From: garvinhicking Date: Thu, 8 Feb 2007 12:08:43 +0000 (+0000) Subject: Shared http/https sessions by rob richards from the forums X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=671c16982351db78e851285e0364206b9cec8113;p=s9y.git Shared http/https sessions by rob richards from the forums --- diff --git a/docs/NEWS b/docs/NEWS index 270ee5d..0f6aac5 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -3,6 +3,11 @@ Version 1.2 () ------------------------------------------------------------------------ + * Support shared http/https sessions. Performing admin actions will + only be allowed (through tokens) on the protocol that was used for + login. Patch by Rob Richards + (http://board.s9y.org/viewtopic.php?p=49276) + * Added PDO:PostgreSQL support (Theo Schlossnagle) * Dutch translation update with many fixes by Sam Geeraerts diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php index 456c59e..78f96ca 100644 --- a/include/functions_config.inc.php +++ b/include/functions_config.inc.php @@ -436,6 +436,12 @@ function serendipity_checkAutologin($ident, $iv) { return $cookie; } +function serendipity_setAuthorToken() { + $hash = sha1(uniqid(rand(), true)); + serendipity_setCookie('author_token', $hash); + $_SESSION['author_token'] = $hash; +} + /** * Perform user authentication routine * @@ -479,7 +485,10 @@ function serendipity_authenticate_author($username = '', $password = '', $is_md5 $row =& serendipity_db_query($query, true, 'assoc'); if (is_array($row)) { - serendipity_setCookie('old_session', session_id()); + serendipity_setCookie('old_session', session_id(), false); + if (!$is_md5) { + serendipity_setAuthorToken(); + } $_SESSION['serendipityUser'] = $serendipity['serendipityUser'] = $username; $_SESSION['serendipityRealname'] = $serendipity['serendipityRealname'] = $row['realname']; $_SESSION['serendipityPassword'] = $serendipity['serendipityPassword'] = $password; 
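Review bot: `$hash = sha1(uniqid(rand(), true));` in the added serendipity_setAuthorToken() derives the anti-hijack token from `rand()` and `uniqid()`, neither of which is a cryptographic source, so the token's unpredictability rests on a weak seed even though the check added in serendipity_admin.php depends entirely on an attacker not being able to guess it. Take the raw bytes from a CSPRNG instead (`random_bytes()` on PHP 7+, or a read from `/dev/urandom` on the older releases this codebase still targets) and keep `sha1()` only as the hex-encoding step. The function also has no docblock while the neighbouring serendipity_authenticate_author does; `/** Issues a fresh per-login token, stored both in the session and in a cookie, which serendipity_admin.php compares to detect a session reused from the other protocol */` would record why it exists.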
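Review bot: `if (!$is_md5) { serendipity_setAuthorToken(); }` issues the token only on the non-md5 path with no comment saying why, and since the new check in serendipity_admin.php destroys any session that lacks a matching token, a caller that authenticates with `$is_md5 = true` (presumably the autologin path; its callers are outside this hunk) would get a session that is torn down on the next admin request. Either document the intent, e.g. `// Token is only issued on an interactive login; md5 re-authentication keeps the existing token`, or issue the token on both paths. The changed line `serendipity_setCookie('old_session', session_id(), false);` now writes the session id into a cookie that is deliberately never flagged secure, so it travels over plain HTTP after an HTTPS login; that is exactly what the token compensates for and deserves a one-line comment at the call. serendipity_authenticate_author continues outside the hunk.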
@@ -560,10 +569,14 @@ function serendipity_JSsetCookie($name, $value) { * @param string The contents of the cookie variable * @return null */ -function serendipity_setCookie($name,$value) { +function serendipity_setCookie($name, $value, $securebyprot = true) { global $serendipity; - $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false; + if ($securebyprot) { + $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false; + } else { + $secure = false; + } setcookie("serendipity[$name]", $value, time()+60*60*24*30, $serendipity['serendipityHTTPPath'], $_SERVER['HTTP_HOST'], $secure); $_COOKIE[$name] = $value; $serendipity['COOKIE'][$name] = $value; diff --git a/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php b/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php index 1dddc97..cf2beb8 100644 --- a/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php +++ b/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php @@ -60,7 +60,7 @@ class serendipity_event_templatechooser extends serendipity_event if (isset($_REQUEST['user_template']) && (in_array($_REQUEST['user_template'], serendipity_fetchTemplates())) ) { $_SESSION['serendipityUseTemplate'] = $_REQUEST['user_template']; - serendipity_setCookie('user_template', $_REQUEST['user_template']); + serendipity_setCookie('user_template', $_REQUEST['user_template'], false); } if (isset($_SESSION['serendipityUseTemplate']) ) { diff --git a/rss.php b/rss.php index 4769111..973fd98 100644 --- a/rss.php +++ b/rss.php @@ -231,7 +231,7 @@ switch($version) { case 'atom1.0': // For people wanting extra RFC compliance - // header('Content-Type: application/atom+xml; charset=utf8'); + // header('Content-Type: application/atom+xml; charset=utf-8'); $namespace_hook = 'frontend_display:atom-1.0:namespace'; break; } diff --git a/serendipity_admin.php b/serendipity_admin.php index 965caa0..783e487 100644 
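Review bot: `strtolower($_SERVER['HTTPS'])` in the `$securebyprot` branch reads `$_SERVER['HTTPS']` without an `isset()` guard, so every cookie set over plain HTTP raises a notice (the block this patch removes from serendipity_config.inc.php did guard it). The whole if/else collapses to one line: `$secure = $securebyprot && isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';`. The docblock above the signature was not extended for the new parameter; add `@param bool Set the secure flag when the request came over HTTPS (default true); pass false for cookies that must also be readable over plain HTTP`. Since `old_session` and `author_token` now go through this function, the fixed `time()+60*60*24*30` expiry keeps a session identifier and a login token in a 30-day persistent cookie, far longer than either stays meaningful; letting callers request a session-length cookie (expiry 0) for those two would narrow the exposure window.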
--- a/serendipity_admin.php +++ b/serendipity_admin.php @@ -25,9 +25,17 @@ if (IS_installed === false) { if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'logout') { serendipity_logout(); } else { - if (IS_installed === true && !serendipity_userLoggedIn()) { - // Try again to log in, this time with enabled external authentication event hook - serendipity_login(true); + if (IS_installed === true) { + /* Check author token to insure session not hijacked */ + if (!isset($_SESSION['author_token']) || !isset($serendipity['COOKIE']['author_token']) || + ($_SESSION['author_token'] !== $serendipity['COOKIE']['author_token'])) { + $_SESSION['serendipityAuthedUser'] = false; + @session_destroy(); + } + if (!serendipity_userLoggedIn()) { + // Try again to log in, this time with enabled external authentication event hook + serendipity_login(true); + } } } diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php index 68076e7..e65af40 100644 --- a/serendipity_config.inc.php +++ b/serendipity_config.inc.php @@ -9,10 +9,6 @@ if (defined('S9Y_FRAMEWORK')) { @define('S9Y_FRAMEWORK', true); if (!headers_sent()) { - if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') { - @ini_set('session.name', 'SSLSID'); - @ini_set('session.cookie_secure', '1'); - } session_start(); }
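Review bot: The new token check sets `$_SESSION['serendipityAuthedUser'] = false;` and calls `@session_destroy();` but leaves the rest of `$_SESSION` (`serendipityUser`, `serendipityPassword`, `author_token`, as populated in functions_config.inc.php) in memory for the remainder of the request, and the `@` hides a failed destroy; clearing the array first, `$_SESSION = array();` immediately before `@session_destroy();`, makes the tear-down complete and lets a later session start clean. The check also lives only in serendipity_admin.php, while the session cookie itself loses its HTTPS-only handling with the removal in serendipity_config.inc.php below, so any other script that acts on an authenticated session (none is visible in this patch) would now lack both protections; moving the comparison into a helper beside serendipity_setAuthorToken() and calling it from every such entry point keeps them consistent. Minor: the comment reads `/* Check author token to insure session not hijacked */`; `ensure` is the intended word.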