diff options
| author | nikrou <nikrou@piwigo.org> | 2006-01-15 13:49:29 +0000 |
|---|---|---|
| committer | nikrou <nikrou@piwigo.org> | 2006-01-15 13:49:29 +0000 |
| commit | 71d78a813f9b10c2fada4eaa25104a9c364ced6f (patch) | |
| tree | 6ddcab6acb896db36266baaf3dd3afb7cb40fd55 /include | |
| parent | 9d6404ad36375079e815979bd4bf476a5195df5e (diff) | |
Revert to revision 1002
git-svn-id: http://piwigo.org/svn/branches/branch-1_5@1005 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
| -rw-r--r-- | include/category_calendar.inc.php | 11 | ||||
| -rw-r--r-- | include/category_default.inc.php | 2 | ||||
| -rw-r--r-- | include/category_recent_cats.inc.php | 2 | ||||
| -rw-r--r-- | include/category_subcats.inc.php | 2 | ||||
| -rw-r--r-- | include/config_default.inc.php | 25 | ||||
| -rw-r--r-- | include/functions_category.inc.php | 2 | ||||
| -rw-r--r-- | include/functions_html.inc.php | 20 | ||||
| -rw-r--r-- | include/functions_session.inc.php | 154 | ||||
| -rw-r--r-- | include/page_header.php | 2 | ||||
| -rw-r--r-- | include/user.inc.php | 63 |
10 files changed, 174 insertions, 109 deletions
diff --git a/include/category_calendar.inc.php b/include/category_calendar.inc.php index fb2fffd09..a355a9339 100644 --- a/include/category_calendar.inc.php +++ b/include/category_calendar.inc.php @@ -67,6 +67,7 @@ foreach ($calendar_years as $calendar_year => $nb_picture_year) { $url = PHPWG_ROOT_PATH.'category.php?cat=calendar'; $url.= '&year='.$calendar_year; + $url = add_session_id($url); $years_nav_bar.= ' <a href="'.$url.'">'.$calendar_year.'</a>'; } } @@ -123,7 +124,7 @@ SELECT DISTINCT(MONTH('.$conf['calendar_datefield'].')) AS month $url = PHPWG_ROOT_PATH.'category.php?cat=calendar&month='; $url.= $page['calendar_year'].'.'.sprintf('%02s', $calendar_month); $months_nav_bar.= ' '; - $months_nav_bar.= '<a href="'.$url.'">'; + $months_nav_bar.= '<a href="'.add_session_id($url).'">'; $months_nav_bar.= $lang['month'][(int)$calendar_month]; $months_nav_bar.= '</a>'; } @@ -247,7 +248,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path 'IMAGE_ALT'=>$row['file'], 'IMAGE_TITLE'=>$thumbnail_title, - 'U_IMG_LINK'=>$url_link + 'U_IMG_LINK'=>add_session_id($url_link) ) ); @@ -307,7 +308,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path 'IMAGE_ALT'=>$row['file'], 'IMAGE_TITLE'=>$thumbnail_title, - 'U_IMG_LINK'=>$url_link + 'U_IMG_LINK'=>add_session_id($url_link) ) ); @@ -361,7 +362,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path 'IMAGE_ALT'=>$row['file'], 'IMAGE_TITLE'=>$thumbnail_title, - 'U_IMG_LINK'=>$url_link + 'U_IMG_LINK'=>add_session_id($url_link) ) ); @@ -435,7 +436,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path 'IMAGE_ALT'=>$row['file'], 'IMAGE_TITLE'=>$thumbnail_title, - 'U_IMG_LINK'=>$url_link + 'U_IMG_LINK'=>add_session_id($url_link) ) ); diff --git a/include/category_default.inc.php b/include/category_default.inc.php index 0965b331e..d553e9e05 100644 --- a/include/category_default.inc.php +++ b/include/category_default.inc.php @@ -89,7 +89,7 @@ while ($row = mysql_fetch_array($result)) 'IMAGE_TITLE' => $thumbnail_title, 'IMAGE_TS' => get_icon($row['date_available']), - 'U_IMG_LINK' => $url_link + 'U_IMG_LINK' => add_session_id($url_link) ) ); diff --git a/include/category_recent_cats.inc.php b/include/category_recent_cats.inc.php index 298def21d..1b3e84f1e 100644 --- a/include/category_recent_cats.inc.php +++ b/include/category_recent_cats.inc.php @@ -78,7 +78,7 @@ while ( $row = mysql_fetch_array( $result ) ) 'IMAGE_ALT' => $row['file'], 'IMAGE_TITLE' => $lang['hint_category'], - 'U_IMG_LINK' => $url_link + 'U_IMG_LINK' => add_session_id($url_link) ) ); diff --git a/include/category_subcats.inc.php b/include/category_subcats.inc.php index 5f64a3a7f..8e40d8498 100644 --- a/include/category_subcats.inc.php +++ b/include/category_subcats.inc.php @@ -152,7 +152,7 @@ SELECT id, path, tn_ext 'IMAGE_TITLE' => $lang['hint_category'], 'IMAGE_TS' => get_icon(@$item['date_last']), 'U_IMG_LINK' => - PHPWG_ROOT_PATH.'category.php?cat='.$item['category'] + add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$item['category']) ) ); diff --git a/include/config_default.inc.php b/include/config_default.inc.php index 96272dee6..33b9eab0b 100644 --- a/include/config_default.inc.php +++ b/include/config_default.inc.php @@ -256,21 +256,6 @@ $conf['use_exif_mapping'] = array( // | sessions | // +-----------------------------------------------------------------------+ -// specifies to use cookie to store the session id on client side -$conf['session_use_cookies'] = 1; - -// specifies to only use cookie to store the session id on client side -$conf['session_use_only_cookies'] = 1; - -// do not use transparent session id support -$conf['session_use_trans_sid'] = 0; - -// specifies the name of the session which is used as cookie name -$conf['session_name'] = 'pwg_id'; - -// comment the line below to use file handler for sessions. -$conf['session_save_handler'] = 'db'; - // authorize_remembering : permits user to stay logged for a long time. It // creates a cookie on client side. $conf['authorize_remembering'] = true; @@ -282,6 +267,16 @@ $conf['remember_me_length'] = 31536000; // session_length : time of validity for normal session, in seconds. $conf['session_length'] = 3600; +// session_id_size : a session identifier is compound of alphanumeric +// characters and is case sensitive. Each character is among 62 +// possibilities. The number of possible sessions is +// 62^$conf['session_id_size']. +// +// 62^5 = 916,132,832 +// 62^10 = 839,299,365,868,340,224 +// +$conf['session_id_size'] = 10; + // +-----------------------------------------------------------------------+ // | debug | // +-----------------------------------------------------------------------+ diff --git a/include/functions_category.inc.php b/include/functions_category.inc.php index 4c5f1f4be..ad118a905 100644 --- a/include/functions_category.inc.php +++ b/include/functions_category.inc.php @@ -47,7 +47,7 @@ function check_restrictions($category_id) if (in_array($category_id, explode(',', $user['forbidden_categories']))) { echo '<div style="text-align:center;">'.$lang['access_forbiden'].'<br />'; - echo '<a href="./category.php">'; + echo '<a href="'.add_session_id( './category.php' ).'">'; echo $lang['thumbnails'].'</a></div>'; exit(); } diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php index a2c45b7ef..50a999854 100644 --- a/include/functions_html.inc.php +++ b/include/functions_html.inc.php @@ -82,7 +82,7 @@ function create_navigation_bar($url, $nb_element, $start, if ($cur_page != 1) { $navbar.= '<a href="'; - $navbar.= $url.'&start=0'; + $navbar.= add_session_id($url.'&start=0'); $navbar.= '" class="'.$link_class.'">'.$lang['first_page']; $navbar.= '</a>'; } @@ -96,7 +96,7 @@ function create_navigation_bar($url, $nb_element, $start, { $previous = $start - $nb_element_page; $navbar.= '<a href="'; - $navbar.= $url.'&start='.$previous; + $navbar.= add_session_id( $url.'&start='.$previous ); $navbar.= '" class="'.$link_class.'">'.$lang['previous_page']; $navbar.= '</a>'; } @@ -109,7 +109,7 @@ function create_navigation_bar($url, $nb_element, $start, if ($cur_page > $pages_around + 1) { $navbar.= ' <a href="'; - $navbar.= $url.'&start=0'; + $navbar.= add_session_id($url.'&start=0'); $navbar.= '" class="'.$link_class.'">1</a>'; if ($cur_page > $pages_around + 2) { @@ -130,7 +130,7 @@ function create_navigation_bar($url, $nb_element, $start, { $temp_start = ($i - 1) * $nb_element_page; $navbar.= ' <a href="'; - $navbar.= $url.'&start='.$temp_start; + $navbar.= add_session_id($url.'&start='.$temp_start); $navbar.= '" class="'.$link_class.'">'.$i.'</a>'; } else @@ -148,7 +148,7 @@ function create_navigation_bar($url, $nb_element, $start, $navbar.= ' ...'; } $navbar.= ' <a href="'; - $navbar.= $url.'&start='.$temp_start; + $navbar.= add_session_id($url.'&start='.$temp_start); $navbar.= '" class="'.$link_class.'">'.$maximum.'</a>'; } @@ -159,7 +159,7 @@ function create_navigation_bar($url, $nb_element, $start, { $next = $start + $nb_element_page; $navbar.= '<a href="'; - $navbar.= $url.'&start='.$next; + $navbar.= add_session_id( $url.'&start='.$next ); $navbar.= '" class="'.$link_class.'">'.$lang['next_page'].'</a>'; } else @@ -173,7 +173,7 @@ function create_navigation_bar($url, $nb_element, $start, { $temp_start = ($maximum - 1) * $nb_element_page; $navbar.= '<a href="'; - $navbar.= $url.'&start='.$temp_start; + $navbar.= add_session_id($url.'&start='.$temp_start); $navbar.= '" class="'.$link_class.'">'.$lang['last_page']; $navbar.= '</a>'; } @@ -242,7 +242,7 @@ function get_cat_display_name($cat_informations, else { $output.= '<a class=""'; - $output.= ' href="'.PHPWG_ROOT_PATH.$url.$id.'">'; + $output.= ' href="'.add_session_id(PHPWG_ROOT_PATH.$url.$id).'">'; $output.= $name.'</a>'; } } @@ -311,7 +311,7 @@ SELECT id,name { $output.= ' <a class="" - href="'.PHPWG_ROOT_PATH.$url.$category_id.'">'.$name.'</a>'; + href="'.add_session_id(PHPWG_ROOT_PATH.$url.$category_id).'">'.$name.'</a>'; } } if ($replace_space) @@ -370,7 +370,7 @@ function get_html_menu_category($categories) } $menu.= '>'; - $url = PHPWG_ROOT_PATH.'category.php?cat='.$category['id']; + $url = add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$category['id']); $menu.= "\n".'<a href="'.$url.'">'.$category['name'].'</a>'; if ($category['nb_images'] > 0) diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php index 98a85c876..8a3bb911c 100644 --- a/include/functions_session.inc.php +++ b/include/functions_session.inc.php @@ -25,77 +25,115 @@ // | USA. | // +-----------------------------------------------------------------------+ -if (isset($conf['session_save_handler']) and ($conf['session_save_handler'] == 'db')) { - session_set_save_handler('pwg_session_open', - 'pwg_session_close', - 'pwg_session_read', - 'pwg_session_write', - 'pwg_session_destroy', - 'pwg_session_gc' - ); -} - -ini_set('session.use_cookies', $conf['session_use_cookies']); -ini_set('session.use_only_cookies', $conf['session_use_only_cookies']); -ini_set('session.use_trans_sid', $conf['session_use_trans_sid']); -ini_set('session.name', $conf['session_name']); - -function pwg_session_open($path, $name) +// The function generate_key creates a string with pseudo random characters. +// the size of the string depends on the $conf['session_id_size']. +// Characters used are a-z A-Z and numerical values. Examples : +// "Er4Tgh6", "Rrp08P", "54gj" +// input : none (using global variable) +// output : $key +function generate_key($size) { - return true; -} + global $conf; -function pwg_session_close() -{ - pwg_session_gc(); - return true; + $md5 = md5(substr(microtime(), 2, 6)); + $init = ''; + for ( $i = 0; $i < strlen( $md5 ); $i++ ) + { + if ( is_numeric( $md5[$i] ) ) $init.= $md5[$i]; + } + $init = substr( $init, 0, 8 ); + mt_srand( $init ); + $key = ''; + for ( $i = 0; $i < $size; $i++ ) + { + $c = mt_rand( 0, 2 ); + if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) ); + else if ( $c == 1 ) $key .= chr( mt_rand( 97, 122 ) ); + else $key .= mt_rand( 0, 9 ); + } + return $key; } -function pwg_session_read($session_id) +/** + * create a new session and returns the session identifier + * + * - find a non-already-used session key + * - create a session in database + * - return session identifier + * + * @param int userid + * @param int session_lentgh : in seconds + * @return string + */ +function session_create($userid, $session_length) { - $query = "SELECT data FROM " . SESSIONS_TABLE; - $query .= " WHERE id = '$session_id'"; - $result = pwg_query($query); - if ($result) { - $row = mysql_fetch_assoc($result); - return $row['data']; - } else { - return ''; + global $conf; + + // 1. searching an unused session key + $id_found = false; + while (!$id_found) + { + $generated_id = generate_key($conf['session_id_size']); + $query = ' +SELECT id + FROM '.SESSIONS_TABLE.' + WHERE id = \''.$generated_id.'\' +;'; + $result = pwg_query($query); + if (mysql_num_rows($result) == 0) + { + $id_found = true; + } } + // 3. inserting session in database + $query = ' +INSERT INTO '.SESSIONS_TABLE.' + (id,user_id,expiration) + VALUES + (\''.$generated_id.'\','.$userid.', + ADDDATE(NOW(), INTERVAL '.$session_length.' SECOND)) +;'; + pwg_query($query); + + $expiration = $session_length + time(); + setcookie('id', $generated_id, $expiration, cookie_path()); + + return $generated_id; } -function pwg_session_write($session_id, $data) +// add_session_id adds the id of the session to the string given in +// parameter as $url. If the session id is the first parameter to the url, +// it is preceded by a '?', else it is preceded by a '&'. If the +// parameter $redirect is set to true, '&' is used instead of '&'. +function add_session_id( $url, $redirect = false ) { - $query = "SELECT id FROM " . SESSIONS_TABLE; - $query .= " WHERE id = '$session_id'"; - $result = pwg_query($query); - if (mysql_num_rows($result)) { - $query = "UPDATE " . SESSIONS_TABLE . " SET expiration = now()"; - $query .= " WHERE id = '$session_id'"; - pwg_query($query); - } else { - $query = "INSERT INTO " . SESSIONS_TABLE . " (id,data,expiration)"; - $query .= " VALUES('$session_id','$data',now())"; - pwg_query($query); + global $page, $user, $conf; + + if ($user['is_the_guest'] + or $user['has_cookie'] + or $conf['apache_authentication']) + { + return $url; } - return true; -} -function pwg_session_destroy($session_id) -{ - $query = "DELETE FROM " . SESSIONS_TABLE; - $query .= " WHERE id = '$session_id'"; - pwg_query($query); - return true; + if (preg_match('/\.php\?/', $url)) + { + $separator = $redirect ? '&' : '&'; + } + else + { + $separator = '?'; + } + + return $url.$separator.'id='.$page['session_id']; } -function pwg_session_gc() +// cookie_path returns the path to use for the PhpWebGallery cookie. +// If PhpWebGallery is installed on : +// http://domain.org/meeting/gallery/category.php +// cookie_path will return : "/meeting/gallery" +function cookie_path() { - global $conf; - - $query = "DELETE FROM " . SESSIONS_TABLE; - $query .= " WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > " . $conf['session_length']; - pwg_query($query); - return true; + return substr($_SERVER['PHP_SELF'],0,strrpos( $_SERVER['PHP_SELF'],'/')); } ?> diff --git a/include/page_header.php b/include/page_header.php index 6891787bd..8bf830cf5 100644 --- a/include/page_header.php +++ b/include/page_header.php @@ -61,7 +61,7 @@ if ( isset( $refresh ) and intval($refresh) >= 0 and isset( $url_link ) ) $template->assign_vars( array( 'REFRESH_TIME' => $refresh, - 'U_REFRESH' => $url_link + 'U_REFRESH' => add_session_id( $url_link ) )); $template->assign_block_vars('refresh', array()); } diff --git a/include/user.inc.php b/include/user.inc.php index 04adde9ac..8b51935a0 100644 --- a/include/user.inc.php +++ b/include/user.inc.php @@ -26,24 +26,55 @@ // +-----------------------------------------------------------------------+ // retrieving connected user informations -if (isset($_COOKIE[session_name()])) +if (isset($_COOKIE['id'])) { - session_start(); - if (isset($_SESSION['id'])) - { - $user['id'] = $_SESSION['id']; - } - else - { - // session timeout - $user['id'] = $conf['guest_id']; - $user['is_the_guest'] = true; - } -} -else + $session_id = $_COOKIE['id']; + $user['has_cookie'] = true; +} +else if (isset($_GET['id'])) +{ + $session_id = $_GET['id']; + $user['has_cookie'] = false; +} +else +{ + $user['has_cookie'] = false; +} + +if (isset($session_id) + and ereg("^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id)) +{ + $page['session_id'] = $session_id; + $query = ' +SELECT user_id,expiration,NOW() AS now + FROM '.SESSIONS_TABLE.' + WHERE id = \''.$page['session_id'].'\' +;'; + $result = pwg_query($query); + if (mysql_num_rows($result) > 0) + { + $row = mysql_fetch_array($result); + if (strnatcmp($row['expiration'], $row['now']) < 0) + { + // deletion of the session from the database, because it is + // out-of-date + $delete_query = ' +DELETE FROM '.SESSIONS_TABLE.' + WHERE id = \''.$page['session_id'].'\' +;'; + pwg_query($delete_query); + } + else + { + $user['id'] = $row['user_id']; + $user['is_the_guest'] = false; + } + } +} +if (!isset($user['id'])) { - $user['id'] = $conf['guest_id']; - $user['is_the_guest'] = true; + $user['id'] = $conf['guest_id']; + $user['is_the_guest'] = true; } // using Apache authentication override the above user search |