Revision history for Perl extension Catalyst::Plugin::Session
- - Add a test case to prove that logging in with a session cookie still causes
- a new cookie to be issued for you, proving that the code is not vulnerable
- to a session fixation attack.
+ - Add the verify_user_agent config parameter (kmx)
+ - Add a test case to prove that logging in with a session cookie still
+ causes a new cookie to be issued for you, proving that the code is
+ not vulnerable to a session fixation attack. (t0m)
0.22 2009-05-13
- INSANE HACK to ensure B::Hooks::EndOfScope inlines us a new method right now
%$cfg = (
expires => 7200,
verify_address => 0,
+ verify_user_agent => 0,
%$cfg,
);
$c->delete_session("address mismatch");
return;
}
+ if ( $c->config->{session}{verify_user_agent}
+ && $session_data->{__user_agent} ne $c->request->user_agent )
+ {
+ $c->log->warn(
+ "Deleting session $sid due to user agent mismatch ("
+ . $session_data->{__user_agent} . " != "
+ . $c->request->user_agent . ")"
+ );
+ $c->delete_session("user agent mismatch");
+ return;
+ }
$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
$c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
? ( __address => $c->request->address )
: ()
),
+ (
+ $c->config->{session}{verify_user_agent}
+ ? ( __user_agent => $c->request->user_agent )
+ : ()
+ ),
}
);
}
Defaults to false.
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is
+deleted.
+
+Defaults to false.
+
=item flash_to_stash
This option makes it easier to have actions behave the same whether they were
The value of C<< $c->request->address >> at the time the session was created.
This value is only populated if C<verify_address> is true in the configuration.
+=item __user_agent
+
+The value of C<< $c->request->user_agent>> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
=back
=head1 CAVEATS
cmp_deeply(
[ keys %{ $config{session} } ],
- bag(qw/expires verify_address/),
+ bag(qw/expires verify_address verify_user_agent/),
"default values for config were populated in successful setup",
);
use strict;
use warnings;
+__PACKAGE__->config->{session} = {
+ # needed for live_verify_user_agent.t; should be harmless for other tests
+ verify_user_agent => 1,
+};
+
sub login : Global {
my ( $self, $c ) = @_;
$c->session;
}
}
+sub user_agent : Global {
+ my ( $self, $c ) = @_;
+ $c->res->output('UA=' . $c->req->user_agent);
+}
+
__PACKAGE__->setup;
__PACKAGE__;