[Phplib-trackers] [ phplib-Patches-472136 ] Bug in session.inc with HTTP_POST_VARS
From: <no...@so...> - 2002-01-25 17:05:52
Patches item #472136, was opened at 2001-10-17 09:41
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=403613&aid=472136&group_id=31885

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Oliver Kurz (ojk)
Assigned to: Nobody/Anonymous (nobody)
Summary: Bug in session.inc with HTTP_POST_VARS

Initial Comment:
We noticed in one of our projects a little "bug" in the file session.inc (PHPLib 7.2c). If you set the mode to cookie and the fallback mode to get, and then send the session_id with POST through an HTML form, your session is lost. The reason is that the function release_token only looks in $HTTP_GET_VARS for the session_id when the fallback mode is necessary, but not in $HTTP_POST_VARS. This case is also possible if no cookies are allowed and the session_id is transmitted by a hidden form field. We fixed the function as you can see at the bottom of this text. Now, in fallback mode, the function also looks for the session_id in the post vars if it isn't set in the cookie or get vars.

    // Fix
    function release_token() {
        // Old Version
        // global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_HOST, $HTTPS;
        // New Version: also pull in the POST variables
        global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_HOST, $HTTPS, $HTTP_POST_VARS;

        // Only relevant when cookie mode is configured, "get" is the fallback,
        // and the client sent no session cookie.
        if ( isset($this->fallback_mode)
             && ( "get" == $this->fallback_mode )
             && ( "cookie" == $this->mode )
             && ( ! isset($HTTP_COOKIE_VARS[$this->name]) ) ) {

            // Old Version
            // if ( isset($HTTP_GET_VARS[$this->name]) ) {
            // New Version: accept the id from the query string or from a posted form field
            if ( isset($HTTP_GET_VARS[$this->name]) || isset($HTTP_POST_VARS[$this->name]) ) {
                $this->mode = $this->fallback_mode;
            } else {
                // No id arrived at all: allocate one and redirect back to this URL with it.
                header("Status: 302 Moved Temporarily");
                $this->get_id($sid);   // $sid is unset here, as in the original
                $this->mode = $this->fallback_mode;
                if ( isset($HTTPS) && $HTTPS == 'on' ) {
                    ## You will need to fix suexec as well, if you use Apache and CGI PHP
                    $PROTOCOL = 'https';
                } else {
                    $PROTOCOL = 'http';
                }
                header("Location: " . $PROTOCOL . "://" . $HTTP_HOST . $this->self_url());
                exit;
            }
        }
    }

----------------------------------------------------------------------

Comment By: Dieter Steinwedel (dsteinwe)
Date: 2002-01-25 09:05

Message:
Logged In: YES
user_id=373951

I have written a patch for submitted post_vars. If you are interested, look for the title "Patch for auth/session with post_vars".

Dieter

----------------------------------------------------------------------

Comment By: Gaetano Giunta (ggiunta)
Date: 2002-01-10 04:28

Message:
Logged In: YES
user_id=114789

Well, fallback='get' gives you a clear idea of the supported fallback methods. Instead of adding post support this way, another (cleaner?) idea would be to add 'post' and 'both' options to fallback. The main problem is that there is no easy way in PHP to send POST data to a web page (there are hacks involving the use of sockets, but I don't know if they're bulletproof). And the id data needs to be sent not only expressly by the user when clicking on forms with hidden fields, but also by phplib itself (e.g. it adds it to URLs with sess_url()). My best guess is that the POST-only method is completely impracticable, so maybe your hack is the best option in the end.

----------------------------------------------------------------------
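The lookup order the patch above settles on (cookie first, then query string, then posted form field) is worth seeing on its own, together with the one check a reviewer would ask for before a request-supplied value is used as a storage key. The following is an added example written for this page, not code from PHPLib or from any of the posters. It uses the $_COOKIE/$_GET/$_POST superglobals of current PHP instead of the HTTP_*_VARS arrays, and it assumes session ids are 32 lowercase hex characters (md5-style); the function names resolve_session_id and fallback_redirect_url and the cookie name PHPLibSID are made up for the example. Note that taking the id from the query string or the request body means anyone who can get a victim to follow a link or submit a form can hand that victim an id of the attacker's choosing, so a deployment that relies on these fallbacks should also issue a fresh id when the user authenticates.

```php
<?php
// Added example (not PHPLib code): resolve a session id in the order the
// patched release_token() uses, but with a format check before the value is
// trusted. Names and the 32-hex-char id format are assumptions.

/**
 * Returns ['mode' => 'cookie'|'get'|'post', 'id' => string], or null when no
 * usable id was supplied. The precedence mirrors the patch: a cookie wins,
 * then the query string, then a posted hidden field. A value that does not
 * look like a generated id (32 lowercase hex chars, like md5() output) is
 * treated as absent, so it never reaches the session store as a key.
 */
function resolve_session_id(string $name, array $cookie, array $get, array $post): ?array
{
    $sources = ['cookie' => $cookie, 'get' => $get, 'post' => $post];
    foreach ($sources as $mode => $vars) {
        if (!isset($vars[$name]) || !is_string($vars[$name])) {
            continue;                         // missing, or an array from name[]=
        }
        if (!preg_match('/\A[0-9a-f]{32}\z/', $vars[$name])) {
            continue;                         // malformed: ignore rather than trust
        }
        return ['mode' => $mode, 'id' => $vars[$name]];
    }
    return null;
}

/**
 * Counterpart of the redirect branch: when no id arrived at all, the caller
 * sends a 302 back to the same URL with a freshly allocated id in the query
 * string. $self is the path (plus any existing query) of the current request.
 */
function fallback_redirect_url(string $host, string $self, string $name, string $id, bool $https): string
{
    $proto = $https ? 'https' : 'http';
    $sep   = (strpos($self, '?') === false) ? '?' : '&';
    return $proto . '://' . $host . $self . $sep . rawurlencode($name) . '=' . rawurlencode($id);
}

// Constructed sample requests (no real traffic, no real ids).
$name = 'PHPLibSID';
$id   = str_repeat('ab', 16);                 // 32 hex chars, like an md5()

// Hidden form field only: resolved with mode "post" (the case the bug report is about).
var_dump(resolve_session_id($name, [], [], [$name => $id]));

// Cookie and a bogus posted value: the cookie wins, the posted value is never looked at.
var_dump(resolve_session_id($name, [$name => $id], [], [$name => 'x']));

// Only a malformed query-string value: NULL, so the caller takes the redirect branch.
var_dump(resolve_session_id($name, [], [$name => '../../etc/passwd'], []));

// What that redirect would look like for a request to /app/index.php over HTTPS.
echo fallback_redirect_url('www.example.test', '/app/index.php', $name, $id, true), "\n";
```

Running the script with `php` prints the three var_dump() results (mode "post", mode "cookie", then NULL) followed by a single Location URL carrying the id; the order of the $sources array is the whole precedence rule, so adding a 'both'-style option of the kind suggested in the thread is a matter of which entries are present in that array.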