Shared http/https sessions by rob richards from the forums
authorgarvinhicking <garvinhicking>
Thu, 8 Feb 2007 12:08:43 +0000 (12:08 +0000)
committergarvinhicking <garvinhicking>
Thu, 8 Feb 2007 12:08:43 +0000 (12:08 +0000)
docs/NEWS
include/functions_config.inc.php
plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php
rss.php
serendipity_admin.php
serendipity_config.inc.php

index 270ee5d80f0b2fbe569afe931a38dcf850f9ee74..0f6aac53aea35c2617677612d5e8aaef3f45fc1b 100644 (file)
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@
 Version 1.2 ()
 ------------------------------------------------------------------------
 
+    * Support shared http/https sessions. Performing admin actions will
+      only be allowed (through tokens) on the protocol that was used for
+      login. Patch by Rob Richards
+      (http://board.s9y.org/viewtopic.php?p=49276)
+
     * Added PDO:PostgreSQL support (Theo Schlossnagle)
 
     * Dutch translation update with many fixes by Sam Geeraerts
index 456c59e747363942117cbf81b1c861b93f34fe2c..78f96ca7fc086eebd158ce495a099ecf7060b24a 100644 (file)
@@ -436,6 +436,12 @@ function serendipity_checkAutologin($ident, $iv) {
     return $cookie;
 }
 
+function serendipity_setAuthorToken() {
+        $hash = sha1(uniqid(rand(), true));
+        serendipity_setCookie('author_token', $hash);
+        $_SESSION['author_token'] = $hash;
+}
+
 /**
  * Perform user authentication routine
  *
@@ -479,7 +485,10 @@ function serendipity_authenticate_author($username = '', $password = '', $is_md5
         $row =& serendipity_db_query($query, true, 'assoc');
 
         if (is_array($row)) {
-            serendipity_setCookie('old_session', session_id());
+            serendipity_setCookie('old_session', session_id(), false);
+            if (!$is_md5) {
+                serendipity_setAuthorToken();
+            }
             $_SESSION['serendipityUser']        = $serendipity['serendipityUser']         = $username;
             $_SESSION['serendipityRealname']    = $serendipity['serendipityRealname']     = $row['realname'];
             $_SESSION['serendipityPassword']    = $serendipity['serendipityPassword']     = $password;
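Review bot: The token is only issued when `!$is_md5`, but the check added in serendipity_admin.php requires `$_SESSION['author_token']` to exist, so a session authenticated through the `$is_md5` branch that never previously obtained a token appears to be destroyed on its next admin request; if that branch is the cookie autologin path (serendipity_checkAutologin sits just above), please confirm this is intended or call `serendipity_setAuthorToken()` unconditionally here. Separately, the accepted-credentials branch keeps the session id that existed before authentication; calling `session_regenerate_id(true);` before the token is stored would close the usual fixation gap, which matters more now that the id is also written to the deliberately non-secure `old_session` cookie. serendipity_authenticate_author begins and ends outside this hunk.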
@@ -560,10 +569,14 @@ function serendipity_JSsetCookie($name, $value) {
  * @param   string      The contents of the cookie variable
  * @return null
  */
-function serendipity_setCookie($name,$value) {
+function serendipity_setCookie($name, $value, $securebyprot = true) {
     global $serendipity;
 
-    $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;
+    if ($securebyprot) {
+        $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;
+    } else {
+        $secure = false;
+    }
     setcookie("serendipity[$name]", $value, time()+60*60*24*30, $serendipity['serendipityHTTPPath'], $_SERVER['HTTP_HOST'], $secure);
     $_COOKIE[$name] = $value;
     $serendipity['COOKIE'][$name] = $value;
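Review bot: The new branch reads `$_SERVER['HTTPS']` without an `isset()` guard, whereas the code this commit removes from serendipity_config.inc.php had one, so plain-HTTP requests on servers that do not define the key will raise a notice from inside every cookie write; the five lines collapse to `$secure = $securebyprot && isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';`. The docblock directly above the signature still documents only `$name` and `$value`; add `@param bool Whether to mark the cookie secure-only when the request arrived over HTTPS (default true)` for the new parameter. Since the token cookie is now a login credential, it is also worth considering the `httponly` argument of `setcookie()` here, which the wrapper currently never passes. serendipity_setCookie's body continues past the hunk.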
index 1dddc9770d57654d9b66b7cacafdf4f8a9e941bd..cf2beb812184875612dc8aaeb5073d1ba307e764 100644 (file)
@@ -60,7 +60,7 @@ class serendipity_event_templatechooser extends serendipity_event
 
                 if (isset($_REQUEST['user_template']) && (in_array($_REQUEST['user_template'], serendipity_fetchTemplates())) ) {
                     $_SESSION['serendipityUseTemplate'] = $_REQUEST['user_template'];
-                    serendipity_setCookie('user_template', $_REQUEST['user_template']);
+                    serendipity_setCookie('user_template', $_REQUEST['user_template'], false);
                 }
 
                 if (isset($_SESSION['serendipityUseTemplate']) ) {
diff --git a/rss.php b/rss.php
index 476911115b3744531d492509e7099008e704166f..973fd98e22d4c828c7647a22d06ddfb467bce3f4 100644 (file)
--- a/rss.php
+++ b/rss.php
@@ -231,7 +231,7 @@ switch($version) {
 
     case 'atom1.0':
         // For people wanting extra RFC compliance
-        // header('Content-Type: application/atom+xml; charset=utf8');
+        // header('Content-Type: application/atom+xml; charset=utf-8');
         $namespace_hook = 'frontend_display:atom-1.0:namespace';
         break;
 }
index 965caa0710304ba4b55eb68063e58d31f3b8a468..783e4871d9dcbada6c8f99c7e3fa95efde064987 100644 (file)
@@ -25,9 +25,17 @@ if (IS_installed === false) {
 if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'logout') {
     serendipity_logout();
 } else {
-    if (IS_installed === true && !serendipity_userLoggedIn()) {
-        // Try again to log in, this time with enabled external authentication event hook
-        serendipity_login(true);
+    if (IS_installed === true) {
+        /* Check author token to insure session not hijacked */
+        if (!isset($_SESSION['author_token']) || !isset($serendipity['COOKIE']['author_token']) || 
+            ($_SESSION['author_token'] !== $serendipity['COOKIE']['author_token'])) {
+            $_SESSION['serendipityAuthedUser'] = false;
+            @session_destroy();
+        }
+        if (!serendipity_userLoggedIn()) {
+            // Try again to log in, this time with enabled external authentication event hook
+            serendipity_login(true);
+        }
     }
 }
 
index 68076e7969913e16c990d236fc352fecb16ec293..e65af40035d6075c76586de6e3b6d48aa7ea24c6 100644 (file)
@@ -9,10 +9,6 @@ if (defined('S9Y_FRAMEWORK')) {
 @define('S9Y_FRAMEWORK', true);
 
 if (!headers_sent()) {
-    if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
-        @ini_set('session.name', 'SSLSID');
-        @ini_set('session.cookie_secure', '1');
-    }
     session_start();
 }