@@ -67,14 +67,31 @@ public function __construct(
6767
6868 if (isset ($ _COOKIE 'sid ' ]) === true ) {
6969 self ::$ sidhtmlspecialchars ($ _COOKIE 'sid ' ]);
70+
71+ //Part 0 random string without session pw
72+ //Part 1 remote adds + host with session pw
73+ //Part 2 random string with session pw
7074 $ testSessionexplode ('- ' , self ::$ sid
7175 }
7276
7377 //Don't allow session ids from user.
7478 if (is_array ($ testSessiontrue && count ($ testSession1 ) {
75- $ testMD5hash ('sha1 ' , $ testSession0 ] . $ this sessionpassword );
79+ $ testSessionPwhash ('sha1 ' , $ testSession0 ] . $ this sessionpassword );
80+
81+ if ($ testSessionPw$ testSession2 ]) {
82+ error_log ("failed session pw test of tmp " );
83+ self ::makeSID ();
84+ }
85+
86+ //test remote host info
87+ $ session_string$ this request instanceof CliRequest
88+ ? self ::get_client_ip () . $ _SERVER 'HTTP_HOST ' ]
89+ : 'cli ' ;
90+
91+ $ testSessionHosthash ('sha1 ' , $ session_string$ this sessionpassword );
7692
77- if ($ testMD5$ testSession1 ]) {
93+ if ($ testSessionHost$ testSession1 ]) {
94+ error_log ("failed ip and host check " );
7895 self ::makeSID ();
7996 }
8097 } else {
@@ -89,11 +106,11 @@ public function __construct(
89106 'leantime.core.httpkernel.handle.beforeSendResponse ' ,
90107 fn ($ responsetap ($ responsefn (Response $ response$ responseheaders ->setCookie (
91108 Cookie::create ('sid ' )
92- ->withValue (self ::$ sid
93- ->withExpires (time () + $ configsessionExpiration )
94- ->withPath ('/ ' )
95- ->withSameSite ('Lax ' )
96- ->withSecure (true )
109+ ->withValue (self ::$ sid
110+ ->withExpires (time () + $ configsessionExpiration )
111+ ->withPath ('/ ' )
112+ ->withSameSite ('Strict ' )
113+ ->withSecure (true )
97114 ))
98115 );
99116 }
@@ -119,12 +136,12 @@ public static function getSID(): string
119136 private function makeSID (): void
120137 {
121138 $ session_string$ this request instanceof CliRequest
122- ? $ _SERVER 'REMOTE_ADDR ' ]
139+ ? self :: get_client_ip () . $ _SERVER 'HTTP_HOST ' ]
123140 : 'cli ' ;
124141
125142 $ tmphash ('sha1 ' , mt_rand (32 , 32 ) . $ session_stringtime ());
126143
127- self ::$ sid$ tmp'- ' . hash ('sha1 ' , $ tmp$ this sessionpassword );
144+ self ::$ sid$ tmp'- ' . hash ('sha1 ' , $ session_string . $ this -> sessionpassword ) . ' - ' . hash ( ' sha1 ' , $ tmp$ this sessionpassword );
128145 }
129146
130147 /**
@@ -143,12 +160,33 @@ public static function destroySession(): void
143160 'leantime.core.httpkernel.handle.beforeSendResponse ' ,
144161 fn ($ responsetap ($ responsefn (Response $ response$ responseheaders ->setCookie (
145162 Cookie::create ('sid ' )
146- ->withValue ('' )
147- ->withExpires (time () - 42000 )
148- ->withPath ('/ ' )
149- ->withSameSite ('Strict ' )
150- ->withSecure (true )
163+ ->withValue ('' )
164+ ->withExpires (time () - 42000 )
165+ ->withPath ('/ ' )
166+ ->withSameSite ('Strict ' )
167+ ->withSecure (true )
151168 ))
152169 );
153170 }
171+
172+ private static function get_client_ip ()
173+ {
174+ $ ipaddress'' ;
175+ if (getenv ('HTTP_CLIENT_IP ' )) {
176+ $ ipaddressgetenv ('HTTP_CLIENT_IP ' );
177+ } elseif (getenv ('HTTP_X_FORWARDED_FOR ' )) {
178+ $ ipaddressgetenv ('HTTP_X_FORWARDED_FOR ' );
179+ } elseif (getenv ('HTTP_X_FORWARDED ' )) {
180+ $ ipaddressgetenv ('HTTP_X_FORWARDED ' );
181+ } elseif (getenv ('HTTP_FORWARDED_FOR ' )) {
182+ $ ipaddressgetenv ('HTTP_FORWARDED_FOR ' );
183+ } elseif (getenv ('HTTP_FORWARDED ' )) {
184+ $ ipaddressgetenv ('HTTP_FORWARDED ' );
185+ } elseif (getenv ('REMOTE_ADDR ' )) {
186+ $ ipaddressgetenv ('REMOTE_ADDR ' );
187+ } else {
188+ $ ipaddress'UNKNOWN ' ;
189+ }
190+ return $ ipaddress
191+ }
154192}
0 commit comments