Some session fingerprinting code. Requires user agent to be consistent across requests.

git-svn-id: https://code.elgg.org/elgg/trunk@2047 36083f99-b078-4883-b0ff-0f9b5a30f544

2 files changed, 26 insertions, 2 deletions

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 28a16c403..76913f2b4 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -174,8 +174,11 @@
         	// Current session id
         	$session_id = session_id();
         	
+        	// Get user agent
+        	$ua = $_SERVER['HTTP_USER_AGENT'];
+        	
         	if (($site_secret) && ($session_id))
-        		return md5($site_secret.$timestamp.$session_id);
+        		return md5($site_secret.$timestamp.$session_id.$ua);
         	
         	return false;
         }
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index c6ae6f8d4..0a35fec1a 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -162,6 +162,13 @@
             session_destroy();

             

             return true;

+        }
+        
+        function get_session_fingerprint()
+        {
+        	global $CONFIG;
+        	
+        	return md5($_SERVER['HTTP_USER_AGENT'] );
         }

 		

 	/**

@@ -182,7 +189,21 @@
 			if (!is_db_installed()) return false;

 			

 			session_name('Elgg');

-	        session_start();

+	        session_start();
+	        
+	        // Do some sanity checking by generating a fingerprint (makes some XSS attacks harder)
+	        if (isset($_SESSION['__elgg_fingerprint']))
+			{
+			    if ($_SESSION['__elgg_fingerprint'] != get_session_fingerprint())
+			    {
+			    	session_destroy();
+			    	return false;
+			    }
+			}
+			else
+			{
+			    $_SESSION['__elgg_fingerprint'] = get_session_fingerprint();
+			}
 	        

 	        if (empty($_SESSION['guid'])) {

 	            if (isset($_COOKIE['elggperm'])) {