From c21c671d747120751110444a6cc9c1c907d95d14 Mon Sep 17 00:00:00 2001 From: martin Date: Wed, 28 Aug 2002 15:07:46 +0000 Subject: [PATCH] Security fix for: Internet Explorer bug that allows sends cookies to different sites if they have the same ending. eg moodle.com cookie is sent to smec.moodle.com!! Also fixes case where multiple moodle installations may be in different directories on the same server. When you go from one to the other the first session will be destroyed now (you can't be logged in the two at the same time). It's just a lot safer this way, for now. Basically this works by storing the wwwroot variable in the session and checking it for every page.
---
 lib/moodlelib.php | 4 +++-
 login/index.php | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 04b52b7c51..9f85c8adbf 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -951,10 +951,12 @@ function require_login($courseid=0) {
 // First check that the user is logged in to the site.
- if (! (isset($USER->loggedin) and $USER->confirmed) ) { // They're not
+ if (! (isset($USER->loggedin) and $USER->confirmed and ($USER->site == $CFG->wwwroot)) ) { // They're not
 $SESSION->wantsurl = $FULLME;
 $SESSION->fromurl = $HTTP_REFERER;
 save_session("SESSION");
+ $USER = NULL;
+ save_session("USER");
 if ($PHPSESSID) { // Cookies not enabled.
 redirect("$CFG->wwwroot/login/?PHPSESSID=$PHPSESSID");
 } else {
diff --git a/login/index.php b/login/index.php
index 3bb4499c7f..d9ddbe3325 100644
--- a/login/index.php
+++ b/login/index.php
@@ -33,9 +33,10 @@
 print_footer();
 die;
 }
-
+ $USER = $user;
 $USER->loggedin = true;
+ $USER->site = $CFG->wwwroot; // for added security
 save_session("USER");
 if (!update_user_in_db()) {
-- 
2.39.5
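Review bot: The new `$USER->site == $CFG->wwwroot` test in require_login() reads a property that only exists on sessions created after this change (login/index.php is the only place that sets it), so every pre-existing logged-in session will raise an undefined-property notice on the way to the login page, and the loose `==` accepts non-string values. Guard and compare strictly: `if (! (isset($USER->loggedin) and $USER->confirmed and isset($USER->site) and $USER->site === $CFG->wwwroot) ) { // They're not`. This check also only takes effect on pages that reach require_login(); the cookie described in the commit message is still delivered to the sibling host, so the session identifier is still disclosed there, and any page that reads `$USER` without calling require_login() would presumably still see the foreign user — restricting the cookie's domain and path where the session is started would stop the browser sending it at all, which this commit does not attempt. The `else` branch of the redirect is cut off at the end of the hunk and require_login()'s body continues outside it.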
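Review bot: The comment `// for added security` on the new `$USER->site` line says nothing about what the value is for or who consumes it, so a maintainer reading only this file cannot tell the field is load-bearing. Replace it with `// Recorded so require_login() can reject this session on any other host or installation (cookie leaked to a sibling domain, or a second Moodle on the same server).` Because require_login() compares against the same `$CFG->wwwroot`, the value must be the canonical URL on every page of this installation — a configuration that varies between requests (trailing slash, scheme, host alias) would log the user out on the next click. The surrounding login handler starts and ends outside the hunk, and whether the session identifier is replaced at this point (which would limit what a cookie planted from a sibling host could do) is not visible here.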