From: martin
Date: Wed, 28 Aug 2002 15:07:46 +0000 (+0000)
Subject: Security fix for:
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=c21c671d747120751110444a6cc9c1c907d95d14;p=moodle.git

Security fix for: Internet Explorer bug that allows sends cookies to different sites if they have the same ending. eg moodle.com cookie is sent to smec.moodle.com!! Also fixes case where multiple moodle installations may be in different directories on the same server. When you go from one to the other the first session will be destroyed now (you can't be logged in the two at the same time). It's just a lot safer this way, for now. Basically this works by storing the wwwroot variable in the session and checking it for every page.
---
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 04b52b7c51..9f85c8adbf 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -951,10 +951,12 @@ function require_login($courseid=0) {
     // First check that the user is logged in to the site.
-    if (! (isset($USER->loggedin) and $USER->confirmed) ) { // They're not
+    if (! (isset($USER->loggedin) and $USER->confirmed and ($USER->site == $CFG->wwwroot)) ) { // They're not
         $SESSION->wantsurl = $FULLME;
         $SESSION->fromurl = $HTTP_REFERER;
         save_session("SESSION");
+        $USER = NULL;
+        save_session("USER");
         if ($PHPSESSID) { // Cookies not enabled.
             redirect("$CFG->wwwroot/login/?PHPSESSID=$PHPSESSID");
         } else {
diff --git a/login/index.php b/login/index.php
index 3bb4499c7f..d9ddbe3325 100644
--- a/login/index.php
+++ b/login/index.php
@@ -33,9 +33,10 @@
             print_footer();
             die;
         }
-
+
         $USER = $user;
         $USER->loggedin = true;
+        $USER->site = $CFG->wwwroot;   // for added security
         save_session("USER");
         if (!update_user_in_db()) {
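Review bot: The new condition in require_login reads `$USER->site` without an `isset()` guard and compares it with loose `==`; a session that predates this change, or one written by another installation sharing the session store, presumably carries no `site` property, so the comparison raises an undefined-property notice before it falls through to the not-logged-in branch. Tightening it to `and (isset($USER->site) and $USER->site === $CFG->wwwroot)` keeps the intended outcome (such sessions are rejected) without the notice and without PHP's loose string rules. The two added lines `$USER = NULL; save_session("USER");` are the part that actually invalidates a foreign session and deserve a comment stating that, e.g. `// Drop any $USER that belongs to another installation or is otherwise invalid, so it cannot be reused here.` The body of require_login continues past the end of this hunk, and the login/index.php hunk below is the counterpart that stores `site`.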