[Phplib-commit] CVS: php-lib-stable/php session.inc,1.16,1.17
From: Giancarlo P. <pi...@us...> - 2002-06-03 04:35:54
Update of /cvsroot/phplib/php-lib-stable/php In directory usw-pr-cvs1:/tmp/cvs-serv16406 Modified Files: session.inc Log Message: fallback_mode only really w/o cookies, switch to permit creation of IDs provided by the user Index: session.inc =================================================================== RCS file: /cvsroot/phplib/php-lib-stable/php/session.inc,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** session.inc 29 May 2002 15:11:20 -0000 1.16 --- session.inc 3 Jun 2002 04:35:50 -0000 1.17 *************** *** 20,24 **** var $fallback_mode; ## If this doesn't work, fall back... var $lifetime = 0; ## 0 = do session cookies, else minutes - var $cookie_domain = ""; ## If set, the domain for which the ## session cookie is set. --- 20,23 ---- *************** *** 34,37 **** --- 33,38 ---- var $allowcache_expire = 1440; ## If you allowcache, data expires in this ## many minutes. + var $block_alien_sid = true; ## do not accept IDs in URL for session creation + var $that_class = ""; ## Name of data storage container *************** *** 112,115 **** --- 113,124 ---- } + ### do not accept user provided ids for creation + if($id != "" && $this->block_alien_sid) { # somehow an id was provided by the user + if($this->that->ac_get_value($id, $this->name) == "") { + # no - the id doesn't exist in the database: Ignore it! + $id = ""; + } + } + if ( "" == $id ) { $this->newid=true; *************** *** 129,140 **** if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) { $HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace( ! "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)", "\\1", $HTTP_SERVER_VARS["QUERY_STRING"]); } break; case "get": if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) { $HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace( ! 
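Review bot: The comment on the new `var $block_alien_sid = true;` line (hunk 34,37) says IDs "in URL" are refused, but the guard it enables in the next hunk tests `$id` regardless of where it came from, so the comment understates what the flag does; `## reject a client-supplied session ID that the store does not already know, so a session is never created under an ID chosen by the client` describes it accurately. The same hunk adds `var $that_class = "";` as a container name while the guard dereferences `$this->that`, so the object must be instantiated somewhere outside these hunks; a comment naming that dependency on the `$that_class` line would help the next reader.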
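Review bot: The new guard in hunk 112,115 hands the raw, client-supplied `$id` to `$this->that->ac_get_value($id, $this->name)` before anything has checked its shape, so the storage container is the only thing standing between user input and whatever query it builds; whether it quotes the value cannot be seen here. A cheap defence-in-depth is to reject any `$id` that does not match the alphabet the generator produces before the lookup, e.g. `if ($id != "" && !ereg("^[A-Za-z0-9]+$", $id)) { $id = ""; }` with the character class adjusted to what get_id() actually emits (not visible in this diff). The `== ""` comparison is loose: it treats a `false` return as "unknown", which is presumably the intent, but it also discards a known session whose stored value happens to be empty, forcing a fresh ID — harmless, but worth a comment such as `# treats an empty/false store result as "unknown id"`. The enclosing function starts and ends outside the hunk.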
"(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)", "\\1", $HTTP_SERVER_VARS["QUERY_STRING"]); } --- 138,159 ---- if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) { $HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace( ! "(^|&)".quotemeta(urlencode($this->name))."=(.)*(&|$)", ## subst *any* preexistent sess "\\1", $HTTP_SERVER_VARS["QUERY_STRING"]); } break; case "get": + #we don't trust user input; session in url doesn't + #mean cookies are disabled + if ($this->newid &&( 0 == $this->lifetime )) { ## even if not a newid + SetCookie($this->name, $id, 0, "/", $this->cookie_domain); + } + if ( 0 < $this->lifetime ) { + SetCookie($this->name, $id, time()+$this->lifetime*60, "/", $this->cookie_domain); + } + if ( isset($HTTP_SERVER_VARS["QUERY_STRING"]) && ("" != $HTTP_SERVER_VARS["QUERY_STRING"]) ) { $HTTP_SERVER_VARS["QUERY_STRING"] = ereg_replace( ! # "(^|&)".quotemeta(urlencode($this->name))."=".$id."(&|$)", ! "(^|&)".quotemeta(urlencode($this->name))."=(.)*(&|$)", ## subst *any* preexistent sess "\\1", $HTTP_SERVER_VARS["QUERY_STRING"]); } *************** *** 184,188 **** // Remove existing session info from url $url = ereg_replace( ! "([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)", "\\1", $url); --- 203,208 ---- // Remove existing session info from url $url = ereg_replace( ! # "([&?])".quotemeta(urlencode($this->name))."=".$this->id."(&|$)", ! "([&?])".quotemeta(urlencode($this->name))."=(.)*(&|$)", # we clean any(also bogus) sess in url "\\1", $url); *************** *** 387,424 **** global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SERVER_VARS; ! if ( isset($this->fallback_mode) && ("get" == $this->fallback_mode) && ("cookie" == $this->mode) && (! isset($HTTP_COOKIE_VARS[$this->name])) ) { ! // Looks like no cookie here - check GET/POST params ! if ( isset($HTTP_GET_VARS[$this->name]) ! || isset($HTTP_POST_VARS[$this->name]) ) { ! 
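Review bot: The rewritten pattern `"(^|&)".quotemeta(urlencode($this->name))."=(.)*(&|$)"` in hunk 129,140 is greedy and `.` matches `&`, so it consumes from the session parameter to the end of QUERY_STRING and every parameter after it is lost; the old form was safe only because `$id` was a literal. Replace `(.)*` with a class that stops at the separator: `"(^|&)".quotemeta(urlencode($this->name))."=[^&]*(&|$)"`, and likewise in the `$url` rewrite of hunk 184,188 (`"([&?])".quotemeta(urlencode($this->name))."=[^&]*(&|$)"`). Two smaller points in the same hunk: the comment `## even if not a newid` on `if ($this->newid &&( 0 == $this->lifetime ))` contradicts the condition it annotates, and both new SetCookie calls read `$this->cookie_domain` although hunk 20,24 deletes the `var $cookie_domain` declaration — unless it is declared elsewhere outside these hunks, that is now an undefined property silently passed as the cookie domain. The enclosing switch starts before the hunk.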
// Session info passed via GET/POST - go to fallback_mode ! $this->mode = $this->fallback_mode; ! } else { ! // It seems to be the first load of this page - ! // no cookie and no GET/POST params ! ! // Generate session ID and setup cookie. ! $this->get_id($sid); ! ! // Next line is to generate correct self_url() later ! $this->mode = $this->fallback_mode; ! if ( isset($HTTP_SERVER_VARS["HTTPS"]) ! && $HTTP_SERVER_VARS["HTTPS"] == 'on' ) { ! ## You will need to fix suexec as well, if you ! ## use Apache and CGI PHP ! $PROTOCOL = 'https'; } else { ! $PROTOCOL = 'http'; } header("Status: 302 Moved Temporarily"); header("Location: " . $PROTOCOL . "://" . ! $HTTP_SERVER_VARS["HTTP_HOST"] . $this->self_url()); exit; ! } } } --- 407,437 ---- global $HTTP_COOKIE_VARS, $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SERVER_VARS; ! # set the mode for this run if ( isset($this->fallback_mode) && ("get" == $this->fallback_mode) && ("cookie" == $this->mode) && (! isset($HTTP_COOKIE_VARS[$this->name])) ) { + $this->mode = $this->fallback_mode; + } ! if ($this->mode=="get") ## now it catches also when primary mode is get ! { ! $this->get_id($sid); ! if ($this->newid) ! { if ( isset($HTTP_SERVER_VARS["HTTPS"]) ! && $HTTP_SERVER_VARS["HTTPS"] == 'on' ) { ! ## You will need to fix suexec as well, if you ! ## use Apache and CGI PHP ! $PROTOCOL = 'https'; } else { ! $PROTOCOL = 'http'; } + $this->freeze(); header("Status: 302 Moved Temporarily"); header("Location: " . $PROTOCOL . "://" . ! $HTTP_SERVER_VARS["HTTP_HOST"] . $this->self_url()); exit; ! } } } |
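Review bot: The redirect target in hunk 387,424 is still assembled from `$HTTP_SERVER_VARS["HTTP_HOST"]`, a client-supplied request header, so the Location the browser follows — now carrying the freshly created session ID in the URL — is whatever host the request claimed; where the deployment has a configured canonical hostname, prefer it here, e.g. `header("Location: " . $PROTOCOL . "://" . $canonical_host . $this->self_url());` with `$canonical_host` taken from configuration rather than the request. The new `$this->freeze()` before the redirect is what makes the round trip survive the creation guard, since the ID must exist in the store when the redirected request presents it; a one-line comment saying so, `# persist now so the redirected request's id passes the block_alien_sid check`, would keep a future cleanup from moving it. The enclosing function begins before the hunk.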