Improve security of sessions:

- use only cookies to store session id on client side
- use default php session system with database handler to store sessions on server side

git-svn-id: http://piwigo.org/svn/trunk@1004 68402e56-0260-453c-a942-63ccdbb3a9ee

1 files changed, 7 insertions, 6 deletions

diff --git a/identification.php b/identification.php
index c55e009ed..223e6c1e9 100644
--- a/identification.php
+++ b/identification.php
@@ -51,8 +51,9 @@ SELECT '.$conf['user_fields']['id'].' AS id,
     {
       $session_length = $conf['remember_me_length'];
     }
-    $session_id = session_create($row['id'], $session_length);
-    redirect('category.php?id='.$session_id);
+    session_start();
+    $_SESSION['id'] = $row['id'];
+    redirect('category.php');
   }
   else
   {
@@ -80,11 +81,11 @@ $template->assign_vars(
     'L_FORGET' => $lang['ident_forgotten_password'],
     'L_REMEMBER_ME'=>$lang['remember_me'],
 
-    'U_REGISTER' => add_session_id(PHPWG_ROOT_PATH.'register.php'),
-    'U_LOST_PASSWORD' => add_session_id(PHPWG_ROOT_PATH.'password.php'),
-    'U_HOME' => add_session_id(PHPWG_ROOT_PATH.'category.php'),
+    'U_REGISTER' => PHPWG_ROOT_PATH.'register.php',
+    'U_LOST_PASSWORD' => PHPWG_ROOT_PATH.'password.php',
+    'U_HOME' => PHPWG_ROOT_PATH.'category.php',
     
-    'F_LOGIN_ACTION' => add_session_id(PHPWG_ROOT_PATH.'identification.php')
+    'F_LOGIN_ACTION' => PHPWG_ROOT_PATH.'identification.php'
     ));
 
 if ($conf['authorize_remembering'])