From 36778524d0eabc001df4877b9c4d903cb06a5c09 Mon Sep 17 00:00:00 2001
From: Arthur Cinader <700572+acinader@users.noreply.github.com>
Date: Fri, 28 Sep 2018 16:57:15 -0700
Subject: [PATCH] Regenerate session id when changing the current user to avoid session fixation.
---
 src/Parse/ParseUser.php | 4 ++
 tests/Parse/ParseSessionFixationTest.php | 67 ++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 tests/Parse/ParseSessionFixationTest.php
diff --git a/src/Parse/ParseUser.php b/src/Parse/ParseUser.php
index e559b176..57b35c07 100644
--- a/src/Parse/ParseUser.php
+++ b/src/Parse/ParseUser.php
@@ -500,6 +500,10 @@ protected function handleSaveResult($makeCurrent = false)
 unset($this->serverData['sessionToken']);
 }
 if ($makeCurrent) {
+ if (session_id()) {
+ // see: https://www.owasp.org/index.php/Session_fixation
+ session_regenerate_id();
+ }
 static::$currentUser = $this;
 static::saveCurrentUser();
 }
diff --git a/tests/Parse/ParseSessionFixationTest.php b/tests/Parse/ParseSessionFixationTest.php
new file mode 100644
index 00000000..30c65563
--- /dev/null
+++ b/tests/Parse/ParseSessionFixationTest.php
@@ -0,0 +1,67 @@
+set('test', 'hi');
+ $noUserSessionId = session_id();
+ $user = ParseUser::loginWithAnonymous();
+ $anonymousSessionId = session_id();
+ $this->assertNotEquals($noUserSessionId, $anonymousSessionId);
+ $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+ $user->logout();
+ }
+
+ public function testCookieIdChangedForAnonymousToRegistered()
+ {
+ $user = ParseUser::loginWithAnonymous();
+ $anonymousSessionId = session_id();
+ ParseClient::getStorage()->set('test', 'hi');
+ $user->setUsername('testy');
+ $user->setPassword('testy');
+ $user->save();
+ $user->login('testy', 'testy');
+ $registeredSessionId = session_id();
+ $this->assertNotEquals($anonymousSessionId, $registeredSessionId);
+ $this->assertEquals(ParseClient::getStorage()->get('test'), 'hi');
+ }
+}
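Review bot: The return value of `session_regenerate_id()` in the ParseUser.php hunk is discarded, so when regeneration fails (it returns false, for instance once output has started and the new cookie can no longer be sent) the pre-login id that could have been fixed by an attacker silently stays attached to the now-authenticated session. At minimum check the result and surface the failure, e.g. `if (!session_regenerate_id()) { error_log('ParseUser: session id regeneration failed'); }`, and consider passing `true` so the old session record is invalidated immediately instead of lingering until garbage collection (this can break concurrent requests still carrying the old id, which is presumably why PHP defaults to false, so weigh it against the deployment). The guard `if (session_id())` depends on the truthiness of the id string; `if (session_status() === PHP_SESSION_ACTIVE)` states the intent directly and matches the precondition `session_regenerate_id()` itself enforces. handleSaveResult's body starts before and ends after this hunk.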