Forum

Thread tagged as: Problem, Members

Using HTTP_USER_AGENT to generate a HTTP Footprint

Here's the scenario...

  1. MP3 asset is uploaded to a secure bucket (e.g. /myhost/secure)
  2. Add to content region with template:

     <audio controls preload="auto">
         <source src="<perch:content id="audio-mp3" type="file" label="MP3 file" />">
         ...
     </audio>

  3. Log in as valid perch member
  4. Visit page to listen to audio on Safari (OSX or iOS)
  5. Session is killed, audio tag shows 'error'
  6. Click on any other link and receive a prompt to login again

Safari uses the following UA for normal HTTP calls:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4

But uses this UA for audio sources:

AppleCoreMedia/1.0.0.15D21 (Macintosh; U; Intel Mac OS X 10_11_3; en_us)

PerchMembers_Auth::_get_http_footprint() uses HTTP_USER_AGENT which changes between requests for the same browser. PerchMembers_Auth::recover_session() then destroys the session :(

Interim remedy is to use 'blah' as the footprint string so that it doesn't change when using Safari. Doesn't appear to be an issue with Firefox, Chrome, et al.

If we're trying to avoid session fixation can we use a combination of other vars (e.g. REMOTE_ADDR, random token) instead?

Brendan Markham, 0 points, 5 years ago
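To make the failure mode concrete, here is an added Python simulation. It is not Perch's code: PerchMembers_Auth is not reimplemented, and the Session class, the cookie name perch_fp and the request dicts are constructed assumptions. It replays the sequence from the post with the two Safari User-Agent strings quoted above, first with a footprint derived from HTTP_USER_AGENT, then with the random per-session token the post asks about, assuming the AppleCoreMedia request carries the same cookies as the page request (which the post implies, since the session is found and then destroyed).

```python
import hashlib
import hmac
import secrets

# User-Agent strings quoted in the post above; everything else is constructed.
SAFARI_PAGE_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 "
                  "(KHTML, like Gecko) Version/9.0.3 Safari/601.4.4")
SAFARI_MEDIA_UA = "AppleCoreMedia/1.0.0.15D21 (Macintosh; U; Intel Mac OS X 10_11_3; en_us)"


def ua_footprint(env):
    """Footprint derived from HTTP_USER_AGENT alone (models the behaviour the post describes)."""
    return hashlib.sha256(env.get("HTTP_USER_AGENT", "").encode()).hexdigest()


def token_footprint(env):
    """Footprint derived from a random token the server issued at login.

    The token travels in its own cookie (hypothetical name: perch_fp), so it is the
    same for the page request and for Safari's AppleCoreMedia request, and it does
    not depend on the User-Agent or on REMOTE_ADDR.
    """
    token = env.get("COOKIES", {}).get("perch_fp", "")
    return hashlib.sha256(token.encode()).hexdigest()


class Session:
    """Minimal stand-in for a members session record (hypothetical, not Perch's class)."""

    def __init__(self, footprint_fn, login_env):
        self.footprint_fn = footprint_fn
        # Issued once at login and handed to the browser as a cookie.
        self.fp_token = secrets.token_urlsafe(32)
        login_env.setdefault("COOKIES", {})["perch_fp"] = self.fp_token
        self.footprint = footprint_fn(login_env)
        self.alive = True


def recover_session(session, env):
    """Return True if the session survives this request; destroy it if the footprint changed."""
    if not session.alive:
        return False
    if not hmac.compare_digest(session.footprint, session.footprint_fn(env)):
        session.alive = False
        return False
    return True


def simulate(footprint_fn):
    """Replay the post's sequence: log in, view the page, fetch the <audio> source, click a link."""
    cookies = {}  # shared by every request from this browser
    session = Session(footprint_fn, {"HTTP_USER_AGENT": SAFARI_PAGE_UA, "COOKIES": cookies})
    requests = [
        {"HTTP_USER_AGENT": SAFARI_PAGE_UA, "COOKIES": cookies},   # normal page view
        {"HTTP_USER_AGENT": SAFARI_MEDIA_UA, "COOKIES": cookies},  # audio source fetch
        {"HTTP_USER_AGENT": SAFARI_PAGE_UA, "COOKIES": cookies},   # next link clicked
    ]
    return [recover_session(session, env) for env in requests]


def stolen_session_id_check():
    """A request that presents the session but not the token cookie fails the check,
    so the token footprint still ties the session to the client that logged in."""
    cookies = {}
    session = Session(token_footprint, {"HTTP_USER_AGENT": SAFARI_PAGE_UA, "COOKIES": cookies})
    return recover_session(session, {"HTTP_USER_AGENT": SAFARI_PAGE_UA, "COOKIES": {}})


if __name__ == "__main__":
    print("UA footprint:   ", simulate(ua_footprint))      # [True, False, False]
    print("token footprint:", simulate(token_footprint))   # [True, True, True]
    print("no token cookie:", stolen_session_id_check())   # False
```

With the User-Agent footprint the second request (the media fetch) fails the comparison and kills the session, so the third request, the next link click, also fails; that is the login prompt from step 6. With the token footprint all three requests pass, and a request lacking the token cookie is still rejected.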
Drew McLellan, 2638 points, Perch Support

It was attempting to prevent session fixation, by making sure the request is still coming from the same user. In effect, it's working, as the UA has changed. Just not working how we'd like.

I'm not sure REMOTE_ADDR is a solution here, as that could validly change between requests, and could also be the same for an attacker at the same location.

Disabling it doesn't put you at risk, it just takes out a further step designed to help protect you. (You're not more likely to crash your car because it doesn't have airbags. But airbags are a good idea.)

In the meantime I'll see what I can come up with.

Thanks Drew :)