Changeset 2521 for trunk/include/functions_session.inc.php

Timestamp:

Sep 12, 2008, 4:17:35 AM (16 years ago)

Author:

rvelices

Message:

• images.file categories.permalink old_permalinks.permalink - become binary
• session security improvement: now the sessions are valid only for originating ip addr (with mask 255.255.0.0 to allow users behind load balancing proxies) -> stealing the session cookie is almost a non issue (with the exception of the 65536 machines in range)
• metadata sync from the sync button does not overwrite valid data with empty metadata
• other small fixes/enhancements:
  • added event get_category_image_orders
  • fix display issue with redirect.tpl (h1/h2 within h1)
  • fix known_script smarty function registration
  • query search form not submitted if q is empty
  • better admin css rules
  • some other minor changes (ws_core, rest_handler, functions_search...)

File:

• trunk/include/functions_session.inc.php (modified) (5 diffs)

trunk/include/functions_session.inc.php

@@ -91 +91 @@
 }
 
+function get_remote_addr_session_hash()
+{
+        return vsprintf( "%02X%02X", explode('.',$_SERVER['REMOTE_ADDR']) );
+}
+
 /**
  * this function returns
@@ -103 +108 @@
 SELECT data
   FROM '.SESSIONS_TABLE.'
-  WHERE id = \''.$session_id.'\'
+  WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
   $result = pwg_query($query);
@@ -129 +134 @@
   SET expiration = now(),
   data = \''.$data.'\'
-  WHERE id = \''.$session_id.'\'
+  WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
   pwg_query($query);
@@ -139 +144 @@
 INSERT INTO '.SESSIONS_TABLE.'
   (id,data,expiration)
-  VALUES(\''.$session_id.'\',\''.$data.'\',now())
+  VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.$data.'\',now())
 ;';
   mysql_query($query);
@@ -155 +160 @@
 DELETE
   FROM '.SESSIONS_TABLE.'
-  WHERE id = \''.$session_id.'\'
+  WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
   pwg_query($query);