Update of /cvsroot/phpmychat/phpMyChat-0.15/chat/lib
In directory usw-pr-cvs1:/tmp/cvs-serv2053/chat/lib
Modified Files:
db_sessions.lib.php3
Log Message:
Increased security: a session id must be associated with the same IP address to be accepted as valid.
Index: db_sessions.lib.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat-0.15/chat/lib/db_sessions.lib.php3,v
retrieving revision 1.12
retrieving revision 1.13
diff -C2 -r1.12 -r1.13
*** db_sessions.lib.php3 2001/05/16 20:56:24 1.12
--- db_sessions.lib.php3 2001/05/27 15:21:32 1.13
***************
*** 21,27 ****
// | ( |
// | session_id varchar(32) NOT NULL, |
// | last int(11) unsigned NOT NULL DEFAULT '0', |
// | data text, |
! // | PRIMARY KEY (id), |
// | KEY last (last) |
// | ); |
--- 21,28 ----
// | ( |
// | session_id varchar(32) NOT NULL, |
+ // | ip varchar(15) NOT NULL, |
// | last int(11) unsigned NOT NULL DEFAULT '0', |
// | data text, |
! // | PRIMARY KEY (session_id), |
// | KEY last (last) |
// | ); |
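Review bot: The documented `ip` column is `varchar(15)`, which holds a dotted-quad IPv4 address but not an IPv6 literal (up to 39 characters, 45 with an IPv4-mapped suffix). If the real table matches this comment, MySQL in non-strict mode silently truncates a longer address on the `INSERT`, and the `SELECT ... AND ip = ...` lookup in dbSessionStart, which compares the full string, would then never match, so such clients would lose their session on every request. Suggest documenting the column as `// |   ip          varchar(45) NOT NULL,   |` and widening the real schema to match.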
***************
*** 356,359 ****
--- 357,395 ----
/**
+ * Get the ip of the user
+ *
+ * This informations is used to ensure the id is not a hacked one
+ *
+ * @return string the ip of the user
+ *
+ * @access public
+ * @see dbSessionStart()
+ */
+ function dbSessionGetIp()
+ {
+ if (!isset($GLOBALS['REMOTE_ADDR']))
+ {
+ if (isset($GLOBALS['HTTP_ENV_VARS'])
+ && isset($GLOBALS['HTTP_ENV_VARS']['REMOTE_ADDR']))
+ {
+ return $GLOBALS['HTTP_ENV_VARS']['REMOTE_ADDR'];
+ }
+ else if (@getenv('REMOTE_ADDR'))
+ {
+ return getenv('REMOTE_ADDR');
+ }
+ else
+ {
+ return '';
+ }
+ }
+ else
+ {
+ return $GLOBALS['REMOTE_ADDR'];
+ }
+ } // end of the 'dbSessionGetIp()' function
+
+
+ /**
* Initialize session data
*
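Review bot: `dbSessionGetIp()` returns `''` when no address can be found (the final `else` after the `@getenv` branch), and both callers then store and compare that empty string, so every client whose address is unknown shares one "ip" and the new check is silently a no-op for them; consider having dbSessionStart treat an empty address as "no valid session" rather than matching `ip = ''`. The `$GLOBALS['REMOTE_ADDR']` lookup is worth a comment as well: under register_globals that name may be populated from request input rather than by the web server depending on `variables_order`, so a server-supplied array should be preferred where the supported PHP versions provide one — which versions this file targets is not visible here. The `@` on `getenv()` also hides any notice about the call itself; `getenv()` returns `false` rather than raising, so the suppression can be dropped. The docblock wording should read `This information is used to ensure the id is not a hacked one`.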
***************
*** 368,372 ****
*
* @access public
! * @see dbSessionInit()
*/
function dbSessionStart()
--- 404,408 ----
*
* @access public
! * @see dbSessionInit(), dbSessionGetIp
*/
function dbSessionStart()
***************
*** 400,404 ****
{
// The ID exists in the database -> get session data
! $dbSessionDbLink->query("SELECT data FROM $dbSessionDbTable WHERE session_id = '$dbSessionId' LIMIT 1");
if (list($serialized) = $dbSessionDbLink->nextRecord())
{
--- 436,440 ----
{
// The ID exists in the database -> get session data
! $dbSessionDbLink->query("SELECT data FROM $dbSessionDbTable WHERE session_id = '$dbSessionId' AND ip = '" . dbSessionGetIp() . "' LIMIT 1");
if (list($serialized) = $dbSessionDbLink->nextRecord())
{
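Review bot: The value returned by `dbSessionGetIp()` is concatenated into the SQL string unescaped on the `SELECT` line, and likewise in the `INSERT` of the last hunk; `$dbSessionId` was already interpolated the same way, but this new value is the one the commit relies on for security, and because `dbSessionGetIp()` may read `$GLOBALS['REMOTE_ADDR']` its contents are not guaranteed to be server-supplied. Escape it with the DB wrapper's quoting if it has one, or at minimum `addslashes()`, e.g. `... AND ip = '" . addslashes(dbSessionGetIp()) . "' LIMIT 1`, or validate it against an address pattern before use. Separately, when the id exists but the ip differs, this `SELECT` now returns no row; if the code after it (outside the hunk) treats the id as new and later reaches the `INSERT` with the same `$dbSessionId`, it will collide on the `session_id` primary key, so it is worth confirming that the id is regenerated in that case. dbSessionStart's body begins and continues outside the hunk.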
***************
*** 708,712 ****
else
{
! $dbSessionDbLink->query("INSERT INTO $dbSessionDbTable (session_id, last, data) VALUES ('$dbSessionId', " . time() . ", '$serialized')");
}
--- 744,748 ----
else
{
! $dbSessionDbLink->query("INSERT INTO $dbSessionDbTable (session_id, ip, last, data) VALUES ('$dbSessionId', '" . dbSessionGetIp() . "', " . time() . ", '$serialized')");
}