Regenerate session id when
changing the current user to avoid
session fixation.
acinader committed Sep 28, 2018
1 parent 1b99d91 commit 3677852
Showing 2 changed files with 71 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/Parse/ParseUser.php
Expand Up @@ -500,6 +500,10 @@ protected function handleSaveResult($makeCurrent = false)
unset($this->serverData['sessionToken']);
}
if ($makeCurrent) {
if (session_id()) {
// see: https://www.owasp.org/index.php/Session_fixation
session_regenerate_id();
}
static::$currentUser = $this;
static::saveCurrentUser();
}
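Review bot: The `if (session_id())` guard on the new lines does not establish that a session is active, because `session_id()` also returns a non-empty string once `session_id($id)` has been set before any `session_start()`, and in that state `session_regenerate_id()` emits a warning and returns false instead of rotating anything; `if (session_status() === PHP_SESSION_ACTIVE) {` is the precise check. The call also leaves the previous session record in place until garbage collection, so an id obtained before login keeps resolving for a while; `session_regenerate_id(true)` removes it immediately, which is the property the OWASP reference is about, subject to the manual's caveat about concurrent requests on the same session. Either way the return value is discarded, so a failed rotation is silent; logging or at least commenting that this is best-effort would make the intent clear. handleSaveResult starts and ends outside the hunk.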
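--- a/tests/Parse/ParseSessionFixationTest.php
+++ b/tests/Parse/ParseSessionFixationTest.php
@@ -0,0 +1,67 @@
+<?php
+namespace Parse\Test;
+
+use Parse\ParseClient;
+use Parse\ParseUser;
+use Parse\ParseSession;
+
+class ParseSessionFixationTest extends \PHPUnit_Framework_TestCase
+{
+
+public static function setUpBeforeClass()
+{
+Helper::clearClass(ParseUser::$parseClassName);
+Helper::clearClass(ParseSession::$parseClassName);
+ParseUser::logout();
+ParseClient::_unsetStorage();
+
+// indicate we should not use cookies
+ini_set("session.use_cookies", 0);
+// indicate we can use something other than cookies
+ini_set("session.use_only_cookies", 0);
+// enable transparent sid support, for url based sessions
+ini_set("session.use_trans_sid", 1);
+// clear cache control for session pages
+ini_set("session.cache_limiter", "");
+session_start();
+Helper::setUp();
+}
+
+public function tearDown()
+{
+Helper::tearDown();
+Helper::clearClass(ParseUser::$parseClassName);
+Helper::clearClass(ParseSession::$parseClassName);
+ParseUser::logout();
+}
+
+public static function tearDownAfterClass()
+{
+session_destroy();
+}
+
+public function testCookieIdChangedForAnonymous()
+{
+ParseClient::getStorage()->set('test', 'hi');
+$noUserSessionId = session_id();
+$user = ParseUser::loginWithAnonymous();
+$anonymousSessionId = session_id();
+$this->assertNotEquals($noUserSessionId, $anonymousSessionId);
+$this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+$user->logout();
+}
+
+public function testCookieIdChangedForAnonymousToRegistered()
+{
+$user = ParseUser::loginWithAnonymous();
+$anonymousSessionId = session_id();
+ParseClient::getStorage()->set('test', 'hi');
+$user->setUsername('testy');
+$user->setPassword('testy');
+$user->save();
+$user->login('testy', 'testy');
+$registeredSessionId = session_id();
+$this->assertNotEquals($anonymousSessionId, $registeredSessionId);
+$this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+}
+}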
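Review bot: Both tests only assert that `session_id()` differs after login, which proves the rotation happened but not that the id captured before login stopped resolving; since the fixation defence is about the attacker-known id becoming useless, a follow-up test that puts a marker in the session before login and then confirms it is unreachable under the old id would pin the actual guarantee, and would also surface whether the regeneration discards the old record. The `assertEquals` calls in both tests pass the actual value first, so a failure message would be inverted; `$this->assertEquals('hi', ParseClient::getStorage()->get('test'));` is the PHPUnit order. The `set('test', 'hi')` lines read as arbitrary without a hint of what they check; a comment such as `// storage contents must survive the session id rotation` above each would document the intent.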
