diff options
| author | nikrou <nikrou@piwigo.org> | 2006-01-15 13:45:42 +0000 |
|---|---|---|
| committer | nikrou <nikrou@piwigo.org> | 2006-01-15 13:45:42 +0000 |
| commit | c3397a2c73273ba5414d976ab7f45ae5e71a8a33 (patch) | |
| tree | e59456bdf40caf57ca5d3586190c3b3f6e8eb463 /admin | |
| parent | b223bb495dbfa1611766cdc528c9eb1af56c43e3 (diff) | |
Improve security of sessions:
- use only cookies to store session id on client side
- use default php session system with database handler to store sessions on server side
git-svn-id: http://piwigo.org/svn/trunk@1004 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
| -rw-r--r-- | admin/cat_list.php | 21 | ||||
| -rw-r--r-- | admin/cat_modify.php | 14 | ||||
| -rw-r--r-- | admin/cat_move.php | 2 | ||||
| -rw-r--r-- | admin/cat_options.php | 2 | ||||
| -rw-r--r-- | admin/cat_perm.php | 5 | ||||
| -rw-r--r-- | admin/comments.php | 6 | ||||
| -rw-r--r-- | admin/configuration.php | 2 | ||||
| -rw-r--r-- | admin/element_set_unit.php | 4 | ||||
| -rw-r--r-- | admin/group_list.php | 3 | ||||
| -rw-r--r-- | admin/group_perm.php | 2 | ||||
| -rw-r--r-- | admin/intro.php | 10 | ||||
| -rw-r--r-- | admin/maintenance.php | 10 | ||||
| -rw-r--r-- | admin/picture_modify.php | 6 | ||||
| -rw-r--r-- | admin/remote_site.php | 12 | ||||
| -rw-r--r-- | admin/stats.php | 10 | ||||
| -rw-r--r-- | admin/thumbnail.php | 2 | ||||
| -rw-r--r-- | admin/user_list.php | 6 | ||||
| -rw-r--r-- | admin/user_perm.php | 2 | ||||
| -rw-r--r-- | admin/waiting.php | 2 |
19 files changed, 48 insertions, 73 deletions
diff --git a/admin/cat_list.php b/admin/cat_list.php index f7652db73..3acbbad5e 100644 --- a/admin/cat_list.php +++ b/admin/cat_list.php @@ -65,7 +65,7 @@ function save_categories_order($categories) $categories = array(); $base_url = PHPWG_ROOT_PATH.'admin.php?page=cat_list'; -$navigation = '<a class="" href="'.add_session_id($base_url).'">'; +$navigation = '<a class="" href="'.$base_url.'">'; $navigation.= $lang['home']; $navigation.= '</a>'; @@ -238,7 +238,7 @@ else $template->assign_vars(array( 'CATEGORIES_NAV'=>$navigation, 'NEXT_RANK'=>$next_rank, - 'F_ACTION'=>add_session_id($form_action), + 'F_ACTION'=>$form_action, 'L_ADD_VIRTUAL'=>$lang['cat_add'], 'L_SUBMIT'=>$lang['submit'], @@ -318,14 +318,9 @@ foreach ($categories as $category) 'ID'=>$category['id'], 'RANK'=>$category['rank']*10, - 'U_JUMPTO'=> - add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$category['id']), - - 'U_CHILDREN'=> - add_session_id($cat_list_url.'&parent_id='.$category['id']), - - 'U_EDIT'=> - add_session_id($base_url.'cat_modify&cat_id='.$category['id']) + 'U_JUMPTO'=>PHPWG_ROOT_PATH.'category.php?cat='.$category['id'], + 'U_CHILDREN'=>$cat_list_url.'&parent_id='.$category['id'], + 'U_EDIT'=>$base_url.'cat_modify&cat_id='.$category['id'] ) ); @@ -334,7 +329,7 @@ foreach ($categories as $category) $template->assign_block_vars( 'category.delete', array( - 'URL'=>add_session_id($self_url.'&delete='.$category['id']) + 'URL'=>$self_url.'&delete='.$category['id'] ) ); } @@ -344,7 +339,7 @@ foreach ($categories as $category) $template->assign_block_vars( 'category.elements', array( - 'URL'=>add_session_id($base_url.'element_set&cat='.$category['id']) + 'URL'=>$base_url.'element_set&cat='.$category['id'] ) ); } @@ -354,7 +349,7 @@ foreach ($categories as $category) $template->assign_block_vars( 'category.permissions', array( - 'URL'=>add_session_id($base_url.'cat_perm&cat='.$category['id']) + 'URL'=>$base_url.'cat_perm&cat='.$category['id'] ) ); } diff --git a/admin/cat_modify.php b/admin/cat_modify.php index 0d82c13d4..8291e9030 100644 --- a/admin/cat_modify.php +++ b/admin/cat_modify.php @@ -171,13 +171,11 @@ $template->assign_vars(array( 'L_SUBMIT'=>$lang['submit'], 'L_SET_RANDOM_REPRESENTANT'=>$lang['cat_representant'], - 'U_JUMPTO'=> - add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$category['id']), - 'U_CHILDREN'=> - add_session_id($cat_list_url.'&parent_id='.$category['id']), + 'U_JUMPTO'=>PHPWG_ROOT_PATH.'category.php?cat='.$category['id'], + 'U_CHILDREN'=>$cat_list_url.'&parent_id='.$category['id'], 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=cat_modify', - 'F_ACTION'=>add_session_id($form_action) + 'F_ACTION'=>$form_action )); @@ -186,7 +184,7 @@ if ('private' == $category['status']) $template->assign_block_vars( 'permissions', array( - 'URL'=>add_session_id($base_url.'cat_perm&cat='.$category['id']) + 'URL'=>$base_url.'cat_perm&cat='.$category['id'] ) ); } @@ -197,7 +195,7 @@ if ($category['nb_images'] > 0) $template->assign_block_vars( 'elements', array( - 'URL'=>add_session_id($base_url.'element_set&cat='.$category['id']) + 'URL'=>$base_url.'element_set&cat='.$category['id'] ) ); } @@ -267,7 +265,7 @@ else $template->assign_block_vars( 'delete', array( - 'URL'=>add_session_id($self_url.'&delete='.$category['id']) + 'URL'=>$self_url.'&delete='.$category['id'] ) ); diff --git a/admin/cat_move.php b/admin/cat_move.php index 7760b6494..0d030dca0 100644 --- a/admin/cat_move.php +++ b/admin/cat_move.php @@ -68,7 +68,7 @@ $template->set_filenames( $template->assign_vars( array( - 'F_ACTION' => add_session_id(PHPWG_ROOT_PATH.'admin.php?page=cat_move'), + 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=cat_move', ) ); diff --git a/admin/cat_options.php b/admin/cat_options.php index f8ca7527b..a43a4ec61 100644 --- a/admin/cat_options.php +++ b/admin/cat_options.php @@ -153,7 +153,7 @@ $template->assign_vars( 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=cat_options', - 'F_ACTION'=>add_session_id($base_url.$page['section']) + 'F_ACTION'=>$base_url.$page['section'] ) ); diff --git a/admin/cat_perm.php b/admin/cat_perm.php index f0c961103..95e9edaa9 100644 --- a/admin/cat_perm.php +++ b/admin/cat_perm.php @@ -207,10 +207,7 @@ $template->assign_vars( 'admin.php?page=cat_modify&cat_id=' ), 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=cat_perm', - 'F_ACTION' => - add_session_id( - PHPWG_ROOT_PATH.'admin.php?page=cat_perm&cat='.$page['cat'] - ) + 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=cat_perm&cat='.$page['cat'] ) ); diff --git a/admin/comments.php b/admin/comments.php index 53d498c84..ef366c783 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -117,7 +117,7 @@ $template->set_filenames(array('comments'=>'admin/comments.tpl')); $template->assign_vars( array( - 'F_ACTION' => add_session_id(PHPWG_ROOT_PATH.'admin.php?page=comments') + 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=comments' ) ); @@ -141,10 +141,8 @@ while ($row = mysql_fetch_array($result)) 'comment', array( 'U_PICTURE' => - add_session_id( PHPWG_ROOT_PATH.'admin.php?page=picture_modify'. - '&image_id='.$row['image_id'] - ), + '&image_id='.$row['image_id'], 'ID' => $row['id'], 'TN_SRC' => get_thumbnail_src($row['path'], @$row['tn_ext']), 'AUTHOR' => $row['author'], diff --git a/admin/configuration.php b/admin/configuration.php index bb1c82646..0d0ee4476 100644 --- a/admin/configuration.php +++ b/admin/configuration.php @@ -149,7 +149,7 @@ $template->assign_vars( 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=configuration', - 'F_ACTION'=>add_session_id($action) + 'F_ACTION'=>$action )); switch ($page['section']) diff --git a/admin/element_set_unit.php b/admin/element_set_unit.php index fbffe99dd..f3bf12bbd 100644 --- a/admin/element_set_unit.php +++ b/admin/element_set_unit.php @@ -222,10 +222,8 @@ SELECT id,path,tn_ext,name,date_creation,comment,keywords,author,file !empty($row['name']) ? $row['name'] : get_name_from_file($row['file']), 'U_EDIT' => - add_session_id( PHPWG_ROOT_PATH.'admin.php?page=picture_modify'. - '&image_id='.$row['id'] - ), + '&image_id='.$row['id'], 'ID' => $row['id'], 'FILENAME' => $row['path'], 'TN_SRC' => $src, diff --git a/admin/group_list.php b/admin/group_list.php index 7bc08b3f4..0a9946fe5 100644 --- a/admin/group_list.php +++ b/admin/group_list.php @@ -124,8 +124,7 @@ $template->set_filenames(array('group_list' => 'admin/group_list.tpl')); $template->assign_vars( array( - 'F_ADD_ACTION' => - add_session_id(PHPWG_ROOT_PATH.'admin.php?page=group_list') + 'F_ADD_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=group_list' ) ); diff --git a/admin/group_perm.php b/admin/group_perm.php index 5c974008e..2c474eb89 100644 --- a/admin/group_perm.php +++ b/admin/group_perm.php @@ -140,11 +140,9 @@ $template->assign_vars( 'L_CAT_OPTIONS_INFO'=>$lang['permuser_info'], 'F_ACTION' => - add_session_id( PHPWG_ROOT_PATH. 'admin.php?page=group_perm&group_id='. $page['group'] - ) ) ); diff --git a/admin/intro.php b/admin/intro.php index 71a657c03..a72171ec0 100644 --- a/admin/intro.php +++ b/admin/intro.php @@ -175,10 +175,8 @@ $template->assign_vars( 'DB_USERS' => sprintf(l10n('%d users'), $nb_users), 'DB_GROUPS' => sprintf(l10n('%d groups'), $nb_groups), 'DB_COMMENTS' => sprintf(l10n('%d comments'), $nb_comments), - 'U_CHECK_UPGRADE' => - add_session_id(PHPWG_ROOT_PATH.'admin.php?action=check_upgrade'), - 'U_PHPINFO' => - add_session_id(PHPWG_ROOT_PATH.'admin.php?action=phpinfo') + 'U_CHECK_UPGRADE' => PHPWG_ROOT_PATH.'admin.php?action=check_upgrade', + 'U_PHPINFO' => PHPWG_ROOT_PATH.'admin.php?action=phpinfo' ) ); @@ -215,7 +213,7 @@ if ($nb_waiting > 0) $template->assign_block_vars( 'waiting', array( - 'URL' => add_session_id(PHPWG_ROOT_PATH.'admin.php?page=waiting'), + 'URL' => PHPWG_ROOT_PATH.'admin.php?page=waiting', 'INFO' => sprintf(l10n('%d waiting for validation'), $nb_waiting) ) ); @@ -234,7 +232,7 @@ if ($nb_comments > 0) $template->assign_block_vars( 'unvalidated', array( - 'URL' => add_session_id(PHPWG_ROOT_PATH.'admin.php?page=comments'), + 'URL' => PHPWG_ROOT_PATH.'admin.php?page=comments', 'INFO' => sprintf(l10n('%d waiting for validation'), $nb_comments) ) ); diff --git a/admin/maintenance.php b/admin/maintenance.php index ec45196db..067f1ff82 100644 --- a/admin/maintenance.php +++ b/admin/maintenance.php @@ -98,11 +98,11 @@ $start_url = PHPWG_ROOT_PATH.'admin.php?page=maintenance&action='; $template->assign_vars( array( - 'U_MAINT_CATEGORIES' => add_session_id($start_url.'categories'), - 'U_MAINT_IMAGES' => add_session_id($start_url.'images'), - 'U_MAINT_HISTORY' => add_session_id($start_url.'history'), - 'U_MAINT_SESSIONS' => add_session_id($start_url.'sessions'), - 'U_MAINT_FEEDS' => add_session_id($start_url.'feeds'), + 'U_MAINT_CATEGORIES' => $start_url.'categories', + 'U_MAINT_IMAGES' => $start_url.'images', + 'U_MAINT_HISTORY' => $start_url.'history', + 'U_MAINT_SESSIONS' => $start_url.'sessions', + 'U_MAINT_FEEDS' => $start_url.'feeds', 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=maintenance', ) ); diff --git a/admin/picture_modify.php b/admin/picture_modify.php index a8fa2b953..097857ec5 100644 --- a/admin/picture_modify.php +++ b/admin/picture_modify.php @@ -195,12 +195,10 @@ $template->set_filenames( $template->assign_vars( array( 'U_SYNC' => - add_session_id( PHPWG_ROOT_PATH.'admin.php?page=picture_modify'. '&image_id='.$_GET['image_id']. (isset($_GET['cat_id']) ? '&cat_id='.$_GET['cat_id'] : ''). - '&sync_metadata=1' - ), + '&sync_metadata=1', 'PATH'=>$row['path'], @@ -230,10 +228,8 @@ $template->assign_vars( stripslashes($_POST['description']) : @$row['comment'], 'F_ACTION' => - add_session_id( PHPWG_ROOT_PATH.'admin.php' .get_query_string_diff(array('sync_metadata')) - ) ) ); diff --git a/admin/remote_site.php b/admin/remote_site.php index fb778084f..1ce1813a2 100644 --- a/admin/remote_site.php +++ b/admin/remote_site.php @@ -515,7 +515,7 @@ $template->assign_vars( 'U_HELP' => PHPWG_ROOT_PATH.'/popuphelp.php?page=remote_site', - 'F_ACTION'=>add_session_id(PHPWG_ROOT_PATH.'admin.php?page=remote_site') + 'F_ACTION'=>PHPWG_ROOT_PATH.'admin.php?page=remote_site' ) ); @@ -686,7 +686,7 @@ else 'local', array( 'URL' => $url, - 'U_UPDATE' => add_session_id($base_url.'local_update') + 'U_UPDATE' => $base_url.'local_update' ) ); @@ -731,10 +731,10 @@ while ($row = mysql_fetch_array($result)) 'sites.site', array( 'NAME' => $row['galleries_url'], - 'U_GENERATE' => add_session_id($base_url.'generate'), - 'U_UPDATE' => add_session_id($base_url.'update'), - 'U_CLEAN' => add_session_id($base_url.'clean'), - 'U_DELETE' => add_session_id($base_url.'delete') + 'U_GENERATE' => $base_url.'generate', + 'U_UPDATE' => $base_url.'update', + 'U_CLEAN' => $base_url.'clean', + 'U_DELETE' => $base_url.'delete' ) ); } diff --git a/admin/stats.php b/admin/stats.php index 1a821a476..02d7ec5d8 100644 --- a/admin/stats.php +++ b/admin/stats.php @@ -62,7 +62,7 @@ if (isset($_GET['day']) && isset($_GET['month']) && isset($_GET['year']) ) $date_of_day=$_GET['day'].' '.$lang['month'][$_GET['month']].' '.$_GET['year']; $title_page=$lang['stats_day_title'].' du '.$date_of_day; $url_back = PHPWG_ROOT_PATH."admin.php?page=stats"; - $url_back = add_session_id($url_back); + $url_back = $url_back; $title_details='<a href='.$url_back.'>'.$lang['stats_day_title'].'</a>'; $title_day = $date_of_day; } @@ -71,7 +71,7 @@ elseif ( isset($_GET['month']) && isset($_GET['year']) ) $date_of_day=$lang['month'][$_GET['month']].' '.$_GET['year']; $title_page=$lang['stats_month_title'].' : '.$date_of_day; $url_back = PHPWG_ROOT_PATH."admin.php?page=stats"; - $url_back = add_session_id($url_back); + $url_back = $url_back; $title_details='<a href='.$url_back.'>'.$lang['stats_day_title'].'</a>'; $title_day=$lang['today']; } @@ -105,7 +105,7 @@ $template->assign_vars(array( 'L_STAT_FILE'=>$lang['stats_file'], 'L_STAT_PICTURE'=>$lang['stats_picture'], - 'IMG_REPORT'=>add_session_id($url_img) + 'IMG_REPORT'=>$url_img )); //---------------------------------------------------------------- log history @@ -141,7 +141,7 @@ while ( $row = mysql_fetch_array( $result ) ) .'&day='.$row['d'] ; - $value = '<a href="'.add_session_id($url).'">'; + $value = '<a href="'.$url.'">'; $value.= $row['d'].' ('.$week_day.')'; $value.= "</a>"; } @@ -160,7 +160,7 @@ while ( $row = mysql_fetch_array( $result ) ) .'&month='.$row['m'] ; - $value = '<a href="'.add_session_id($url).'">'; + $value = '<a href="'.$url.'">'; $value.= $lang['month'][$row['m']].' '.$row['y']; $value.= "</a>"; } diff --git a/admin/thumbnail.php b/admin/thumbnail.php index 5193388d7..88ffdc952 100644 --- a/admin/thumbnail.php +++ b/admin/thumbnail.php @@ -358,7 +358,7 @@ if (count($remainings) > 0) $template->assign_block_vars( 'params', array( - 'F_ACTION'=>add_session_id($form_url), + 'F_ACTION'=>$form_url, $gdlabel=>'checked="checked"', $nlabel=>'checked="checked"', 'WIDTH_TN'=>$width, diff --git a/admin/user_list.php b/admin/user_list.php index f069dfe63..ea1748a2d 100644 --- a/admin/user_list.php +++ b/admin/user_list.php @@ -424,7 +424,7 @@ while ($row = mysql_fetch_array($result)) $template->set_filenames(array('user_list'=>'admin/user_list.tpl')); -$base_url = add_session_id(PHPWG_ROOT_PATH.'admin.php?page=user_list'); +$base_url = PHPWG_ROOT_PATH.'admin.php?page=user_list'; if (isset($_GET['start']) and is_numeric($_GET['start'])) { @@ -790,8 +790,8 @@ foreach ($page['filtered_users'] as $num => $local_user) 'CLASS' => ($num % 2 == 1) ? 'row2' : 'row1', 'ID' => $local_user['id'], 'CHECKED' => $checked, - 'U_MOD' => add_session_id($profile_url.$local_user['id']), - 'U_PERM' => add_session_id($perm_url.$local_user['id']), + 'U_MOD' => $profile_url.$local_user['id'], + 'U_PERM' => $perm_url.$local_user['id'], 'USERNAME' => $local_user['username'], 'STATUS' => $lang['user_status_'.$local_user['status']], 'EMAIL' => isset($local_user['email']) ? $local_user['email'] : '', diff --git a/admin/user_perm.php b/admin/user_perm.php index 400678ce2..91ade3618 100644 --- a/admin/user_perm.php +++ b/admin/user_perm.php @@ -133,11 +133,9 @@ $template->assign_vars( 'L_CAT_OPTIONS_FALSE'=>$lang['forbidden'], 'F_ACTION' => - add_session_id( PHPWG_ROOT_PATH. 'admin.php?page=user_perm'. '&user_id='.$page['user'] - ) ) ); diff --git a/admin/waiting.php b/admin/waiting.php index 7c8e05b51..647fcafe2 100644 --- a/admin/waiting.php +++ b/admin/waiting.php @@ -148,7 +148,7 @@ $template->assign_vars(array( 'L_RESET'=>$lang['reset'], 'L_DELETE'=>$lang['delete'], - 'F_ACTION'=>add_session_id(str_replace( '&', '&', $_SERVER['REQUEST_URI'] )) + 'F_ACTION'=>str_replace( '&', '&', $_SERVER['REQUEST_URI']) )); //---------------------------------------------------------------- form display |