Fixes an Internet Explorer bug that sends cookies to different sites if
they have the same ending, e.g. a moodle.com cookie is sent to smec.moodle.com!!
Also fixes the case where multiple Moodle installations are in different
directories on the same server. When you go from one to the other, the
first session will now be destroyed (you can't be logged in to the two
at the same time). It's just a lot safer this way, for now.
Basically this works by storing the wwwroot variable in the session
and checking it on every page.
// First check that the user is logged in to the site.
- if (! (isset($USER->loggedin) and $USER->confirmed) ) { // They're not
+ if (! (isset($USER->loggedin) and $USER->confirmed and ($USER->site == $CFG->wwwroot)) ) { // They're not
$SESSION->wantsurl = $FULLME;
$SESSION->fromurl = $HTTP_REFERER;
save_session("SESSION");
+ $USER = NULL;
+ save_session("USER");
if ($PHPSESSID) { // Cookies not enabled.
redirect("$CFG->wwwroot/login/?PHPSESSID=$PHPSESSID");
} else {
print_footer();
die;
}
-
+
$USER = $user;
$USER->loggedin = true;
+ $USER->site = $CFG->wwwroot; // for added security
save_session("USER");
if (!update_user_in_db()) {