Session pinning fix

airtime_mvc/application/Bootstrap.php

@@ -14,8 +14,10 @@
 require_once "OsPath.php";
 require_once "Database.php";
 require_once "Timezone.php";
+require_once "Auth.php";
 require_once __DIR__.'/forms/helpers/ValidationTypes.php';
 require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
+
 
 require_once (APPLICATION_PATH."/logging/Logging.php");
 Logging::setLogPath('/var/log/airtime/zendphp.log');
@@ -25,6 +27,8 @@
 
 Zend_Validate::setDefaultNamespaces("Zend");
 
+Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
+
 $front = Zend_Controller_Front::getInstance();
 $front->registerPlugin(new RabbitMqPlugin());
 

airtime_mvc/application/controllers/LoginController.php

@@ -14,9 +14,10 @@ public function indexAction()
         $request = $this->getRequest();
 
         Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
-        if (Zend_Auth::getInstance()->hasIdentity())
+        $auth = Zend_Auth::getInstance();
+
+        if ($auth->hasIdentity())
         {
-
             $this->_redirect('Showbuilder');
         }
 
@@ -52,8 +53,7 @@ public function indexAction()
                     //pass to the adapter the submitted username and password
                     $authAdapter->setIdentity($username)
                                 ->setCredential($password);
-
-                    $auth = Zend_Auth::getInstance();
+
                     $result = $auth->authenticate($authAdapter);
                     if ($result->isValid()) {
                         //all info about this user from the login table omit only the password
@@ -66,14 +66,12 @@ public function indexAction()
                         Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']);
                         Application_Model_Subjects::resetLoginAttempts($username);
 
-                        $tempSess = new Zend_Session_Namespace("referrer");
-                        $tempSess->referrer = 'login';
-
                         //set the user locale in case user changed it in when logging in
                         Application_Model_Preference::SetUserLocale($locale);
 
                         $this->_redirect('Showbuilder');
                     } else {
+
                         $message = _("Wrong username or password provided. Please try again.");
                         Application_Model_Subjects::increaseLoginAttempts($username);
                         Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
@@ -96,7 +94,8 @@ public function indexAction()
 
     public function logoutAction()
     {
-        Zend_Auth::getInstance()->clearIdentity();
+        $auth = Zend_Auth::getInstance();
+        $auth->clearIdentity();
         $this->_redirect('showbuilder/index');
     }
 

airtime_mvc/application/controllers/plugins/Acl_plugin.php

@@ -109,9 +109,9 @@ public function getErrorPage()
     public function preDispatch(Zend_Controller_Request_Abstract $request)
     {
         $controller = strtolower($request->getControllerName());
+        Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
 
         if (in_array($controller, array("api", "auth", "locale"))) {
-
             $this->setRoleName("G");
         } elseif (!Zend_Auth::getInstance()->hasIdentity()) {
 

airtime_mvc/application/models/Auth.php

@@ -101,4 +101,18 @@ final public function generateRandomString($length = 12, $allowed_chars = 'abcde
 
         return $string;
     }
+
+    /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
+     *  different copies of Airtime on the same webserver. This essentially pins this session to:
+     *   - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
+     *   - The remote IP of the browser - to help prevent session hijacking
+     *   - The client ID - same reason as server hostname
+     * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
+     */
+    public static function pinSessionToClient($auth)
+    {
+        $serverName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : "";
+        $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
+        $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $serverName . $remoteAddr . Application_Model_Preference::GetClientId()));
+    }
 }