mirror/processwire
1
0
Fork 0
mirror of https://github.com/processwire/processwire.git synced 2025-08-08 07:47:00 +02:00
Code Issues Releases Wiki Activity

Update the $config->sessionFingerprint option to also support fingerprinting of browser http "accept" header, plus update documentation for this to use bitmask examples rather than predefined numbers.

Browse Source
This commit is contained in:
Ryan Cramer
2020-06-05 08:08:50 -04:00
parent 2de85fab4b
commit fd2fdd91f0
3 changed files with 77 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
wire/config.php
View File

@@ -293,27 +293,43 @@ $config->sessionChallenge = true;
/** /**
* Use session fingerprint? * Use session fingerprint?
* *
* Should login sessions be tied to IP and user agent? * Should login sessions also be tied to a fingerprint of the browser?
* IP fingerprinting may be problematic on dynamic IPs. * Fingerprinting can be based upon browser-specific headers and/or
* Below are the possible values: * IP addresses. But note that IP fingerprinting will be problematic on
* dynamic IPs.
* *
* 0 or false: Fingerprint off * Predefined settings:
* 1 or true: Fingerprint on with default/recommended setting (currently 10).
* 2: Fingerprint only the remote IP
* 4: Fingerprint only the forwarded/client IP (can be spoofed)
* 8: Fingerprint only the useragent
* 10: Fingerprint the remote IP and useragent (default)
* 12: Fingerprint the forwarded/client IP and useragent
* 14: Fingerprint the remote IP, forwarded/client IP and useragent (all).
* *
* If using fingerprint in an environment where the users * - 0 or false: Fingerprint off
* IP address may change during the session, you should * - 1 or true: Fingerprint on with default setting (remote IP & useragent)
* fingerprint only the useragent, or disable fingerprinting. *
* Custom settings:
*
* - 2: Remote IP
* - 4: Forwarded/client IP (can be spoofed)
* - 8: Useragent
* - 16: Accept header
*
* To use the custom settings above, select one or more of those you want
* to fingerprint, note the numbers, and use them like in the examples:
* ~~~~~~
* // to fingerprint just remote IP
* $config->sessionFingerprint = 2;
*
* // to fingerprint remote IP and useragent:
* $config->sessionFingerprint = 2 | 8;
*
* // to fingerprint remote IP, useragent and accept header:
* $config->sessionFingerprint = 2 | 8 | 16;
* ~~~~~~
*
* If using fingerprint in an environment where the users IP address may
* change during the session, you should fingerprint only the useragent
* and/or accept header, or disable fingerprinting.
* *
* If using fingerprint with an AWS load balancer, you should * If using fingerprint with an AWS load balancer, you should use one of
* use one of the options that uses the “client IP” rather than * the options that uses the “client IP” rather than the “remote IP”,
* the “remote IP”, fingerprint only the useragent, or disable * fingerprint only useragent and/or accept header, or disable fingerprinting.
* fingerprinting.
* *
* @var int * @var int
* *

2
wire/core/Fuel.php
View File

@@ -10,7 +10,7 @@
* This file is licensed under the MIT license * This file is licensed under the MIT license
* https://processwire.com/about/license/mit/ * https://processwire.com/about/license/mit/
* *
* ProcessWire 3.x, Copyright 2019 by Ryan Cramer * ProcessWire 3.x, Copyright 2020 by Ryan Cramer
* https://processwire.com * https://processwire.com
* *
* @property ProcessWire $wire * @property ProcessWire $wire

61
wire/core/Session.php
View File

@@ -64,6 +64,14 @@ class Session extends Wire implements \IteratorAggregate {
* *
*/ */
const fingerprintUseragent = 8; const fingerprintUseragent = 8;
/**
* Fingerprint bitmask: Use “accept” content-types header
*
* @since 3.0.159
*
*/
const fingerprintAccept = 16;
/** /**
* Suffix applied to challenge cookies * Suffix applied to challenge cookies
@@ -346,23 +354,33 @@ class Session extends Wire implements \IteratorAggregate {
/** /**
* Generate a session fingerprint * Generate a session fingerprint
* *
* If the `$mode` argument is omitted, the mode is pulled from `$config->sessionFingerprint`. If using the * If the `$mode` argument is omitted, the mode is pulled from `$config->sessionFingerprint`.
* mode argument, specify one of the following: * If using the mode argument, specify one of the following:
* *
* - 0 or false: Fingerprint nothing. * - 2: Remote IP
* - 1 or true: Fingerprint on with default/recommended setting (currently 10). * - 4: Forwarded/client IP (can be spoofed)
* - 2: Fingerprint only the remote IP. * - 8: Useragent
* - 4: Fingerprint only the forwarded/client IP (can be spoofed). * - 16: Accept header
* - 8: Fingerprint only the useragent. *
* - 10: Fingerprint the remote IP and useragent (default). * To use the custom `$mode` settings above, select one or more of those you want
* - 12: Fingerprint the forwarded/client IP and useragent. * to fingerprint, note the numbers, and determine the `$mode` like this:
* - 14: Fingerprint the remote IP, forwarded/client IP and useragent (all). * ~~~~~~
* * // to fingerprint just remote IP
* If using fingerprint in an environment where the users IP address may change during the session, you should * $mode = 2;
* fingerprint only the useragent, or disable fingerprinting. *
* * // to fingerprint remote IP and useragent:
* If using fingerprint with an AWS load balancer, you should use one of the options that uses the “client IP” * $mode = 2 | 8;
* rather than the “remote IP”, fingerprint only the useragent, or disable fingerprinting. *
* // to fingerprint remote IP, useragent and accept header:
* $mode = 2 | 8 | 16;
* ~~~~~~
* If using fingerprint in an environment where the users IP address may
* change during the session, you should fingerprint only the useragent
* and/or accept header, or disable fingerprinting.
*
* If using fingerprint with an AWS load balancer, you should use one of
* the options that uses the “client IP” rather than the “remote IP”,
* fingerprint only useragent and/or accept header, or disable fingerprinting.
* *
* #pw-internal * #pw-internal
* *
@@ -377,9 +395,9 @@ class Session extends Wire implements \IteratorAggregate {
$useFingerprint = $mode === null ? $this->config->sessionFingerprint : $mode; $useFingerprint = $mode === null ? $this->config->sessionFingerprint : $mode;
if(!$useFingerprint) return false; if(!$useFingerprint) return false;
if(is_bool($useFingerprint) || $useFingerprint == 1) { if($useFingerprint === true || $useFingerprint === 1 || $useFingerprint === "1") {
// default (boolean true) // default (boolean true or int 1)
$useFingerprint = self::fingerprintRemoteAddr | self::fingerprintUseragent; $useFingerprint = self::fingerprintRemoteAddr | self::fingerprintUseragent;
if($debug) $debugInfo[] = 'default'; if($debug) $debugInfo[] = 'default';
} }
@@ -401,6 +419,11 @@ class Session extends Wire implements \IteratorAggregate {
if($debug) $debugInfo[] = 'useragent'; if($debug) $debugInfo[] = 'useragent';
} }
if($useFingerprint & self::fingerprintAccept) {
$fingerprint .= isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : '';
if($debug) $debugInfo[] = 'accept';
}
if($debug) { if($debug) {
$fingerprint = implode(',', $debugInfo) . ': ' . $fingerprint; $fingerprint = implode(',', $debugInfo) . ': ' . $fingerprint;
} else { } else {