Changeset 1007


Timestamp:
01/18/06 16:16:30 (14 years ago)
Author:
nikrou
Message:

bug fix 261: improve security of sessions (follow-up to svn:1004):

  • improve presentation code style
  • add upgrade database file
Location:
trunk
Files:
1 added
3 edited

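--- a/trunk/admin.php
+++ b/trunk/admin.php
@@ -87,5 +87,5 @@
     'U_USERS'=> $link_start.'user_list',
     'U_GROUPS'=> $link_start.'group_list',
-    'U_RETURN'=> PHPWG_ROOT_PATH.'category.php'
+    'U_RETURN'=> PHPWG_ROOT_PATH.'category.php',
     'U_ADMIN'=> PHPWG_ROOT_PATH.'admin.php',
     'L_ADMIN' => $lang['admin'],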
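--- a/trunk/include/config_default.inc.php
+++ b/trunk/include/config_default.inc.php
@@ -265,17 +265,20 @@
 // +-----------------------------------------------------------------------+
 
-// specifies to use cookie to store the session id on client side
-$conf['session_use_cookies'] = 1;
-
-// specifies to only use cookie to store the session id on client side
-$conf['session_use_only_cookies'] = 1;
-
-// do not use transparent session id support
-$conf['session_use_trans_sid'] = 0;
-
-// specifies the name of the session which is used as cookie name
+// session_use_cookies: specifies to use cookie to store 
+// the session id on client side
+$conf['session_use_cookies'] = true;
+
+// session_use_only_cookies: specifies to only use cookie to store 
+// the session id on client side
+$conf['session_use_only_cookies'] = true;
+
+// session_use_trans_sid: do not use transparent session id support
+$conf['session_use_trans_sid'] = false;
+
+// session_name: specifies the name of the session which is used as cookie name
 $conf['session_name'] = 'pwg_id';
 
-// comment the line below to use file handler for sessions.
+// session_save_handler: comment the line below 
+// to use file handler for sessions.
 $conf['session_save_handler'] = 'db';
 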
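Review bot: The three session_use_* settings now hold booleans, yet in functions_session.inc.php of this same changeset only `session_use_trans_sid` is wrapped in `intval()` before `ini_set()`, while `session_use_cookies` and `session_use_only_cookies` are handed over as bare booleans. `ini_set()` stringifies `false` to `''`, which PHP's ini parser reads as off, so both forms work, but the asymmetry leaves a reader guessing whether it is deliberate; apply `intval()` to all three or to none, and state the reason next to the settings, e.g. `// booleans are stringified by ini_set(); intval() keeps the value an explicit 0/1`. The comments on `session_use_trans_sid` and `session_save_handler` describe the setting only in the negative ("do not use", "comment the line below"); a sentence naming what the setting controls, such as `// session_use_trans_sid: whether PHP may carry the session id in URLs instead of the cookie`, would document the option rather than the default.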
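--- a/trunk/include/functions_session.inc.php
+++ b/trunk/include/functions_session.inc.php
@@ -26,18 +26,31 @@
 // +-----------------------------------------------------------------------+
 
-if (isset($conf['session_save_handler']) and ($conf['session_save_handler'] == 'db')) {
+if (isset($conf['session_save_handler']) 
+  and ($conf['session_save_handler'] == 'db')) 
+{
   session_set_save_handler('pwg_session_open', 
-                           'pwg_session_close',
-                           'pwg_session_read',
-                           'pwg_session_write',
-                           'pwg_session_destroy',
-                           'pwg_session_gc'
-                           );
+    'pwg_session_close',
+    'pwg_session_read',
+    'pwg_session_write',
+    'pwg_session_destroy',
+    'pwg_session_gc'
+  );
 }
-
-ini_set('session.use_cookies', $conf['session_use_cookies']);
-ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
-ini_set('session.use_trans_sid', $conf['session_use_trans_sid']);
-ini_set('session.name', $conf['session_name']);
+if (isset($conf['session_use_cookies'])) 
+{ 
+  ini_set('session.use_cookies', $conf['session_use_cookies']);
+}
+if (isset($conf['session_use_only_cookies']))
+{
+  ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
+}
+if (isset($conf['session_use_trans_sid']))
+{
+  ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
+}
+if (isset($conf['session_name']))
+{
+  ini_set('session.name', $conf['session_name']);
+}
 
 function pwg_session_open($path, $name) 
@@ -54,11 +67,15 @@
 function pwg_session_read($session_id) 
 {
-  $query = "SELECT data FROM " . SESSIONS_TABLE;
-  $query .= " WHERE id = '$session_id'";
+  $query = '
+SELECT data FROM '.SESSIONS_TABLE.'
+  WHERE id = \''.$session_id.'\'';
   $result = pwg_query($query);
-  if ($result) {
+  if ($result) 
+  {
     $row = mysql_fetch_assoc($result);
     return $row['data'];
-  } else {
+  } 
+  else 
+  {
     return '';
   }
@@ -67,14 +84,20 @@
 function pwg_session_write($session_id, $data) 
 {
-  $query = "SELECT id FROM " . SESSIONS_TABLE;
-  $query .= " WHERE id = '$session_id'";
+  $query = '
+SELECT id FROM '.SESSIONS_TABLE.'
+  WHERE id = \''.$session_id.'\'';
   $result = pwg_query($query);
-  if (mysql_num_rows($result)) {
-    $query = "UPDATE " . SESSIONS_TABLE . " SET expiration = now()";
-    $query .= " WHERE id = '$session_id'";    
+  if (mysql_num_rows($result)) 
+  {
+    $query = '
+UPDATE '.SESSIONS_TABLE.' SET expiration = now()
+  WHERE id = \''.$session_id.'\'';    
     pwg_query($query);
-  } else {
-    $query = "INSERT INTO " . SESSIONS_TABLE . " (id,data,expiration)";
-    $query .= " VALUES('$session_id','$data',now())";
+  } 
+  else 
+  {
+    $query = '
+INSERT INTO '.SESSIONS_TABLE.'(id,data,expiration)
+  VALUES(\''.$session_id.'\',\''.$data.'\',now())';
     pwg_query($query);    
   }
@@ -84,6 +107,7 @@
 function pwg_session_destroy($session_id) 
 {
-  $query = "DELETE FROM " . SESSIONS_TABLE;
-  $query .= " WHERE id = '$session_id'";
+  $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+  WHERE id = '.$session_id;
   pwg_query($query);
   return true;
@@ -94,6 +118,8 @@
   global $conf;
 
-  $query = "DELETE FROM " . SESSIONS_TABLE;
-  $query .= " WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > " . $conf['session_length'];
+  $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+  WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > '
+  .$conf['session_length'];
   pwg_query($query);
   return true;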