fallback error patch
Brought to you by:
nhruby,
richardarcher
For a detailed description, see the posts in the bugs
section (bug #487852).
The idea is to avoid the user seeing the Session ID in
the URL of a page when a session is started with
cookies and fallback enabled.
The code: replace in session.inc the function
release_token with the one in the attached file.
NOTE: I tested this only with IE5.5 and cookies
on/off, might need some more extensive testing...
Logged In: YES
user_id=373951
Unfortunately, it forces an endless loop on my system. But
I've solved the problem: the cause is that the get-var
won't be erased on the second reload. My solution updates
the url-rewriting function "url()" of the class "session":
function url($url) {
    // Drop a trailing "?" or "&" before anything is appended
    // (ereg_replace in the original; preg_replace is its PHP 7+ equivalent)
    $url = preg_replace('/[&?]+$/', '', $url);
    switch ($this->mode) {
        case "get":
            // Propagate the session id in the query string
            $url .= ( strpos($url, "?") !== false ? "&" : "?" ) .
                    urlencode($this->name) . "=" . $this->id;
            break;
        default:
            ## DS1 added -> BEGIN
            // Cookie mode: strip a session id that is still present in the URL,
            // otherwise the get-var survives the reload and the page loops
            $ssp = strpos($url, urlencode($this->name) . "=");
            if ($ssp > 0) {
                $sspe = strpos($url, "&", $ssp);
                if ($sspe > 0) {
                    // id is followed by more parameters: cut it out, keep the rest
                    $url = substr($url, 0, $ssp) . substr($url, $sspe + 1);
                } else {
                    // id is the last parameter
                    $url = substr($url, 0, $ssp);
                }
                // Remove the "?" left behind when the id was the only parameter
                if ($url[strlen($url) - 1] == "?") {
                    $url = substr($url, 0, strlen($url) - 1);
                }
            }
            ## DS1 added -> END
            break;
    }
    return $url;
}
I will soon add all mods to the "bigger patch".
Logged In: YES
user_id=114789
Sorry for forgetting to mention it, but the patch I sent works against
version 7.4rc1. In the new version the code in the url() function already
removes the session id (and it even has some comments in it: great!). I
think the main differences with your patch are:
- the id is removed in all modes (get mode too, then re-added)
- the id is removed only if it matches the current session id. This could be somewhat of a limitation, though:
what if the page receives an id different from what it expects?
Here's the code, you can check it out, or download the latest version of phplib and
give it a try:
function url($url) {
    // Remove existing session info from url
    // (ereg_replace/quotemeta in the original; preg_replace/preg_quote for PHP 7+)
    $url = preg_replace(
        '/([&?])' . preg_quote(urlencode($this->name), '/') . '=' .
            preg_quote($this->id, '/') . '(&|$)/',
        "\\1", $url);
    // Remove trailing ?/& if needed
    $url = preg_replace('/[&?]+$/', '', $url);
    switch ($this->mode) {
        case "get":
            $url .= ( strpos($url, "?") !== false ? "&" : "?" ) .
                    urlencode($this->name) . "=" . $this->id;
            break;
        default:
            break;
    }
    // Encode naughty characters in the URL
    $url = str_replace(array("<", ">", " ", "\"", "'"),
                       array("%3C", "%3E", "+", "%22", "%27"), $url);
    return $url;
}
Gaetano
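As an added example (not phplib code and not from either poster), the following function addresses the two points raised in this thread: it strips the session parameter by parsing the URL instead of matching a regex, so a parameter that merely starts with the session name is left alone and the removal does not depend on the id matching the current one, and it reports when the URL carried an id other than the expected one. The names `$name` and `$expectedId` are stand-ins for phplib's `$this->name` and `$this->id`; the sample URLs are constructed.

```php
<?php
// Strip the session parameter $name from $url, whatever its value, and report
// whether the value differed from $expectedId (a foreign id a cookie-based
// session should not silently adopt). Returns [cleaned URL, foreign-id flag].
function strip_session_param(string $url, string $name, ?string $expectedId = null): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return [$url, false];            // nothing to strip
    }
    parse_str($parts['query'], $params);  // exact key match, so "x" . $name is untouched
    $found = null;
    if (array_key_exists($name, $params)) {
        $found = (string) $params[$name];
        unset($params[$name]);
    }
    // Rebuild the URL from its components; an empty query drops the "?" and
    // the fragment is preserved instead of being swallowed by a regex.
    $rebuilt = '';
    if (isset($parts['scheme'])) { $rebuilt .= $parts['scheme'] . '://'; }
    if (isset($parts['host']))   { $rebuilt .= $parts['host']; }
    if (isset($parts['port']))   { $rebuilt .= ':' . $parts['port']; }
    $rebuilt .= $parts['path'] ?? '';
    if ($params !== []) { $rebuilt .= '?' . http_build_query($params); }
    if (isset($parts['fragment'])) { $rebuilt .= '#' . $parts['fragment']; }
    $foreign = ($found !== null && $expectedId !== null && $found !== $expectedId);
    return [$rebuilt, $foreign];
}

// Constructed sample URLs covering the cases discussed above.
$name = 'PHPSESSID';
$id   = 'abc123';
foreach ([
    "page.php?PHPSESSID=abc123",              // only the session id
    "page.php?a=1&PHPSESSID=abc123&b=2#top",  // in the middle, with a fragment
    "page.php?xPHPSESSID=abc123&a=1",         // different parameter, must stay
    "page.php?PHPSESSID=zzz999&a=1",          // an id that is not ours
] as $u) {
    [$clean, $foreign] = strip_session_param($u, $name, $id);
    printf("%-40s -> %-28s foreign id: %s\n", $u, $clean, $foreign ? 'yes' : 'no');
}
```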