Merge pull request #127 from Schlaumeier5/91-session-validation

SessionManager improvements

Author: Schlaumeier5

src/main/java/de/igslandstuhl/database/server/webserver/SessionManager.java

@@ -14,9 +14,9 @@ public class SessionManager {
      * A map to store session IDs and their associated usernames.
      * This is a simple in-memory session store.
      */
-    private Map<Session, String> sessionUsers = new HashMap<>();
-    private Map<Session, Instant> lastActivity = new HashMap<>();
-    private Map<Session, Integer> requestCount = new HashMap<>();
+    private SessionStorage<String> sessionUsers = new SessionStorage<>();
+    private SessionStorage<Instant> lastActivity = new SessionStorage<>();
+    private SessionStorage<Integer> requestCount = new SessionStorage<>();
 
     /**
      * After this duration, sessions expire (are removed from the session store). It is measured in seconds.
@@ -65,18 +65,28 @@ private void cleanSecondsJob() {
     }
 
     public boolean validateSession(HttpRequest request) {
-        Session session = getSession(request);
-        lastActivity.put(session, Instant.now());
+        lastActivity.set(request, Instant.now());
 
-        Integer requests = requestCount.get(session);
+        Integer requests = requestCount.get(request);
         int count = requests == null ? 0 : requests;
         count++;
-        requestCount.put(session, count);
+        requestCount.set(request, count);
         if (count > maxRequests && !getSessionUser(request).isAdmin()) {
             System.out.println("Ratelimit!");
             return false;
         }
 
+        String userAgent = request.getUserAgent();
+        if (!getSession(request).getUserAgent().equals(userAgent)) {
+            System.err.println("SEVERE WARNING: POTENTIAL ATTACK: faked session id (device changed), for user " + getSessionUser(request));
+            return false;
+        }
+        String ip = request.getIP();
+        if (!getSession(request).getIpAddress().equals(ip)) {
+            System.err.println("SEVERE WARNING: POTENTIAL ATTACK: faked session id (ip address changed) for user " + getSessionUser(request));
+            return false;
+        }
+
         return true;
     }
 
@@ -120,12 +130,9 @@ public User getSessionUser(HttpRequest request) {
      */
     public void addSessionUser(Session session, String username) {
         // Remove all previous sessions for this user (see #51)
-        if (sessionUsers.values().contains(username)) {
-            sessionUsers.keySet().stream()
-            .filter((k) -> sessionUsers.get(k).equals(username))
-            .toList() // Convert to list to prevent ConcurrentModificationException
-            .forEach((k) -> sessionUsers.remove(k));
+        if (sessionUsers.contains(username)) {
+            sessionUsers.remove(username);
         }
-        sessionUsers.put(session, username);
+        sessionUsers.set(session, username);
     }
 }

src/main/java/de/igslandstuhl/database/server/webserver/SessionStorage.java

@@ -0,0 +1,40 @@
+package de.igslandstuhl.database.server.webserver;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import de.igslandstuhl.database.server.Server;
+import de.igslandstuhl.database.server.webserver.requests.HttpRequest;
+
+public class SessionStorage<T> {
+    private final Map<Session, T> intern = new HashMap<>();
+
+    public T get(Session session) {
+        return intern.get(session);
+    }
+    public T get(HttpRequest request) {
+        return intern.get(Server.getInstance().getWebServer().getSessionManager().getSession(request));
+    }
+    public void set(Session session, T object) {
+        intern.put(session, object);
+    }
+    public void set(HttpRequest request, T object) {
+        intern.put(Server.getInstance().getWebServer().getSessionManager().getSession(request), object);
+    }
+    public void remove(Session session) {
+        intern.remove(session);
+    }
+    public void remove(Session session, T value) {
+        intern.remove(session,value);
+    }
+    public void remove(T value) {
+        intern.keySet().stream().filter((key) -> intern.get(key) == value)
+        .toList().forEach((k) -> remove(k));
+    }
+    public boolean contains(T value) {
+        return intern.values().contains(value);
+    }
+    public void clear() {
+        intern.clear();
+    }
+}