Annajwaszahro
/
MIF_E31222691
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

working on cookie fingerprinting.

This commit is contained in:
Taylor Otwell 2012-09-25 08:40:29 -05:00
parent 07bec5c043
commit 110966bd6a
4 changed files with 45 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
laravel/cookie.php
View File

@ -44,9 +44,14 @@ public static function has($name)
*/ */
public static function get($name, $default = null) public static function get($name, $default = null)
{ {
if (isset(static::$jar[$name])) return static::$jar[$name]['value']; if (isset(static::$jar[$name])) return static::parse(static::$jar[$name]['value']);
return array_get(Request::foundation()->cookies->all(), $name, $default); if ( ! is_null($value = Request::foundation()->cookies->get($name)))
{
return static::parse($value);
}
return value($default);
} }
/** /**
@ -75,6 +80,8 @@ public static function put($name, $value, $expiration = 0, $path = '/', $domain
$expiration = time() + ($expiration * 60); $expiration = time() + ($expiration * 60);
} }
$value = sha1($value.Config::get('application.key')).'+'.$value;
// If the secure option is set to true, yet the request is not over HTTPS // If the secure option is set to true, yet the request is not over HTTPS
// we'll throw an exception to let the developer know that they are // we'll throw an exception to let the developer know that they are
// attempting to send a secure cookie over the insecure HTTP. // attempting to send a secure cookie over the insecure HTTP.
@ -120,4 +127,35 @@ public static function forget($name, $path = '/', $domain = null, $secure = fals
return static::put($name, null, -2000, $path, $domain, $secure); return static::put($name, null, -2000, $path, $domain, $secure);
} }
/**
* Parse a hash fingerprinted cookie value.
*
* @param string $value
* @return string
*/
protected static function parse($value)
{
$segments = explode('+', $value);
// First we will make sure the cookie actually has enough segments to even
// be valid as being set by the application. If it does not we will go
// ahead and throw exceptions now since there the cookie is invalid.
if ( ! (count($segments) >= 2))
{
throw new \Exception("Cookie was not set by application.");
}
$value = implode('+', array_slice($segments, 1));
// Now we will check if the SHA-1 hash present in the first segment matches
// the ShA-1 hash of the rest of the cookie value, since the hash should
// have been set when the cookie was first created by the application.
if ($segments[0] == sha1($value.Config::get('application.key')))
{
return $value;
}
throw new \Exception("Cookie has been modified by client.");
}
} }

2
laravel/tests/cases/auth.test.php
View File

@ -269,7 +269,7 @@ public function testLoginStoresRememberCookieWhenNeeded()
$this->assertTrue(isset(Cookie::$jar['laravel_auth_drivers_fluent_remember'])); $this->assertTrue(isset(Cookie::$jar['laravel_auth_drivers_fluent_remember']));
$cookie = Cookie::$jar['laravel_auth_drivers_fluent_remember']['value']; $cookie = Cookie::get('laravel_auth_drivers_fluent_remember');
$cookie = explode('|', Crypter::decrypt($cookie)); $cookie = explode('|', Crypter::decrypt($cookie));
$this->assertEquals(1, $cookie[0]); $this->assertEquals(1, $cookie[0]);
$this->assertEquals('foo', Cookie::$jar['laravel_auth_drivers_fluent_remember']['path']); $this->assertEquals('foo', Cookie::$jar['laravel_auth_drivers_fluent_remember']['path']);

6
laravel/tests/cases/cookie.test.php
View File

@ -67,7 +67,7 @@ protected function restartRequest()
*/ */
public function testHasMethodIndicatesIfCookieInSet() public function testHasMethodIndicatesIfCookieInSet()
{ {
Cookie::$jar['foo'] = array('value' => 'bar'); Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar');
$this->assertTrue(Cookie::has('foo')); $this->assertTrue(Cookie::has('foo'));
$this->assertFalse(Cookie::has('bar')); $this->assertFalse(Cookie::has('bar'));
@ -82,7 +82,7 @@ public function testHasMethodIndicatesIfCookieInSet()
*/ */
public function testGetMethodCanReturnValueOfCookies() public function testGetMethodCanReturnValueOfCookies()
{ {
Cookie::$jar['foo'] = array('value' => 'bar'); Cookie::$jar['foo'] = array('value' => sha1('bar'.Config::get('application.key')).'+bar');
$this->assertEquals('bar', Cookie::get('foo')); $this->assertEquals('bar', Cookie::get('foo'));
Cookie::put('bar', 'baz'); Cookie::put('bar', 'baz');
@ -97,7 +97,7 @@ public function testGetMethodCanReturnValueOfCookies()
public function testForeverShouldUseATonOfMinutes() public function testForeverShouldUseATonOfMinutes()
{ {
Cookie::forever('foo', 'bar'); Cookie::forever('foo', 'bar');
$this->assertEquals('bar', Cookie::$jar['foo']['value']); $this->assertEquals(sha1('bar'.Config::get('application.key')).'+bar', Cookie::$jar['foo']['value']);
// Shouldn't be able to test this cause while we indicate -2000 seconds // Shouldn't be able to test this cause while we indicate -2000 seconds
// cookie expiration store timestamp. // cookie expiration store timestamp.

2
laravel/tests/cases/session.test.php
View File

@ -372,7 +372,7 @@ public function testSaveMethodSetsCookieWithCorrectValues()
$cookie = Cookie::$jar[Config::get('session.cookie')]; $cookie = Cookie::$jar[Config::get('session.cookie')];
$this->assertEquals('foo', $cookie['value']); $this->assertEquals(sha1('foo'.Config::get('application.key')).'+foo', $cookie['value']);
// Shouldn't be able to test this cause session.lifetime store number of minutes // Shouldn't be able to test this cause session.lifetime store number of minutes
// while cookie expiration store timestamp when it going to expired. // while cookie expiration store timestamp when it going to expired.
// $this->assertEquals(Config::get('session.lifetime'), $cookie['expiration']); // $this->assertEquals(Config::get('session.lifetime'), $cookie['expiration']);