From 8f3ab1062c0c55bf70240849bb2700f07b9a8425 Mon Sep 17 00:00:00 2001 From: Thomas Date: Thu, 10 Jul 2014 08:49:21 -0700 Subject: [PATCH] Removing user agent and remote IP from session hash string computation and pg session storage. Including those is pretty much bullshit since they are so easy to fake. It isn't worth the extra complexity or storage space. --- pg-sessions.lisp | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) diff --git a/pg-sessions.lisp b/pg-sessions.lisp index 19250b7..40cd335 100644 --- a/pg-sessions.lisp +++ b/pg-sessions.lisp @@ -37,10 +37,6 @@ :documentation "The session string encodes enough data to safely retrieve this session. It is sent to the browser as a cookie value or as a GET parameter.") - (user-agent :initarg :user-agent - :accessor pg-session-user-agent) - (remote-addr :initarg :remote-addr - :accessor pg-session-remote-addr) (session-start :col-type bigint :initform (get-universal-time) :accessor pg-session-start) (last-click :col-type bigint :initform (get-universal-time) :accessor pg-session-last-click :documentation "The last time this session was used.") @@ -62,9 +58,7 @@ stored in the postmodern database.")) (loop for code across (md5:md5sum-string string) do (format s "~2,'0x" code)))) -(defun encode-session-string (id user-agent remote-addr start) - "Creates a uniquely encoded session string based on the values ID, -USER-AGENT, and START" +(defun encode-session-string (id start) ;; *PG-SESSION-SECRET* is used twice due to known theoretical ;; vulnerabilities of MD5 encoding (md5-hex (concatenate 'string @@ -72,18 +66,12 @@ USER-AGENT, and START" (md5-hex (format nil "~A~A~@[~A~]~@[~A~]~A" *pg-session-secret* id - (and hunchentoot:*use-user-agent-for-sessions* - user-agent) - (and hunchentoot:*use-remote-addr-for-sessions* - remote-addr) start))))) (defun stringify-session (session) "Creates a string representing of the SESSION object SESSION. See ENCODE-SESSION-STRING." (encode-session-string (pg-session-id session) - (pg-session-user-agent session) - (pg-session-remote-addr session) (pg-session-start session))) (defun session-too-old-p (session) @@ -122,9 +110,7 @@ case the function will also send a session cookie to the browser." (return-from pg-start-session session)) (setf session (apply #'make-dao - (append `(,*session-type* - :user-agent ,(hunchentoot:user-agent hunchentoot:*request*) - :remote-addr ,(hunchentoot:real-remote-addr hunchentoot:*request*)) + (append `(,*session-type*) args))) (setf (hunchentoot:session hunchentoot:*request*) session) (setf (pg-session-string session) (stringify-session session)) @@ -145,9 +131,6 @@ will not create a new one." (hunchentoot:log-message* :info "Session with ID ~A too old" id)) (pg-remove-session session) (setq session nil)) - (when session - (setf (pg-session-user-agent session) (hunchentoot:user-agent request) - (pg-session-remote-addr session) (hunchentoot:real-remote-addr request))) session)) (defmethod hunchentoot:session-verify ((request hunchentoot:request)) @@ -168,17 +151,13 @@ will not create a new one." (destructuring-bind (id-string session-string) (cl-ppcre:split ":" session-identifier :limit 2) (let* ((id (parse-integer id-string)) - (session (get-stored-session id request)) - (user-agent (hunchentoot:user-agent request)) - (remote-addr (hunchentoot:remote-addr request))) + (session (get-stored-session id request))) (cond ((and session (string= session-string (pg-session-string session)) (string= session-string (encode-session-string id - user-agent - (hunchentoot:real-remote-addr request) (pg-session-start session)))) ;; the session key presented by the client is valid (setf (pg-session-last-click session) (get-universal-time))