Changeset 2756

Timestamp:

10/16/08 02:35:30 (5 years ago)

Author:

rvelices

Message:

- security paranoia: protect session/remember me cookies from XSS attacks (works only if php>=5.2 and with IE/FF maybe others)

Location:

branches/2.0/include

Files:

• functions_session.inc.php (modified) (1 diff)
• functions_user.inc.php (modified) (3 diffs)
• user.inc.php (modified) (1 diff)
• ws_functions.inc.php (modified) (6 diffs)

branches/2.0/include/functions_session.inc.php

@@ -67 +67 @@
     ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
     ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
+    ini_set('session.cookie_httponly', 1);
   }
   session_name($conf['session_name']);

branches/2.0/include/functions_user.inc.php

@@ -1014 +1014 @@
     {
       $cookie = $user_id.'-'.$now.'-'.$key;
-      setcookie($conf['remember_me_name'],
+      if (version_compare(PHP_VERSION, '5.2', '>=') )
+      {
+        setcookie($conf['remember_me_name'],
             $cookie,
             time()+$conf['remember_me_length'],
-            cookie_path()
+            cookie_path(),ini_get('session.cookie_domain'),ini_get('session.cookie_secure'),
+            ini_get('session.cookie_httponly')
           );
+      }
+      else
+      {
+        setcookie($conf['remember_me_name'],
+            $cookie,
+            time()+$conf['remember_me_length'],
+            cookie_path(),ini_get('session.cookie_domain'),ini_get('session.cookie_secure')
+          );
+      }
     }
   }
   else
   { // make sure we clean any remember me ...
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
   }
   if ( session_id()!="" )
@@ -1063 +1075 @@
       }
     }
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
   }
   return false;
@@ -1091 +1103 @@
   trigger_action('login_failure', $username);
   return false;
+}
+
+/** Performs all the cleanup on user logout */
+function logout_user()
+{
+  global $conf;
+  $_SESSION = array();
+  session_unset();
+  session_destroy();
+  setcookie(session_name(),'',0,
+      ini_get('session.cookie_path'),
+      ini_get('session.cookie_domain')
+    );
+  setcookie($conf['remember_me_name'], '', 0, cookie_path(),ini_get('session.cookie_domain'));
 }
 

branches/2.0/include/user.inc.php

@@ -30 +30 @@
   if (isset($_GET['act']) and $_GET['act'] == 'logout')
   { // logout
-    $_SESSION = array();
-    session_unset();
-    session_destroy();
-    setcookie(session_name(),'',0,
-        ini_get('session.cookie_path'),
-        ini_get('session.cookie_domain')
-      );
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    logout_user();
     redirect(make_index_url());
   }

branches/2.0/include/ws_functions.inc.php

@@ -1108 +1108 @@
 function ws_session_logout($params, &$service)
 {
-  global $user, $conf;
   if (!is_a_guest())
   {
-    $_SESSION = array();
-    session_unset();
-    session_destroy();
-    setcookie(session_name(),'',0,
-        ini_get('session.cookie_path'),
-        ini_get('session.cookie_domain')
-      );
-    setcookie($conf['remember_me_name'], '', 0, cookie_path());
+    logout_user();
   }
   return true;
@@ -1356 +1348 @@
 
   invalidate_user_cache();
-  
+
   return $creation_output;
 }
@@ -1394 +1386 @@
     PREG_SPLIT_NO_EMPTY
     );
-  
+
   $query = '
 SELECT
@@ -1400 +1392 @@
     md5sum
   FROM '.IMAGES_TABLE.'
-  WHERE md5sum IN (\''.implode("','", $md5sums).'\')  
+  WHERE md5sum IN (\''.implode("','", $md5sums).'\')
 ;';
   $id_of_md5 = simple_hash_from_query($query, 'md5sum', 'id');
 
   $result = array();
-  
+
   foreach ($md5sums as $md5sum)
   {
@@ -1432 +1424 @@
   // thumbnail_content
   // thumbnail_sum
-  
+
   $params['image_id'] = (int)$params['image_id'];
   if ($params['image_id'] <= 0)
@@ -1486 +1478 @@
       );
   }
-  
+
   if (isset($params['categories']))
   {