Make session unique to user's user agent

Created on 5 February 2022, almost 3 years ago
Updated 3 October 2023, about 1 year ago

Problem/Motivation

I want to make the Drupal 8 session more secure, so that even if a user's cookie is obtained by a MITM attack, the attacker won't be able to get access to the user's account.

Steps to reproduce

I used two browsers and logged in to the Drupal 8 application with different accounts.
Using a cookie editor, I took the user cookie from one and saved that cookie into the other user's browser session.
I was able to get access to the other user's account.

Proposed resolution

I want to bind the user session cookie to the user agent (a user-agent hash) to make the cookie more secure,
so that even if an attacker gets the user cookie, they won't be able to access the other user's account.

(I tried to bind the session with the solution from https://www.drupal.org/files/issues/session.inc_3.patch, but it did not work.)

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Active

Version

2.0

Component

Code

Created by


Comments & Activities


  • fox mulder (Hungary)

    @anuj423: where did you place this code in AutologoutManager.php exactly?

  • fox mulder (Hungary)

    I found:
    autologout/src/AutologoutManager.php

    
      // Requires at the top of the file:
      //   use Drupal\Core\Session\AnonymousUserSession;
      public function logout() {
        $user = $this->currentUser;
        if ($this->autoLogoutSettings->get('use_watchdog')) {
          $this->logger->info(
            'Session automatically closed for %name by autologout.',
            ['%name' => $user->getAccountName()]
          );
        }
    
        // Record the User-Agent the first time this session is seen.
        if (!array_key_exists('HTTP_USER_AGENT', $_SESSION)) {
          $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
        }
    
        // Destroy the current session only if the User-Agent has changed
        // since it was recorded; otherwise the session is left intact.
        if ($_SESSION['HTTP_USER_AGENT'] != $_SERVER['HTTP_USER_AGENT']) {
          $this->moduleHandler->invokeAll('user_logout', [$user]);
          $this->session->destroy();
          $user->setAccount(new AnonymousUserSession());
        }
      }
    
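The user-agent binding proposed in the issue summary, done as a request-time check rather than inside `logout()` as in the snippet above. This is an added example, not code from the autologout module or the linked patch; the module name `session_ua_bind` and the class are hypothetical, and it assumes a Drupal 10-era Symfony API (`RequestEvent`, `isMainRequest()`) and PHP 8 constructor promotion.

```php
<?php
namespace Drupal\session_ua_bind\EventSubscriber;

use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Session\AnonymousUserSession;
use Drupal\Core\Session\SessionManagerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Ends an authenticated session whose User-Agent no longer matches the
 * fingerprint recorded on the first request of that session. (Hypothetical.)
 */
class UserAgentBindingSubscriber implements EventSubscriberInterface {
  const SESSION_KEY = 'ua_fingerprint';

  public function __construct(
    protected AccountProxyInterface $currentUser,
    protected SessionManagerInterface $sessionManager,
  ) {}

  public static function getSubscribedEvents(): array {
    // Priority 20: after Drupal's authentication subscriber (300), before controllers.
    return [KernelEvents::REQUEST => ['onRequest', 20]];
  }

  // Store a hash rather than the raw header string.
  public static function fingerprint(?string $userAgent): string {
    return hash('sha256', $userAgent ?? '');
  }

  public function onRequest(RequestEvent $event): void {
    if (!$event->isMainRequest() || $this->currentUser->isAnonymous()) {
      return;
    }
    $request = $event->getRequest();
    $session = $request->getSession();
    $current = self::fingerprint($request->headers->get('User-Agent'));
    $stored = $session->get(self::SESSION_KEY);
    if ($stored === NULL) {
      $session->set(self::SESSION_KEY, $current);  // First request: record it.
      return;
    }
    if (!hash_equals($stored, $current)) {
      // Mismatch: treat the cookie as replayed from another client.
      $this->sessionManager->destroy();
      $this->currentUser->setAccount(new AnonymousUserSession());
    }
  }
}
```

Register it in the module's services.yml with `tags: [{ name: event_subscriber }]` and arguments `@current_user` and `@session_manager`. Keep in mind that the User-Agent header travels in the same request as the cookie, so a MITM attacker who captures one has both; the check only blocks reuse from a different client, and a browser update that changes the string will force a re-login.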