Changeset 1004 for trunk/picture.php


Timestamp:
Jan 15, 2006, 2:45:42 PM (18 years ago)
Author:
nikrou
Message:

Improve security of sessions:

  • use only cookies to store session id on client side
  • use default php session system with database handler to store sessions on server side
File:
1 edited

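--- a/trunk/picture.php
+++ b/trunk/picture.php
@@ -77,5 +77,5 @@
 {
   echo '<div style="text-align:center;">'.$lang['access_forbiden'].'<br />';
-  echo '<a href="'.add_session_id( PHPWG_ROOT_PATH.'category.php' ).'">';
+  echo '<a href="'.PHPWG_ROOT_PATH.'category.php'.'">';
   echo $lang['thumbnails'].'</a></div>';
   exit();
@@ -324,16 +324,15 @@
       // there is no favorite picture anymore we redirect the user to the
       // category page
-      $url = add_session_id($url_up);
-      redirect($url);
+      redirect($url_up);
     }
     else if (!$has_prev)
     {
       $url = str_replace( '&amp;', '&', $picture['next']['url'] );
-      $url = add_session_id( $url, true);
+      redirect( $url );
     }
     else
     {
       $url = str_replace('&amp;', '&', $picture['prev']['url'] );
-      $url = add_session_id( $url, true);
+      redirect( $url );
     }
     redirect( $url );
@@ -523,10 +522,10 @@
   'L_UP_ALT' => $lang['home'],
 
-  'U_HOME' => add_session_id(PHPWG_ROOT_PATH.'category.php'),
-  'U_UP' => add_session_id($url_up),
-  'U_METADATA' => add_session_id($url_metadata),
-  'U_ADMIN' => add_session_id($url_admin),
-  'U_SLIDESHOW'=> add_session_id($url_slide),
-  'U_ADD_COMMENT' => add_session_id(str_replace( '&', '&amp;', $_SERVER['REQUEST_URI'] ))
+  'U_HOME' => (PHPWG_ROOT_PATH.'category.php'),
+  'U_UP' => $url_up,
+  'U_METADATA' => $url_metadata,
+  'U_ADMIN' => $url_admin,
+  'U_SLIDESHOW'=> $url_slide,
+  'U_ADD_COMMENT' => str_replace( '&', '&amp;', $_SERVER['REQUEST_URI'] )
   )
 );
@@ -585,8 +584,6 @@
     array(
       'URL' =>
-      add_session_id(
         PHPWG_ROOT_PATH.'picture.php'
         .get_query_string_diff(array('caddie')).'&amp;caddie=1')
-      )
     );
 }
@@ -646,5 +643,5 @@
       'TITLE_IMG' => $picture['prev']['name'],
       'IMG' => $picture['prev']['thumbnail'],
-      'U_IMG' => add_session_id($picture['prev']['url'])
+      'U_IMG' => $picture['prev']['url']
       ));
 }
@@ -657,5 +654,5 @@
       'TITLE_IMG' => $picture['next']['name'],
       'IMG' => $picture['next']['thumbnail'],
-      'U_IMG' => add_session_id($picture['next']['url'])
+      'U_IMG' => $picture['next']['url']
       ));
 }
@@ -680,9 +677,7 @@
   $infos['INFO_AUTHOR'] =
     '<a href="'.
-    add_session_id(
       PHPWG_ROOT_PATH.'category.php?cat=search'.
       '&amp;search=author:'.$picture['current']['author']
-      ).
-    '">'.$picture['current']['author'].'</a>';
+      .'">'.$picture['current']['author'].'</a>';
 }
 else
@@ -696,9 +691,7 @@
   $infos['INFO_CREATION_DATE'] =
     '<a href="'.
-    add_session_id(
       PHPWG_ROOT_PATH.'category.php?cat=search'.
       '&amp;search=date_creation:'.$picture['current']['date_creation']
-      ).
-    '">'.format_date($picture['current']['date_creation']).'</a>';
+      .'">'.format_date($picture['current']['date_creation']).'</a>';
 }
 else
@@ -710,10 +703,8 @@
 $infos['INFO_AVAILABILITY_DATE'] =
   '<a href="'.
-  add_session_id(
     PHPWG_ROOT_PATH.'category.php?cat=search'.
     '&amp;search=date_available:'.
     substr($picture['current']['date_available'], 0, 10)
-    ).
-    '">'.
+    .'">'.
   format_date($picture['current']['date_available'], 'mysql_datetime').
   '</a>';
@@ -764,8 +755,6 @@
       '/([^,]+)/',
       '<a href="'.
-      add_session_id(
         PHPWG_ROOT_PATH.'category.php?cat=search&amp;search=keywords:$1'
-        ).
-      '">$1</a>',
+        .'">$1</a>',
       $picture['current']['keywords']
       );
@@ -891,5 +880,5 @@
 
   $template->assign_block_vars('stop_slideshow', array(
-  'U_SLIDESHOW'=>add_session_id( $picture['current']['url'] )
+  'U_SLIDESHOW'=>$picture['current']['url']
   ));
 }
@@ -1044,5 +1033,5 @@
       $template->assign_block_vars(
         'comments.comment.delete',
-        array('U_COMMENT_DELETE'=>add_session_id( $url.'&amp;del='.$row['id'])
+        array('U_COMMENT_DELETE'=> $url.'&amp;del='.$row['id']
           ));
     }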
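Review bot: `U_ADD_COMMENT` (new line 529, hunk at old lines 523–532) still writes `$_SERVER['REQUEST_URI']` into an href attribute with only `&` rewritten to `&amp;`, so a `"` or `<` present in the raw request URI reaches the attribute unescaped; `'U_ADD_COMMENT' => htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES)` covers quotes and angle brackets and still yields `&amp;` for `&`. Whether the raw URI can carry such characters depends on the web server in front of PHP, so this is a missing output escape to fix rather than a confirmed issue. Separately, in the hunk at old lines 324–339 every branch of the if/else chain now calls redirect() itself, so the trailing `redirect( $url );` at new line 338 is either unreachable (if redirect() terminates the script, as the old first branch's redirect-then-redirect already suggested) or a second redirect using a `$url` the first branch never assigns; dropping that trailing call would make the flow explicit. The enclosing if/else block in that hunk starts before the hunk.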