Patches item #622686, was opened at 2002-10-13 18:49
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=403613&aid=622686&group_id=31885
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Giancarlo Pinerolo (pingus)
Assigned to: Nobody/Anonymous (nobody)
Summary: session4 to remove *any* sid from url
Initial Comment:
I applied this already to session.inc, and session4
misses it.
The explanation is not easy, but there are cases, and
with php4 there are a lot more than with plain old
php3lib, that one can pass over a 'known session id'
to some cookie-enabled client, and this will take
precedence over the availability, and in the past even
existence, of a cookie. Not cleaning completely the
session id string from the url makes solving that
problematic. In any case when we want to chop away eg
?Example_Session=xyz
we are not interested in what xyz contains, are we? We
want to chop that away in any case.
session4.inc method url()
384,385c384
< #
"([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)",
<
"([&?])".quotemeta(urlencode($this->name))."=(.)*(&|$)",
# we clean any(also
---
>
"([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)",
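Review bot: In the added pattern, `=(.)*(&|$)` is greedy, so `(.)*` runs through every following `&name=value` pair up to the end of the URL and strips those parameters together with the session id; `=[^&]*(&|$)` would stop at the end of the sid value. The extra parentheses in `(.)*` also add a capture group, which renumbers `(&|$)` from the second group to the third for any replacement that refers to it. The `<` and `>` sides look swapped as well: the `(.)*` line and the commented-out `$this->id` line sit on the `<` side and the untouched `$this->id` pattern on the `>` side, so the diff should be regenerated with the original file first.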
Then I am really not an expert with regex, but the concept
still applies.
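A sketch of removing the session parameter whatever value it carries, as the comment asks, shown next to the patch's pattern translated to PCRE syntax. This is an added example, not PHPLIB code; the function names, the sample URLs and the use of preg_replace are assumptions.

```php
<?php
// Added example, not PHPLIB code: function names and URLs are constructed.

// The patch's pattern, translated to PCRE syntax. "(.)*" is greedy, so it
// also swallows every parameter that follows the session id.
function strip_sid_greedy(string $url, string $name): string
{
    $pattern = '/([&?])' . preg_quote(urlencode($name), '/') . '=(.)*(&|$)/';
    return preg_replace($pattern, '$1', $url);
}

// Drop every "<name>=<any value>" pair and keep the other parameters.
function strip_sid(string $url, string $name): string
{
    // Set the fragment aside so it is never treated as part of a value.
    $fragment = '';
    if (($hash = strpos($url, '#')) !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    if (($q = strpos($url, '?')) === false) {
        return $url . $fragment;               // no query string
    }
    $key  = urlencode($name);                  // same encoding as the patch
    $kept = [];
    foreach (explode('&', substr($url, $q + 1)) as $pair) {
        // Compare the parameter name only; the value is irrelevant.
        if ($pair !== '' && explode('=', $pair, 2)[0] !== $key) {
            $kept[] = $pair;
        }
    }
    $query = $kept ? '?' . implode('&', $kept) : '';
    return substr($url, 0, $q) . $query . $fragment;
}

// Constructed sample URLs: sid first, last, repeated, and with a fragment.
$samples = [
    'page.php?Example_Session=xyz&id=7&lang=en',
    'page.php?id=7&Example_Session=abc',
    'page.php?Example_Session=a&id=7&Example_Session=b#top',
];
foreach ($samples as $u) {
    printf("%s\n  greedy: %s\n  split:  %s\n", $u,
        strip_sid_greedy($u, 'Example_Session'),
        strip_sid($u, 'Example_Session'));
}
```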