author | nikrou <nikrou@piwigo.org> | 2006-01-18 15:16:30 +0000 |
---|---|---|
committer | nikrou <nikrou@piwigo.org> | 2006-01-18 15:16:30 +0000 |
commit | 9410522e9f7d077bb4830158b6f01276a55276b3 (patch) | |
tree | 71350bab981b46a242669dd83543bae5ab08f28d /include | |
parent | 9e1fabeaf7b27d0b03227965dce2f9214b3ac655 (diff) |
bug fix 261: improve security of sessions (next to svn:1004):
- improve presentation code style
- add upgrade database file
git-svn-id: http://piwigo.org/svn/trunk@1007 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r-- | include/config_default.inc.php | 19 | ||||
-rw-r--r-- | include/functions_session.inc.php | 82 |
2 files changed, 65 insertions, 36 deletions
diff --git a/include/config_default.inc.php b/include/config_default.inc.php
index 31362a463..52fed3acc 100644
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -264,19 +264,22 @@ $conf['use_exif_mapping'] = array(
 // | sessions |
 // +-----------------------------------------------------------------------+
-// specifies to use cookie to store the session id on client side
-$conf['session_use_cookies'] = 1;
+// session_use_cookies: specifies to use cookie to store
+// the session id on client side
+$conf['session_use_cookies'] = true;
-// specifies to only use cookie to store the session id on client side
-$conf['session_use_only_cookies'] = 1;
+// session_use_only_cookies: specifies to only use cookie to store
+// the session id on client side
+$conf['session_use_only_cookies'] = true;
-// do not use transparent session id support
-$conf['session_use_trans_sid'] = 0;
+// session_use_trans_sid: do not use transparent session id support
+$conf['session_use_trans_sid'] = false;
-// specifies the name of the session which is used as cookie name
+// session_name: specifies the name of the session which is used as cookie name
 $conf['session_name'] = 'pwg_id';
-// comment the line below to use file handler for sessions.
+// session_save_handler: comment the line below
+// to use file handler for sessions.
 $conf['session_save_handler'] = 'db';
 // authorize_remembering : permits user to stay logged for a long time. It
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 98a85c876..bc3bb12ca 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -25,20 +25,33 @@
 // | USA. |
 // +-----------------------------------------------------------------------+
-if (isset($conf['session_save_handler']) and ($conf['session_save_handler'] == 'db')) {
+if (isset($conf['session_save_handler'])
+ and ($conf['session_save_handler'] == 'db'))
+{
 session_set_save_handler('pwg_session_open',
- 'pwg_session_close',
- 'pwg_session_read',
- 'pwg_session_write',
- 'pwg_session_destroy',
- 'pwg_session_gc'
- );
+ 'pwg_session_close',
+ 'pwg_session_read',
+ 'pwg_session_write',
+ 'pwg_session_destroy',
+ 'pwg_session_gc'
+ );
+}
+if (isset($conf['session_use_cookies']))
+{
+ ini_set('session.use_cookies', $conf['session_use_cookies']);
+}
+if (isset($conf['session_use_only_cookies']))
+{
+ ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
+}
+if (isset($conf['session_use_trans_sid']))
+{
+ ini_set('session.use_trans_sid', intval($conf['session_use_trans_sid']));
+}
+if (isset($conf['session_name']))
+{
+ ini_set('session.name', $conf['session_name']);
 }
-
-ini_set('session.use_cookies', $conf['session_use_cookies']);
-ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
-ini_set('session.use_trans_sid', $conf['session_use_trans_sid']);
-ini_set('session.name', $conf['session_name']);
 function pwg_session_open($path, $name)
 {
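Review bot: Only the `session_use_trans_sid` value goes through `intval()` before `ini_set`, while `session_use_cookies` and `session_use_only_cookies` are passed as the raw config value, which the companion config hunk now sets to `true`/`false`; `ini_set` stringifies a bool to `'1'` or `''`, so the three calls work but read inconsistently and the empty-string case is easy to misread later. Applying the same conversion to all three makes the intent explicit: `ini_set('session.use_cookies', intval($conf['session_use_cookies']));` and `ini_set('session.use_only_cookies', intval($conf['session_use_only_cookies']));`. The new `isset()` guards also mean a key removed from `$conf` silently falls back to the php.ini default, which for `session.use_only_cookies` is presumably the weaker setting on older installs; a one-line comment above the block saying that the values in config_default.inc.php are the intended security baseline and should not be unset would document that.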
@@ -53,29 +66,39 @@ function pwg_session_close()
 function pwg_session_read($session_id)
 {
- $query = "SELECT data FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+SELECT data FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$session_id.'\'';
 $result = pwg_query($query);
- if ($result) {
+ if ($result)
+ {
 $row = mysql_fetch_assoc($result);
 return $row['data'];
- } else {
+ }
+ else
+ {
 return '';
 }
 }
 function pwg_session_write($session_id, $data)
 {
- $query = "SELECT id FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+SELECT id FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$session_id.'\'';
 $result = pwg_query($query);
- if (mysql_num_rows($result)) {
- $query = "UPDATE " . SESSIONS_TABLE . " SET expiration = now()";
- $query .= " WHERE id = '$session_id'";
+ if (mysql_num_rows($result))
+ {
+ $query = '
+UPDATE '.SESSIONS_TABLE.' SET expiration = now()
+ WHERE id = \''.$session_id.'\'';
 pwg_query($query);
- } else {
- $query = "INSERT INTO " . SESSIONS_TABLE . " (id,data,expiration)";
- $query .= " VALUES('$session_id','$data',now())";
+ }
+ else
+ {
+ $query = '
+INSERT INTO '.SESSIONS_TABLE.'(id,data,expiration)
+ VALUES(\''.$session_id.'\',\''.$data.'\',now())';
 pwg_query($query);
 }
 return true;
@@ -83,8 +106,9 @@ function pwg_session_write($session_id, $data)
 function pwg_session_destroy($session_id)
 {
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
+ $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+ WHERE id = '.$session_id;
 pwg_query($query);
 return true;
 }
@@ -93,8 +117,10 @@ function pwg_session_gc()
 {
 global $conf;
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > " . $conf['session_length'];
+ $query = '
+DELETE FROM '.SESSIONS_TABLE.'
+ WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > '
+    .$conf['session_length'];
 pwg_query($query);
 return true;
 }
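Review bot: `pwg_session_read` and `pwg_session_write` still concatenate `$session_id` and `$data` straight into the SQL text with no escaping, and `$session_id` is whatever the client sent in the cookie (or the URL while trans_sid is enabled), so the rewrite changes the quoting style but not the injection exposure the commit message says it is fixing; the DELETE in the `pwg_session_destroy` hunk below has the same gap. Escaping each value once at the top of the handler with the mysql_* API the file already uses, `$session_id = mysql_real_escape_string($session_id);` and, in `pwg_session_write`, `$data = mysql_real_escape_string($data);`, or rejecting an id that does not match the expected alphanumeric form before querying, closes this without changing the queries. Separately, the UPDATE branch in `pwg_session_write` only sets `expiration = now()` and never stores `$data`, so updates to an existing session presumably never reach the table; `SET data = \''.$data.'\', expiration = now()` looks like the intended statement, to be confirmed against how callers rely on session data.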
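Review bot: The rewritten DELETE in `pwg_session_destroy` drops the quotes around the id (`WHERE id = '.$session_id`) that the removed line and every other query in this file keep, so a non-numeric session id is parsed by MySQL as a column name, the statement errors, and the row stays in place while the function still returns true. An unquoted, unescaped client-supplied value is also the weakest point for injection in the file. Restore the quoting to match `pwg_session_read`, `  WHERE id = \''.$session_id.'\'';`, and pass the id through `mysql_real_escape_string` before building the query.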