Subject: Proposal: verify_user_agent option
Date: Mon, 01 Jun 2009 08:13:01 +0200
To: bug-Catalyst-Plugin-Session [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>
Hi,
I am sending a patch proposal for a new verify_user_agent configuration
option. It is very similar to verify_address; it checks whether the
User-agent string from the HTTP request header has changed since session
initialization.
I know that it is not bullet-proof; on the other hand, a regular user does
not change his/her User-agent string so often, therefore it could
contribute a bit to the mitigation of session hijacking attacks.
--
kmx
*****
--- 0.22/lib/Catalyst/Plugin/Session.pm
+++ 0.22p/lib/Catalyst/Plugin/Session.pm
@@ -70,6 +70,7 @@
%$cfg = (
expires => 7200,
verify_address => 0,
+ verify_user_agent => 0,
%$cfg,
);
@@ -225,6 +226,17 @@
$c->delete_session("address mismatch");
return;
}
+ if ( $c->config->{session}{verify_user_agent}
+ && $session_data->{__user_agent} ne
$c->request->user_agent )
+ {
+ $c->log->warn(
+ "Deleting session $sid due to user agent
mismatch ("
+ . $session_data->{__user_agent} . " != "
+ . $c->request->user_agent . ")"
+ );
+ $c->delete_session("user agent mismatch");
+ return;
+ }
$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
$c->_session_data_sig(
Object::Signature::signature($session_data) ) if $session_data;
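Review bot: the comparison `$session_data->{__user_agent} ne $c->request->user_agent` has no defined-check, so a request without a User-Agent header, or a session that was stored with no `__user_agent` key, compares against undef: Perl emits "uninitialized value" warnings, and two missing values compare equal, so such a session is accepted silently. Normalising both sides (for example `// ''`) or treating a missing stored value as a mismatch would make the intended outcome explicit; the same undef values are also interpolated into the `$c->log->warn` message.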
@@ -454,6 +466,11 @@
? ( __address => $c->request->address )
: ()
),
+ (
+ $c->config->{session}{verify_user_agent}
+ ? ( __user_agent => $c->request->user_agent )
+ : ()
+ ),
}
);
}
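Review bot: `__user_agent` is only written when the option is on, so every session created before `verify_user_agent` is enabled carries no stored value and, with the check in the prepare path comparing undef against the current User-Agent string, will be deleted on its next request. That mirrors how `verify_address` is stored and is acceptable, but it should be stated in the documentation so operators expect a one-time round of logouts after switching the option on.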
@@ -915,6 +932,14 @@
Defaults to false.
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare
time. If it
+is not the same as the user agent that initiated the session, the
session is
+deleted.
+
+Defaults to false.
+
=item flash_to_stash
This option makes it easier to have actions behave the same whether
they were
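Review bot: the POD markup `C<<$c->request->user_agent>>` is malformed; the double-angle-bracket form needs whitespace inside the delimiters, otherwise the `>` in `->` ends the code span early. Write it as `C<< $c->request->user_agent >>`. The cover mail's caveat also belongs here: the User-Agent header is client-supplied, so the check only raises the bar slightly against session hijacking and gives no protection when the header is copied along with the session cookie, while clients whose User-Agent legitimately changes (browser updates, some proxies) will have their session deleted.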