silverstripe-framework: [CONTROL] Session invalidation because of UA String | One Plus Devices
Affected Version
Tested on 4.0.3
phpunit/phpunit 5.7.27 The PHP Unit Testing framework.
silverstripe-themes/simple dev-master c2fdd14 The SilverStripe simple theme (default SilverStripe 3 theme)
silverstripe/recipe-cms 1.0.3 SilverStripe recipe for fully featured page and asset content editing
silverstripe/recipe-plugin 1.1.0 Helper plugin to install SilverStripe recipes
silverstripe/tagfield 2.0.0 Tag field for Silverstripe
But potentially affects all previous versions.
Description
One Plus devices (current and old) send different User Agent strings for GET and POST requests which causes session validation to fail because of,
vendor\silverstripe\framework\src\Control\Session.php
/**
* Init this session instance before usage
*
* @param HTTPRequest $request
*/
public function init(HTTPRequest $request)
{
if (!$this->isStarted()) {
$this->start($request);
}
// Funny business detected!
if (isset($this->data['HTTP_USER_AGENT'])) {
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
$this->clearAll();
$this->destroy();
$this->start($request);
}
}
}
It’s a documented bug found in their forum, but a resolution probably isn’t close, https://forums.oneplus.com/threads/chrome-user-agent-is-different-when-making-an-post-request.691815/ https://forums.oneplus.com/threads/inconsistent-user-agent-string-chrome-for-android-ajax-requests.796666/
Steps to Reproduce
- Logging into the CMS with a One Plus device and moving between pages.
- Additionally, adding a logging event to the Sessions.php file for monitoring the UA string between requests.
Debug Data
Here are the strings between requests for One Plus 5 and One Plus 3T, respectively,
GET: Mozilla/5.0 (Linux; Android 8.1.0; ONEPLUS A5000 Build/OPM1.171019.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36
POST: Mozilla/5.0 (Linux; Android 8.1.0; Build/OPM1.171019.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36
GET: Mozilla/5.0 (Linux; Android 8.0.0; ONEPLUS A3003 Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36
POST: Mozilla/5.0 (Linux; Android 8.0.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36
Proposed Fix
We resolved this for our e-commerce systems by creating a configuration flag that allows disabling UA validation for session management. Another potential fix would be to drop UA validation completely? They’re inconsistent and borky.
Pull requests
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 18 (13 by maintainers)
I’m definitely in support of removing the session invalidation on UA change as I’ve never thought of it as being a secure way to invalidate the session. It is essentially an HTTP header that anyone can spoof, so why should we trust it or give it weight over any other user input?
As much as I really don’t think UA protection for session hijacking is worth the effort; OWASP does recommend it, so “privacy” browsers should be aware of this and accept it.
[1] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Binding_the_Session_ID_to_Other_User_Properties
They do also suggest IP address change as another indicator, which I think is completely mental given the prevalence of mobile phones and the likelihood that they could switch from WiFi to Cell data at any time.
Random UA is a way to protect browser against fingerprinting and SS won’t work with privacy enhanced browsers