Session: Add protection against session fixation attack.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2382 44740490-163a-0410-bde0-09ae8108e29a

lib/SimpleSAML/Session.php

@@ -104,6 +104,16 @@ class SimpleSAML_Session {
 	private $associations = array();
 
 
+	/**
+	 * The authentication token.
+	 *
+	 * This token is used to prevent session fixation attacks.
+	 *
+	 * @var string|NULL
+	 */
+	private $authToken;
+
+
 	/**
 	 * private constructor restricts instantiaton to getInstance()
 	 */
@@ -360,6 +370,10 @@ class SimpleSAML_Session {
 		$this->authState = $authState;
 
 		$this->sessionstarted = time();
+
+		$this->authToken = SimpleSAML_Utilities::generateID();
+		$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
+		$sessionHandler->setCookie('SimpleSAMLAuthToken', $this->authToken);
 	}
 
 
@@ -785,6 +799,17 @@ class SimpleSAML_Session {
 			return NULL;
 		}
 
+		if ($sessionData->authToken !== NULL) {
+			if (!isset($_COOKIE['SimpleSAMLAuthToken'])) {
+				SimpleSAML_Logger::warning('Missing AuthToken cookie.');
+				return NULL;
+			}
+			if ($_COOKIE['SimpleSAMLAuthToken'] !== $sessionData->authToken) {
+				SimpleSAML_Logger::warning('Invalid AuthToken cookie.');
+				return NULL;
+			}
+		}
+
 		return $sessionData;
 	}