[Phplib-commit] CVS: php-lib-stable/php session.inc,1.16,1.17
Brought to you by:
nhruby,
richardarcher
Menu
▾
▴
[Phplib-commit] CVS: php-lib-stable/php session.inc,1.16,1.17
|
From: Giancarlo P. <pi...@us...> - 2002-06-03 04:35:54
|
Update of /cvsroot/phplib/php-lib-stable/php
In directory usw-pr-cvs1:/tmp/cvs-serv16406
Modified Files:
session.inc
Log Message:
fallback_mode only really w/o cookies, switch to permit creation of IDs provided
by the user
Index: session.inc
===================================================================
RCS file: /cvsroot/phplib/php-lib-stable/php/session.inc,v
retrieving revision 1.16
retrieving revision 1.17
diff -C2 -d -r1.16 -r1.17
*** session.inc 29 May 2002 15:11:20 -0000 1.16
--- session.inc 3 Jun 2002 04:35:50 -0000 1.17
***************
*** 20,24 ****
var $fallback_mode; ## If this doesn't work, fall back...
var $lifetime = 0; ## 0 = do session cookies, else minutes
-
var $cookie_domain = ""; ## If set, the domain for which the
## session cookie is set.
--- 20,23 ----
***************
*** 34,37 ****
--- 33,38 ----
var $allowcache_expire = 1440; ## If you allowcache, data expires in this
## many minutes.
+ var $block_alien_sid = true; ## do not accept IDs in URL for session creation
+
var $that_class = ""; ## Name of data storage container
***************
*** 112,115 ****
--- 113,124 ----
}
+ ### do not accept user provided ids for creation
+ if($id != "" && $this->block_alien_sid) { # somehow an id was provided by the user
+ if($this->that->ac_get_value($id, $this->name) == "") {
+ # no - the id doesn't exist in the database: Ignore it!
+ $id = "";
+ }
+ }
+
if ( "" == $id ) {
$this->newid=true;
***************
*** 129,140 ****
if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) {
$HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace(
! "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)",
"\\1", $HTTP_SERVER_VARS["QUERY_STRING"]);
}
break;
case "get":
if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) {
$HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace(
! "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)",
"\\1", $HTTP_SERVER_VARS["QUERY_STRING"]);
}
--- 138,159 ----
if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) {
$HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace(
! "(^|&)".quotemeta(urlencode($this->name))."=(.)*(&|$)", ## subst *any* preexistent sess
"\\1", $HTTP_SERVER_VARS["QUERY_STRING"]);
}
break;
case "get":
+ #we don't trust user input; session in url doesn't
+ #mean cookies are disabled
+ if ($this->newid &&( 0 == $this->lifetime )) { ## even if not a newid
+ SetCookie($this->name, $id, 0, "/", $this->cookie_domain);
+ }
+ if ( 0 < $this->lifetime ) {
+ SetCookie($this->name, $id, time()+$this->lifetime*60, "/", $this->cookie_domain);
+ }
+
if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) {
$HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace(
! # "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)",
! "(^|&)".quotemeta(urlencode($this->name))."=(.)*(&|$)", ## subst *any* preexistent sess
"\\1", $HTTP_SERVER_VARS["QUERY_STRING"]);
}
***************
*** 184,188 ****
// Remove existing session info from url
$url = ereg_replace(
! "([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)",
"\\1", $url);
--- 203,208 ----
// Remove existing session info from url
$url = ereg_replace(
! # "([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)",
! "([&?])".quotemeta(urlencode($this->name))."=(.)*(&|$)", # we clean any(also bogus) sess in url
"\\1", $url);
***************
*** 387,424 ****
global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS,
$HTTP_SERVER_VARS;
!
if ( isset($this->fallback_mode)
&& ("get" == $this->fallback_mode)
&& ("cookie" == $this->mode)
&& (! isset($HTTP_COOKIE_VARS[$this->name])) ) {
! // Looks like no cookie here - check GET/POST params
! if ( isset($HTTP_GET_VARS[$this->name])
! || isset($HTTP_POST_VARS[$this->name]) ) {
! // Session info passed via GET/POST - go to fallback_mode
! $this->mode = $this->fallback_mode;
! } else {
! // It seems to be the first load of this page -
! // no cookie and no GET/POST params
!
! // Generate session ID and setup cookie.
! $this->get_id($sid);
!
! // Next line is to generate correct self_url() later
! $this->mode = $this->fallback_mode;
!
if ( isset($HTTP_SERVER_VARS["HTTPS"])
! && $HTTP_SERVER_VARS["HTTPS"] == 'on' ) {
! ## You will need to fix suexec as well, if you
! ## use Apache and CGI PHP
! $PROTOCOL = 'https';
} else {
! $PROTOCOL = 'http';
}
header("Status: 302 Moved Temporarily");
header("Location: " . $PROTOCOL . "://" .
! $HTTP_SERVER_VARS["HTTP_HOST"] . $this->self_url());
exit;
! }
}
}
--- 407,437 ----
global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS,
$HTTP_SERVER_VARS;
! # set the mode for this run
if ( isset($this->fallback_mode)
&& ("get" == $this->fallback_mode)
&& ("cookie" == $this->mode)
&& (! isset($HTTP_COOKIE_VARS[$this->name])) ) {
+ $this->mode = $this->fallback_mode;
+ }
! if ($this->mode=="get") ## now it catches also when primary mode is get
! {
! $this->get_id($sid);
! if ($this->newid)
! {
if ( isset($HTTP_SERVER_VARS["HTTPS"])
! && $HTTP_SERVER_VARS["HTTPS"] == 'on' ) {
! ## You will need to fix suexec as well, if you
! ## use Apache and CGI PHP
! $PROTOCOL = 'https';
} else {
! $PROTOCOL = 'http';
}
+ $this->freeze();
header("Status: 302 Moved Temporarily");
header("Location: " . $PROTOCOL . "://" .
! $HTTP_SERVER_VARS["HTTP_HOST"] . $this->self_url());
exit;
! }
}
}
|