Diffstat (limited to 'include')
-rw-r--r--include/category_calendar.inc.php11
-rw-r--r--include/category_default.inc.php2
-rw-r--r--include/category_recent_cats.inc.php2
-rw-r--r--include/category_subcats.inc.php2
-rw-r--r--include/config_default.inc.php25
-rw-r--r--include/functions_category.inc.php2
-rw-r--r--include/functions_html.inc.php20
-rw-r--r--include/functions_session.inc.php154
-rw-r--r--include/page_header.php2
-rw-r--r--include/user.inc.php63
10 files changed, 174 insertions, 109 deletions
diff --git a/include/category_calendar.inc.php b/include/category_calendar.inc.php
index fb2fffd09..a355a9339 100644
--- a/include/category_calendar.inc.php
+++ b/include/category_calendar.inc.php
@@ -67,6 +67,7 @@ foreach ($calendar_years as $calendar_year => $nb_picture_year)
{
$url = PHPWG_ROOT_PATH.'category.php?cat=calendar';
$url.= '&year='.$calendar_year;
+ $url = add_session_id($url);
$years_nav_bar.= ' <a href="'.$url.'">'.$calendar_year.'</a>';
}
}
@@ -123,7 +124,7 @@ SELECT DISTINCT(MONTH('.$conf['calendar_datefield'].')) AS month
$url = PHPWG_ROOT_PATH.'category.php?cat=calendar&amp;month=';
$url.= $page['calendar_year'].'.'.sprintf('%02s', $calendar_month);
$months_nav_bar.= ' ';
- $months_nav_bar.= '<a href="'.$url.'">';
+ $months_nav_bar.= '<a href="'.add_session_id($url).'">';
$months_nav_bar.= $lang['month'][(int)$calendar_month];
$months_nav_bar.= '</a>';
}
@@ -247,7 +248,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path
'IMAGE_ALT'=>$row['file'],
'IMAGE_TITLE'=>$thumbnail_title,
- 'U_IMG_LINK'=>$url_link
+ 'U_IMG_LINK'=>add_session_id($url_link)
)
);
@@ -307,7 +308,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path
'IMAGE_ALT'=>$row['file'],
'IMAGE_TITLE'=>$thumbnail_title,
- 'U_IMG_LINK'=>$url_link
+ 'U_IMG_LINK'=>add_session_id($url_link)
)
);
@@ -361,7 +362,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path
'IMAGE_ALT'=>$row['file'],
'IMAGE_TITLE'=>$thumbnail_title,
- 'U_IMG_LINK'=>$url_link
+ 'U_IMG_LINK'=>add_session_id($url_link)
)
);
@@ -435,7 +436,7 @@ SELECT file,tn_ext,'.$conf['calendar_datefield'].',path
'IMAGE_ALT'=>$row['file'],
'IMAGE_TITLE'=>$thumbnail_title,
- 'U_IMG_LINK'=>$url_link
+ 'U_IMG_LINK'=>add_session_id($url_link)
)
);
diff --git a/include/category_default.inc.php b/include/category_default.inc.php
index 0965b331e..d553e9e05 100644
--- a/include/category_default.inc.php
+++ b/include/category_default.inc.php
@@ -89,7 +89,7 @@ while ($row = mysql_fetch_array($result))
'IMAGE_TITLE' => $thumbnail_title,
'IMAGE_TS' => get_icon($row['date_available']),
- 'U_IMG_LINK' => $url_link
+ 'U_IMG_LINK' => add_session_id($url_link)
)
);
diff --git a/include/category_recent_cats.inc.php b/include/category_recent_cats.inc.php
index 298def21d..1b3e84f1e 100644
--- a/include/category_recent_cats.inc.php
+++ b/include/category_recent_cats.inc.php
@@ -78,7 +78,7 @@ while ( $row = mysql_fetch_array( $result ) )
'IMAGE_ALT' => $row['file'],
'IMAGE_TITLE' => $lang['hint_category'],
- 'U_IMG_LINK' => $url_link
+ 'U_IMG_LINK' => add_session_id($url_link)
)
);
diff --git a/include/category_subcats.inc.php b/include/category_subcats.inc.php
index 5f64a3a7f..8e40d8498 100644
--- a/include/category_subcats.inc.php
+++ b/include/category_subcats.inc.php
@@ -152,7 +152,7 @@ SELECT id, path, tn_ext
'IMAGE_TITLE' => $lang['hint_category'],
'IMAGE_TS' => get_icon(@$item['date_last']),
'U_IMG_LINK' =>
- PHPWG_ROOT_PATH.'category.php?cat='.$item['category']
+ add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$item['category'])
)
);
diff --git a/include/config_default.inc.php b/include/config_default.inc.php
index 96272dee6..33b9eab0b 100644
--- a/include/config_default.inc.php
+++ b/include/config_default.inc.php
@@ -256,21 +256,6 @@ $conf['use_exif_mapping'] = array(
// | sessions |
// +-----------------------------------------------------------------------+
-// specifies to use cookie to store the session id on client side
-$conf['session_use_cookies'] = 1;
-
-// specifies to only use cookie to store the session id on client side
-$conf['session_use_only_cookies'] = 1;
-
-// do not use transparent session id support
-$conf['session_use_trans_sid'] = 0;
-
-// specifies the name of the session which is used as cookie name
-$conf['session_name'] = 'pwg_id';
-
-// comment the line below to use file handler for sessions.
-$conf['session_save_handler'] = 'db';
-
// authorize_remembering : permits user to stay logged for a long time. It
// creates a cookie on client side.
$conf['authorize_remembering'] = true;
@@ -282,6 +267,16 @@ $conf['remember_me_length'] = 31536000;
// session_length : time of validity for normal session, in seconds.
$conf['session_length'] = 3600;
+// session_id_size : a session identifier is compound of alphanumeric
+// characters and is case sensitive. Each character is among 62
+// possibilities. The number of possible sessions is
+// 62^$conf['session_id_size'].
+//
+// 62^5 = 916,132,832
+// 62^10 = 839,299,365,868,340,224
+//
+$conf['session_id_size'] = 10;
+
// +-----------------------------------------------------------------------+
// | debug |
// +-----------------------------------------------------------------------+
diff --git a/include/functions_category.inc.php b/include/functions_category.inc.php
index 4c5f1f4be..ad118a905 100644
--- a/include/functions_category.inc.php
+++ b/include/functions_category.inc.php
@@ -47,7 +47,7 @@ function check_restrictions($category_id)
if (in_array($category_id, explode(',', $user['forbidden_categories'])))
{
echo '<div style="text-align:center;">'.$lang['access_forbiden'].'<br />';
- echo '<a href="./category.php">';
+ echo '<a href="'.add_session_id( './category.php' ).'">';
echo $lang['thumbnails'].'</a></div>';
exit();
}
diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php
index a2c45b7ef..50a999854 100644
--- a/include/functions_html.inc.php
+++ b/include/functions_html.inc.php
@@ -82,7 +82,7 @@ function create_navigation_bar($url, $nb_element, $start,
if ($cur_page != 1)
{
$navbar.= '<a href="';
- $navbar.= $url.'&amp;start=0';
+ $navbar.= add_session_id($url.'&amp;start=0');
$navbar.= '" class="'.$link_class.'">'.$lang['first_page'];
$navbar.= '</a>';
}
@@ -96,7 +96,7 @@ function create_navigation_bar($url, $nb_element, $start,
{
$previous = $start - $nb_element_page;
$navbar.= '<a href="';
- $navbar.= $url.'&amp;start='.$previous;
+ $navbar.= add_session_id( $url.'&amp;start='.$previous );
$navbar.= '" class="'.$link_class.'">'.$lang['previous_page'];
$navbar.= '</a>';
}
@@ -109,7 +109,7 @@ function create_navigation_bar($url, $nb_element, $start,
if ($cur_page > $pages_around + 1)
{
$navbar.= '&nbsp;<a href="';
- $navbar.= $url.'&amp;start=0';
+ $navbar.= add_session_id($url.'&amp;start=0');
$navbar.= '" class="'.$link_class.'">1</a>';
if ($cur_page > $pages_around + 2)
{
@@ -130,7 +130,7 @@ function create_navigation_bar($url, $nb_element, $start,
{
$temp_start = ($i - 1) * $nb_element_page;
$navbar.= '&nbsp;<a href="';
- $navbar.= $url.'&amp;start='.$temp_start;
+ $navbar.= add_session_id($url.'&amp;start='.$temp_start);
$navbar.= '" class="'.$link_class.'">'.$i.'</a>';
}
else
@@ -148,7 +148,7 @@ function create_navigation_bar($url, $nb_element, $start,
$navbar.= ' ...';
}
$navbar.= ' <a href="';
- $navbar.= $url.'&amp;start='.$temp_start;
+ $navbar.= add_session_id($url.'&amp;start='.$temp_start);
$navbar.= '" class="'.$link_class.'">'.$maximum.'</a>';
}
@@ -159,7 +159,7 @@ function create_navigation_bar($url, $nb_element, $start,
{
$next = $start + $nb_element_page;
$navbar.= '<a href="';
- $navbar.= $url.'&amp;start='.$next;
+ $navbar.= add_session_id( $url.'&amp;start='.$next );
$navbar.= '" class="'.$link_class.'">'.$lang['next_page'].'</a>';
}
else
@@ -173,7 +173,7 @@ function create_navigation_bar($url, $nb_element, $start,
{
$temp_start = ($maximum - 1) * $nb_element_page;
$navbar.= '<a href="';
- $navbar.= $url.'&amp;start='.$temp_start;
+ $navbar.= add_session_id($url.'&amp;start='.$temp_start);
$navbar.= '" class="'.$link_class.'">'.$lang['last_page'];
$navbar.= '</a>';
}
@@ -242,7 +242,7 @@ function get_cat_display_name($cat_informations,
else
{
$output.= '<a class=""';
- $output.= ' href="'.PHPWG_ROOT_PATH.$url.$id.'">';
+ $output.= ' href="'.add_session_id(PHPWG_ROOT_PATH.$url.$id).'">';
$output.= $name.'</a>';
}
}
@@ -311,7 +311,7 @@ SELECT id,name
{
$output.= '
<a class=""
- href="'.PHPWG_ROOT_PATH.$url.$category_id.'">'.$name.'</a>';
+ href="'.add_session_id(PHPWG_ROOT_PATH.$url.$category_id).'">'.$name.'</a>';
}
}
if ($replace_space)
@@ -370,7 +370,7 @@ function get_html_menu_category($categories)
}
$menu.= '>';
- $url = PHPWG_ROOT_PATH.'category.php?cat='.$category['id'];
+ $url = add_session_id(PHPWG_ROOT_PATH.'category.php?cat='.$category['id']);
$menu.= "\n".'<a href="'.$url.'">'.$category['name'].'</a>';
if ($category['nb_images'] > 0)
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 98a85c876..8a3bb911c 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -25,77 +25,115 @@
// | USA. |
// +-----------------------------------------------------------------------+
-if (isset($conf['session_save_handler']) and ($conf['session_save_handler'] == 'db')) {
- session_set_save_handler('pwg_session_open',
- 'pwg_session_close',
- 'pwg_session_read',
- 'pwg_session_write',
- 'pwg_session_destroy',
- 'pwg_session_gc'
- );
-}
-
-ini_set('session.use_cookies', $conf['session_use_cookies']);
-ini_set('session.use_only_cookies', $conf['session_use_only_cookies']);
-ini_set('session.use_trans_sid', $conf['session_use_trans_sid']);
-ini_set('session.name', $conf['session_name']);
-
-function pwg_session_open($path, $name)
+// The function generate_key creates a string with pseudo random characters.
+// the size of the string depends on the $conf['session_id_size'].
+// Characters used are a-z A-Z and numerical values. Examples :
+// "Er4Tgh6", "Rrp08P", "54gj"
+// input : none (using global variable)
+// output : $key
+function generate_key($size)
{
- return true;
-}
+ global $conf;
-function pwg_session_close()
-{
- pwg_session_gc();
- return true;
+ $md5 = md5(substr(microtime(), 2, 6));
+ $init = '';
+ for ( $i = 0; $i < strlen( $md5 ); $i++ )
+ {
+ if ( is_numeric( $md5[$i] ) ) $init.= $md5[$i];
+ }
+ $init = substr( $init, 0, 8 );
+ mt_srand( $init );
+ $key = '';
+ for ( $i = 0; $i < $size; $i++ )
+ {
+ $c = mt_rand( 0, 2 );
+ if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) );
+ else if ( $c == 1 ) $key .= chr( mt_rand( 97, 122 ) );
+ else $key .= mt_rand( 0, 9 );
+ }
+ return $key;
}
-function pwg_session_read($session_id)
+/**
+ * create a new session and returns the session identifier
+ *
+ * - find a non-already-used session key
+ * - create a session in database
+ * - return session identifier
+ *
+ * @param int userid
+ * @param int session_lentgh : in seconds
+ * @return string
+ */
+function session_create($userid, $session_length)
{
- $query = "SELECT data FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
- $result = pwg_query($query);
- if ($result) {
- $row = mysql_fetch_assoc($result);
- return $row['data'];
- } else {
- return '';
+ global $conf;
+
+ // 1. searching an unused session key
+ $id_found = false;
+ while (!$id_found)
+ {
+ $generated_id = generate_key($conf['session_id_size']);
+ $query = '
+SELECT id
+ FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$generated_id.'\'
+;';
+ $result = pwg_query($query);
+ if (mysql_num_rows($result) == 0)
+ {
+ $id_found = true;
+ }
}
+ // 3. inserting session in database
+ $query = '
+INSERT INTO '.SESSIONS_TABLE.'
+ (id,user_id,expiration)
+ VALUES
+ (\''.$generated_id.'\','.$userid.',
+ ADDDATE(NOW(), INTERVAL '.$session_length.' SECOND))
+;';
+ pwg_query($query);
+
+ $expiration = $session_length + time();
+ setcookie('id', $generated_id, $expiration, cookie_path());
+
+ return $generated_id;
}
-function pwg_session_write($session_id, $data)
+// add_session_id adds the id of the session to the string given in
+// parameter as $url. If the session id is the first parameter to the url,
+// it is preceded by a '?', else it is preceded by a '&amp;'. If the
+// parameter $redirect is set to true, '&' is used instead of '&'.
+function add_session_id( $url, $redirect = false )
{
- $query = "SELECT id FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
- $result = pwg_query($query);
- if (mysql_num_rows($result)) {
- $query = "UPDATE " . SESSIONS_TABLE . " SET expiration = now()";
- $query .= " WHERE id = '$session_id'";
- pwg_query($query);
- } else {
- $query = "INSERT INTO " . SESSIONS_TABLE . " (id,data,expiration)";
- $query .= " VALUES('$session_id','$data',now())";
- pwg_query($query);
+ global $page, $user, $conf;
+
+ if ($user['is_the_guest']
+ or $user['has_cookie']
+ or $conf['apache_authentication'])
+ {
+ return $url;
}
- return true;
-}
-function pwg_session_destroy($session_id)
-{
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE id = '$session_id'";
- pwg_query($query);
- return true;
+ if (preg_match('/\.php\?/', $url))
+ {
+ $separator = $redirect ? '&' : '&amp;';
+ }
+ else
+ {
+ $separator = '?';
+ }
+
+ return $url.$separator.'id='.$page['session_id'];
}
-function pwg_session_gc()
+// cookie_path returns the path to use for the PhpWebGallery cookie.
+// If PhpWebGallery is installed on :
+// http://domain.org/meeting/gallery/category.php
+// cookie_path will return : "/meeting/gallery"
+function cookie_path()
{
- global $conf;
-
- $query = "DELETE FROM " . SESSIONS_TABLE;
- $query .= " WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(expiration) > " . $conf['session_length'];
- pwg_query($query);
- return true;
+ return substr($_SERVER['PHP_SELF'],0,strrpos( $_SERVER['PHP_SELF'],'/'));
}
?>
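Review bot: generate_key derives every session identifier from `mt_srand()` seeded with the digits of `md5(substr(microtime(), 2, 6))`, so the whole key is a deterministic function of a six-digit microsecond value and the effective key space is at most about 10^6 identifiers whatever `$conf['session_id_size']` says; the accompanying comment in config_default.inc.php (62^10 possible sessions) therefore overstates the guessing cost by many orders of magnitude. The seeding block and the three-way `mt_rand(0, 2)` class selection should be replaced by one unseeded CSPRNG draw per character from a 62-character alphabet, which also lets the unused `global $conf;` go and makes the stale "input : none (using global variable)" header line true to the `$size` parameter. In session_create, `$userid` and `$session_length` are concatenated unquoted into the INSERT; if callers pass anything other than ints, casting them with `intval()` first keeps the statement safe, and since add_session_id carries the identifier in the URL for cookie-less clients it will appear in Referer headers and access logs, which is worth stating in the add_session_id comment. cookie_path builds the cookie path from `$_SERVER['PHP_SELF']`, which can include request-supplied PATH_INFO; `$_SERVER['SCRIPT_NAME']` gives the same directory without that influence.
```php
function generate_key($size)
{
  $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  $key = '';
  for ($i = 0; $i < $size; $i++)
  {
    // one CSPRNG draw per character; no manual seeding of mt_rand
    $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
  }
  return $key;
}
```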
diff --git a/include/page_header.php b/include/page_header.php
index 6891787bd..8bf830cf5 100644
--- a/include/page_header.php
+++ b/include/page_header.php
@@ -61,7 +61,7 @@ if ( isset( $refresh ) and intval($refresh) >= 0 and isset( $url_link ) )
$template->assign_vars(
array(
'REFRESH_TIME' => $refresh,
- 'U_REFRESH' => $url_link
+ 'U_REFRESH' => add_session_id( $url_link )
));
$template->assign_block_vars('refresh', array());
}
diff --git a/include/user.inc.php b/include/user.inc.php
index 04adde9ac..8b51935a0 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -26,24 +26,55 @@
// +-----------------------------------------------------------------------+
// retrieving connected user informations
-if (isset($_COOKIE[session_name()]))
+if (isset($_COOKIE['id']))
{
- session_start();
- if (isset($_SESSION['id']))
- {
- $user['id'] = $_SESSION['id'];
- }
- else
- {
- // session timeout
- $user['id'] = $conf['guest_id'];
- $user['is_the_guest'] = true;
- }
-}
-else
+ $session_id = $_COOKIE['id'];
+ $user['has_cookie'] = true;
+}
+else if (isset($_GET['id']))
+{
+ $session_id = $_GET['id'];
+ $user['has_cookie'] = false;
+}
+else
+{
+ $user['has_cookie'] = false;
+}
+
+if (isset($session_id)
+ and ereg("^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id))
+{
+ $page['session_id'] = $session_id;
+ $query = '
+SELECT user_id,expiration,NOW() AS now
+ FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$page['session_id'].'\'
+;';
+ $result = pwg_query($query);
+ if (mysql_num_rows($result) > 0)
+ {
+ $row = mysql_fetch_array($result);
+ if (strnatcmp($row['expiration'], $row['now']) < 0)
+ {
+ // deletion of the session from the database, because it is
+ // out-of-date
+ $delete_query = '
+DELETE FROM '.SESSIONS_TABLE.'
+ WHERE id = \''.$page['session_id'].'\'
+;';
+ pwg_query($delete_query);
+ }
+ else
+ {
+ $user['id'] = $row['user_id'];
+ $user['is_the_guest'] = false;
+ }
+ }
+}
+if (!isset($user['id']))
{
- $user['id'] = $conf['guest_id'];
- $user['is_the_guest'] = true;
+ $user['id'] = $conf['guest_id'];
+ $user['is_the_guest'] = true;
}
// using Apache authentication override the above user search