =item flash_to_stash
 
 This option makes it easier to have actions behave the same whether they were
@@ -947,6 +972,11 @@
 The value of C<< $c->request->address >> at the time the session was created.
 This value is only populated if C<verify_address> is true in the configuration.
 
+=item __user_agent
+
+The value of C<< $c->request->user_agent>> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
 =back
 
 =head1 CAVEATS

Modified: Catalyst-Plugin-Session/0.00/trunk/t/01_setup.t
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/t/01_setup.t	2009-06-16 18:57:17 UTC (rev 10551)
+++ Catalyst-Plugin-Session/0.00/trunk/t/01_setup.t	2009-06-16 19:34:51 UTC (rev 10552)
@@ -63,7 +63,7 @@
 
 cmp_deeply(
     [ keys %{ $config{session} } ],
-    bag(qw/expires verify_address/),
+    bag(qw/expires verify_address verify_user_agent/),
     "default values for config were populated in successful setup",
 );
 

Modified: Catalyst-Plugin-Session/0.00/trunk/t/lib/SessionTestApp.pm
===================================================================
--- Catalyst-Plugin-Session/0.00/trunk/t/lib/SessionTestApp.pm	2009-06-16 18:57:17 UTC (rev 10551)
+++ Catalyst-Plugin-Session/0.00/trunk/t/lib/SessionTestApp.pm	2009-06-16 19:34:51 UTC (rev 10552)
@@ -6,6 +6,11 @@
 use strict;
 use warnings;
 
+__PACKAGE__->config->{session} = {
+    # needed for live_verify_user_agent.t; should be harmless for other tests 
+    verify_user_agent => 1,  
+};
+
 sub login : Global {
     my ( $self, $c ) = @_;
     $c->session;
@@ -30,6 +35,11 @@
     }
 }
 
+sub user_agent : Global {
+    my ( $self, $c ) = @_;
+    $c->res->output('UA=' . $c->req->user_agent);
+}
+
 __PACKAGE__->setup;
 
 __PACKAGE__;

More information about the Catalyst-commits mailing list