aboutsummaryrefslogtreecommitdiffstats
path: root/include/user.inc.php
diff options
context:
space:
mode:
authornikrou <nikrou@piwigo.org>2006-01-15 13:45:42 +0000
committernikrou <nikrou@piwigo.org>2006-01-15 13:45:42 +0000
commitc3397a2c73273ba5414d976ab7f45ae5e71a8a33 (patch)
treee59456bdf40caf57ca5d3586190c3b3f6e8eb463 /include/user.inc.php
parentb223bb495dbfa1611766cdc528c9eb1af56c43e3 (diff)
Improve security of sessions:
- use only cookies to store session id on client side - use default php session system with database handler to store sessions on server side git-svn-id: http://piwigo.org/svn/trunk@1004 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/user.inc.php63
1 files changed, 16 insertions, 47 deletions
diff --git a/include/user.inc.php b/include/user.inc.php
index 8b51935a0..04adde9ac 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -26,55 +26,24 @@
// +-----------------------------------------------------------------------+
// retrieving connected user informations
-if (isset($_COOKIE['id']))
+if (isset($_COOKIE[session_name()]))
{
- $session_id = $_COOKIE['id'];
- $user['has_cookie'] = true;
-}
-else if (isset($_GET['id']))
-{
- $session_id = $_GET['id'];
- $user['has_cookie'] = false;
-}
-else
-{
- $user['has_cookie'] = false;
-}
-
-if (isset($session_id)
- and ereg("^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id))
-{
- $page['session_id'] = $session_id;
- $query = '
-SELECT user_id,expiration,NOW() AS now
- FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$page['session_id'].'\'
-;';
- $result = pwg_query($query);
- if (mysql_num_rows($result) > 0)
- {
- $row = mysql_fetch_array($result);
- if (strnatcmp($row['expiration'], $row['now']) < 0)
- {
- // deletion of the session from the database, because it is
- // out-of-date
- $delete_query = '
-DELETE FROM '.SESSIONS_TABLE.'
- WHERE id = \''.$page['session_id'].'\'
-;';
- pwg_query($delete_query);
- }
- else
- {
- $user['id'] = $row['user_id'];
- $user['is_the_guest'] = false;
- }
- }
-}
-if (!isset($user['id']))
+ session_start();
+ if (isset($_SESSION['id']))
+ {
+ $user['id'] = $_SESSION['id'];
+ }
+ else
+ {
+ // session timeout
+ $user['id'] = $conf['guest_id'];
+ $user['is_the_guest'] = true;
+ }
+}
+else
{
- $user['id'] = $conf['guest_id'];
- $user['is_the_guest'] = true;
+ $user['id'] = $conf['guest_id'];
+ $user['is_the_guest'] = true;
}
// using Apache authentication override the above user search