fuel / auth

Fuel PHP Framework - Fuel v1.x Authentication package
http://fuelphp.com/docs/packages/auth/intro.html

[FEATURE] Check HTTP_USER_AGENT with \Auth::check() #99

Closed rickmacgillis closed 9 years ago

rickmacgillis commented 9 years ago

\Session::rotate() offers excellent protection from session hijacking when used, but it does have one problem that it can't solve. If an attacker gets hold of a session cookie from an account holder while the account holder is logged in, the account is still susceptible to session hijacking, as FuelPHP only natively rotates the session ID upon login. (I've designed my software to rotate the ID on page load.)

Even with session rotations on each page load, the session is open to hijacking when the logged-in user is idle, and the session cookie hasn't timed out. If an attacker has the cookie, they could easily make the window of opportunity during some attack vectors. To further reduce the attack surface, consider checking $_SERVER['HTTP_USER_AGENT']. If the attacker's user agent is not the same as the one stored in the logged-in user's session, the session is destroyed, and both the attacker and account holder must log in again.

PROPOSED SOLUTION

  1. On login, add \Session::set('user_agent', $_SERVER['HTTP_USER_AGENT']);
  2. On logout, add \Session::delete('user_agent');
  3. On perform_check (or the public check()), add:

        $user_agent = \Session::get('user_agent', null);
        if (empty($user_agent) || $user_agent !== $_SERVER['HTTP_USER_AGENT']) {
            \Auth::logout();
        }
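The three steps above as one stand-alone PHP class, added here as an example and not code from FuelPHP or from the issue author. It assumes a plain array in place of \Session and \Auth so it runs without the framework, and it stores a SHA-256 of the User-Agent rather than the raw header (my choice; the proposal stores the raw string), which is why the comparison uses hash_equals().

```php
<?php
declare(strict_types=1);

// Added example: binds a session to the client's User-Agent as the
// proposal describes. The array below stands in for \Session storage.
final class UaBoundSession
{
    /** @var array<string,mixed> stand-in for \Session (assumption) */
    private array $data = [];

    public function login(string $userId, string $userAgent): void
    {
        // Step 1: on login, remember the UA. A hash keeps arbitrary-length
        // client input out of the session store (raw string would also work).
        $this->data['user_id']    = $userId;
        $this->data['user_agent'] = hash('sha256', $userAgent);
    }

    public function logout(): void
    {
        // Step 2: drop the UA binding together with the identity.
        unset($this->data['user_id'], $this->data['user_agent']);
    }

    /** Step 3: the check() guard; true only while the UA still matches. */
    public function check(string $userAgent): bool
    {
        $stored = $this->data['user_agent'] ?? null;
        if ($stored === null || !hash_equals($stored, hash('sha256', $userAgent))) {
            // Missing binding or mismatch: destroy the session so that both
            // the legitimate user and whoever sent this request must log in.
            $this->logout();
            return false;
        }
        return isset($this->data['user_id']);
    }
}

// Constructed sample User-Agent strings for two different clients.
$browserUa = 'Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0';
$otherUa   = 'curl/7.43.0';

$session = new UaBoundSession();
$session->login('alice', $browserUa);
var_dump($session->check($browserUa)); // same client: still logged in
var_dump($session->check($otherUa));   // different UA: session destroyed
var_dump($session->check($browserUa)); // original client now also logged out
```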
WanWizard commented 9 years ago

The session cookie is protected by both IP and User Agent checks, and the UA check is enabled by default in the config:

// check for an IP address match after loading the cookie (optional, default = false)
'match_ip'          => false,
// check for a user agent match after loading the cookie (optional, default = true)
'match_ua'          => true,

so this already happens, unless you have disabled it.