From 4d86bb2234af3939f1e8add3633deaa425fe526e Mon Sep 17 00:00:00 2001
From: rvelices
Date: Fri, 12 Sep 2008 02:17:35 +0000
Subject: - images.file categories.permalink old_permalinks.permalink - become binary - session security improvement: now the sessions are valid only for originating ip addr (with mask 255.255.0.0 to allow users behind load balancing proxies) -> stealing the session cookie is almost a non issue (with the exception of the 65536 machines in range) - metadata sync from the sync button does not overwrite valid data with empty metadata - other small fixes/enhancements: - added event get_category_image_orders - fix display issue with redirect.tpl (h1/h2 within h1) - fix known_script smarty function registration - query search form not submitted if q is empty - better admin css rules - some other minor changes (ws_core, rest_handler, functions_search...)
git-svn-id: http://piwigo.org/svn/trunk@2521 68402e56-0260-453c-a942-63ccdbb3a9ee
---
include/functions_session.inc.php | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'include/functions_session.inc.php')

diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index f17f2377a..dce1551ea 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -90,6 +90,11 @@ function pwg_session_close()
 return true;
 }
 
+function get_remote_addr_session_hash()
+{
+ return vsprintf( "%02X%02X", explode('.',$_SERVER['REMOTE_ADDR']) );
+}
+
 /**
 * this function returns
 * a string corresponding to the value of the variable save in the session
@@ -102,7 +107,7 @@ function pwg_session_read($session_id)
 $query = '
 SELECT data
 FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
 $result = pwg_query($query);
 if ($result)
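Review bot: get_remote_addr_session_hash() assumes REMOTE_ADDR is a dotted IPv4 address; for an IPv6 client (or when REMOTE_ADDR is unset) explode('.') yields fewer than two parts, vsprintf() warns on every session access (newer PHP throws) and the prefix collapses to an empty string, so the row key silently falls back to the bare session id and the protection the commit describes is gone for those clients. A guard keeps the behaviour explicit, e.g. `$parts = isset($_SERVER['REMOTE_ADDR']) ? explode('.', $_SERVER['REMOTE_ADDR']) : array();` followed by `if (count($parts) < 2) return '0000';` before the vsprintf() call, or a dedicated prefix derived from the raw address for non-IPv4 values. The function also needs a comment stating its contract, e.g. `// 4-hex-char prefix built from the first two IPv4 octets (a /16 mask) so clients whose address varies behind load-balancing proxies keep their session`. That comment should also record that behind a single reverse proxy REMOTE_ADDR is the proxy's address, so every client then shares one prefix and the binding adds nothing in that deployment.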
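Review bot: The rewritten WHERE clause in pwg_session_read() still splices the cookie-supplied $session_id into the SQL string unescaped; the new prefix is server-derived, but the remainder is client input, so unless the caller has already validated it against the session id character set it should be passed through mysql_real_escape_string() or a whitelist check here, and likewise in the pwg_session_write() and pwg_session_destroy() hunks on the next line. Because the prefix is now part of the stored key, rows written before this change will no longer match and every existing session is invalidated on upgrade; that is acceptable but deserves a line in the commit message or a one-off cleanup of the now-orphaned rows. pwg_session_read()'s body continues outside the hunk.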
@@ -128,7 +133,7 @@ function pwg_session_write($session_id, $data)
 UPDATE '.SESSIONS_TABLE.'
 SET expiration = now(),
 data = \''.$data.'\'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
 pwg_query($query);
 if ( mysql_affected_rows()>0 )
@@ -138,7 +143,7 @@ UPDATE '.SESSIONS_TABLE.'
 $query = '
 INSERT INTO '.SESSIONS_TABLE.'
 (id,data,expiration)
- VALUES(\''.$session_id.'\',\''.$data.'\',now())
+ VALUES(\''.get_remote_addr_session_hash().$session_id.'\',\''.$data.'\',now())
 ;';
 mysql_query($query);
 return true;
@@ -154,7 +159,7 @@ function pwg_session_destroy($session_id)
 $query = '
 DELETE
 FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$session_id.'\'
+ WHERE id = \''.get_remote_addr_session_hash().$session_id.'\'
 ;';
 pwg_query($query);
 return true;
--
cgit v1.2.3
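Review bot: The INSERT in pwg_session_write() now stores an id four characters longer than before; if the id column of SESSIONS_TABLE is sized to the bare session id, MySQL in non-strict mode truncates it silently and the prefixed lookups in pwg_session_read() and the UPDATE above never match again, so the column width needs to be confirmed and, if necessary, widened in the schema and upgrade script alongside this change. The insert also bypasses pwg_query() in favour of a bare mysql_query() whose result is discarded, so a failed insert (including a duplicate key when the preceding UPDATE matched a row but changed nothing and mysql_affected_rows() therefore reported 0) goes unnoticed; routing it through pwg_query() like the other statements would at least surface the error. pwg_session_write()'s opening lines are outside the hunk.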