aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--include/config.inc.php2
-rw-r--r--include/functions_session.inc.php46
-rw-r--r--include/user.inc.php53
3 files changed, 68 insertions, 33 deletions
diff --git a/include/config.inc.php b/include/config.inc.php
index 07b3bfb14..ae54d5616 100644
--- a/include/config.inc.php
+++ b/include/config.inc.php
@@ -62,7 +62,7 @@ $infos = array( 'prefix_thumbnail', 'webmaster', 'mail_webmaster', 'access',
'upload_available', 'upload_maxfilesize', 'upload_maxwidth',
'upload_maxheight', 'upload_maxwidth_thumbnail',
'upload_maxheight_thumbnail','log','comments_validation',
- 'comments_forall' );
+ 'comments_forall','authorize_cookies' );
$query = 'SELECT ';
foreach ( $infos as $i => $info ) {
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 6109456cc..34032b572 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -14,17 +14,22 @@
* the Free Software Foundation; *
* *
***************************************************************************/
+
+// The function generate_key creates a string with pseudo random characters.
+// the size of the string depends on the $conf['session_id_size'].
+// Characters used are a-z A-Z and numerical values. Examples :
+// "Er4Tgh6", "Rrp08P", "54gj"
+// input : none (using global variable)
+// output : $key
function generate_key()
{
global $conf;
+
$md5 = md5( substr( microtime(), 2, 6 ).$conf['session_keyword'] );
$init = '';
for ( $i = 0; $i < strlen( $md5 ); $i++ )
{
- if ( is_numeric( $md5[$i] ) )
- {
- $init.= $md5[$i];
- }
+ if ( is_numeric( $md5[$i] ) ) $init.= $md5[$i];
}
$init = substr( $init, 0, 8 );
mt_srand( $init );
@@ -32,26 +37,19 @@ function generate_key()
for ( $i = 0; $i < $conf['session_id_size']; $i++ )
{
$c = mt_rand( 0, 2 );
- if ( $c == 0 )
- {
- $key .= chr( mt_rand( 65, 90 ) );
- }
- else if ( $c == 1 )
- {
- $key .= chr( mt_rand( 97, 122 ) );
- }
- else
- {
- $key .= mt_rand( 0, 9 );
- }
+ if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) );
+ else if ( $c == 1 ) $key .= chr( mt_rand( 97, 122 ) );
+ else $key .= mt_rand( 0, 9 );
}
return $key;
}
-
+
+// The function create_session finds a non-already-used session key and
+// returns it once found for the given user.
function session_create( $username )
{
global $conf;
- // 1. searching an unused sesison key
+ // 1. searching an unused session key
$id_found = false;
while ( !$id_found )
{
@@ -89,6 +87,9 @@ function session_create( $username )
function add_session_id( $url, $redirect = false )
{
global $page, $user;
+
+ if ( $user['has_cookie'] ) return $url;
+
$amp = '&amp;';
if ( $redirect )
{
@@ -110,4 +111,13 @@ function add_session_id( $url, $redirect = false )
return $url;
}
}
+
+// cookie_path returns the path to use for the PhpWebGallery cookie.
+// If PhpWebGallery is installed on :
+// http://domain.org/meeting/gallery/category.php
+// cookie_path will return : "/meeting/gallery"
+function cookie_path()
+{
+ return substr($_SERVER['PHP_SELF'],0,strrpos( $_SERVER['PHP_SELF'],'/'));
+}
?> \ No newline at end of file
diff --git a/include/user.inc.php b/include/user.inc.php
index f950b3a1e..a90e8983d 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -32,35 +32,60 @@ foreach ( $infos as $i => $info ) {
$query_user.= ' FROM '.PREFIX_TABLE.'users';
$query_done = false;
$user['is_the_guest'] = false;
-if ( isset( $_GET['id'] )
- && ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $_GET['id'] ) )
+
+// cookie deletion if administrator don't authorize them anymore
+if ( !$conf['authorize_cookies'] and isset( $_COOKIE['id'] ) )
+{
+ setcookie( 'id', '', 0, cookie_path() );
+ $url = 'category.php';
+ header( 'Request-URI: '.$url );
+ header( 'Content-Location: '.$url );
+ header( 'Location: '.$url );
+ exit();
+}
+
+$user['has_cookie'] = false;
+if ( isset( $_GET['id'] ) ) $session_id = $_GET['id'];
+elseif ( isset( $_COOKIE['id'] ) )
{
- $page['session_id'] = $_GET['id'];
+ $session_id = $_COOKIE['id'];
+ $user['has_cookie'] = true;
+}
+
+if ( isset( $session_id )
+ and ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id ) )
+{
+ $page['session_id'] = $session_id;
$query = 'SELECT user_id,expiration,ip';
$query.= ' FROM '.PREFIX_TABLE.'sessions';
- $query.= " WHERE id = '".$_GET['id']."'";
+ $query.= " WHERE id = '".$page['session_id']."'";
$query.= ';';
$result = mysql_query( $query );
if ( mysql_num_rows( $result ) > 0 )
{
$row = mysql_fetch_array( $result );
- if ( $row['expiration'] < time() )
- {
- // deletion of the session from the database,
- // because it is out-of-date
- $delete_query = 'DELETE FROM '.PREFIX_TABLE.'sessions';
- $delete_query.= " WHERE id = '".$page['session_id']."'";
- $delete_query.= ';';
- mysql_query( $delete_query );
- }
- else
+ if ( !$user['has_cookie'] )
{
+ if ( $row['expiration'] < time() )
+ {
+ // deletion of the session from the database,
+ // because it is out-of-date
+ $delete_query = 'DELETE FROM '.PREFIX_TABLE.'sessions';
+ $delete_query.= " WHERE id = '".$page['session_id']."'";
+ $delete_query.= ';';
+ mysql_query( $delete_query );
+ }
if ( $_SERVER['REMOTE_ADDR'] == $row['ip'] )
{
$query_user .= ' WHERE id = '.$row['user_id'];
$query_done = true;
}
}
+ else
+ {
+ $query_user .= ' WHERE id = '.$row['user_id'];
+ $query_done = true;
+ }
}
}
if ( !$query_done )