Session verification helper function #19

Closed
opened 2024-08-22 09:22:40 +00:00 by nu · 2 comments
Owner

Helper name should probably be `session_is_valid` or `session_verify`. Should output `1` if session is valid and `undef` if it is not.

It should check the following:

  1. Is a session with this ID even present in the database?
  2. Is the session with this ID tied to the logged in user?
  3. Is it still within the timeframe that the session would be valid? [there should later be a periodic session clearing script that makes this check a bit redundant]
  4. If session is bound to IP, does the user's current IP match? [IP-bound sessions not currently implemented]

If any of these are FALSE, then the session cookie and [if applicable] DB entry should also be destroyed.

Session should be verified before user is allowed to perform any actions only a logged in user would be able to perform, i.e. making a new thread or post, editing their profile, viewing a userclass-restricted forum [or threads within], etc.

Code should be written to allow multiple sessions per user, i.e. if one person is logged in across two devices (desktop and mobile or etc)

nu added this to the CharmBoard v1.0 milestone 2024-08-22 09:22:40 +00:00
nu added the security, improvement labels 2024-08-22 09:22:40 +00:00
nu added this to the Workable alpha/beta project 2024-08-22 09:22:40 +00:00
Author
Owner

Should probably run on index too, since that will affect listing of userclass-restricted forums (once that feature is implemented)

And before even calling `$self->session_validate` there should first be a check that the user is even logged in at all, somewhat like this maybe:

```perl
if ($self->session('is_auth') == 1) {
  $self->session_verify;
};
```

(I'm thinking session destruction will be built into `session_verify` instead of needing to be called separately)

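To show the four checks and the destroy-on-failure rule from the issue together with the `is_auth` guard from the comment above, here is an added example helper written for this thread (not CharmBoard's own code). It is a Mojolicious plugin and assumes a `sessions` table with `id`, `user_id`, `expires_at` (epoch seconds) and `bound_ip` columns, an app-level `db` helper returning a DBI handle, and a hypothetical plugin name.

```perl
package CharmBoard::Plugin::SessionVerify;   # hypothetical name (assumption)
use Mojo::Base 'Mojolicious::Plugin';

sub register {
    my ($self, $app) = @_;

    # $c->session_verify returns 1 if the current session passes every check,
    # undef otherwise; on failure it also destroys the cookie and the DB row.
    $app->helper(session_verify => sub {
        my $c   = shift;
        my $sid = $c->session('session_id');
        my $uid = $c->session('user_id');

        # Guard from the follow-up comment: nothing to verify if not logged in.
        return undef unless $c->session('is_auth') && defined $sid;

        # Each login inserts its own row with a fresh id, so one user can hold
        # several valid sessions (desktop + mobile) at the same time.
        # Assumes $app->db returns a DBI handle (assumption, see lead-in).
        my $row = $app->db->selectrow_hashref(
            'SELECT user_id, expires_at, bound_ip FROM sessions WHERE id = ?',
            undef, $sid,
        );

        my $ok = $row                                            # 1. row exists
              && defined $uid && $row->{user_id} eq $uid         # 2. tied to user
              && $row->{expires_at} > time                       # 3. not expired
              && (!defined $row->{bound_ip}                      # 4. IP binding,
                  || $row->{bound_ip} eq $c->tx->remote_address); #    only if bound

        return 1 if $ok;

        # Any check failed: drop the DB entry (if one existed) and expire the
        # signed session cookie so the client cannot keep presenting it.
        $app->db->do('DELETE FROM sessions WHERE id = ?', undef, $sid) if $row;
        $c->session(expires => 1);
        return undef;
    });
}

1;
```

Because the guard is inside the helper, calling `$c->session_verify` unconditionally from a `before_dispatch` hook covers the index page as well as every authenticated action.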
Author
Owner

I think its fair to say this is done, despite the IP binding check not being implemented since, well, IP binding of sessions isn't implemented *at all* right now!

nu closed this issue 2024-08-24 04:53:26 +00:00
Reference: nu/CharmBoard#19