Diffstat (limited to 'include')
-rw-r--r-- | include/config.inc.php | 2 | ||||
-rw-r--r-- | include/functions_session.inc.php | 46 | ||||
-rw-r--r-- | include/user.inc.php | 53 |
3 files changed, 68 insertions, 33 deletions
diff --git a/include/config.inc.php b/include/config.inc.php
index 07b3bfb14..ae54d5616 100644
--- a/include/config.inc.php
+++ b/include/config.inc.php
@@ -62,7 +62,7 @@ $infos = array( 'prefix_thumbnail', 'webmaster', 'mail_webmaster', 'access', 'upload_available', 'upload_maxfilesize', 'upload_maxwidth', 'upload_maxheight', 'upload_maxwidth_thumbnail', 'upload_maxheight_thumbnail','log','comments_validation',
- 'comments_forall' );
+ 'comments_forall','authorize_cookies' );
 $query = 'SELECT ';
 foreach ( $infos as $i => $info ) {
diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php
index 6109456cc..34032b572 100644
--- a/include/functions_session.inc.php
+++ b/include/functions_session.inc.php
@@ -14,17 +14,22 @@ * the Free Software Foundation; * * * ***************************************************************************/
+
+// The function generate_key creates a string with pseudo random characters.
+// the size of the string depends on the $conf['session_id_size'].
+// Characters used are a-z A-Z and numerical values. Examples :
+// "Er4Tgh6", "Rrp08P", "54gj"
+// input : none (using global variable)
+// output : $key
 function generate_key()
 {
 global $conf;
+
 $md5 = md5( substr( microtime(), 2, 6 ).$conf['session_keyword'] );
 $init = '';
 for ( $i = 0; $i < strlen( $md5 ); $i++ )
 {
- if ( is_numeric( $md5[$i] ) )
- {
- $init.= $md5[$i];
- }
+ if ( is_numeric( $md5[$i] ) ) $init.= $md5[$i];
 }
 $init = substr( $init, 0, 8 );
 mt_srand( $init );
@@ -32,26 +37,19 @@ function generate_key()
 for ( $i = 0; $i < $conf['session_id_size']; $i++ )
 {
 $c = mt_rand( 0, 2 );
- if ( $c == 0 )
- {
- $key .= chr( mt_rand( 65, 90 ) );
- }
- else if ( $c == 1 )
- {
- $key .= chr( mt_rand( 97, 122 ) );
- }
- else
- {
- $key .= mt_rand( 0, 9 );
- }
+ if ( $c == 0 ) $key .= chr( mt_rand( 65, 90 ) );
+ else if ( $c == 1 ) $key .= chr( mt_rand( 97, 122 ) );
+ else $key .= mt_rand( 0, 9 );
 }
 return $key;
 }
-
+
+// The function create_session finds a non-already-used session key and
+// returns it once found for the given user.
 function session_create( $username )
 {
 global $conf;
- // 1. searching an unused sesison key
+ // 1. searching an unused session key
 $id_found = false;
 while ( !$id_found )
 {
@@ -89,6 +87,9 @@ function session_create( $username )
 function add_session_id( $url, $redirect = false )
 {
 global $page, $user;
+
+ if ( $user['has_cookie'] ) return $url;
+
 $amp = '&';
 if ( $redirect )
 {
@@ -110,4 +111,13 @@ function add_session_id( $url, $redirect = false )
 return $url;
 }
 }
+
+// cookie_path returns the path to use for the PhpWebGallery cookie.
+// If PhpWebGallery is installed on :
+// http://domain.org/meeting/gallery/category.php
+// cookie_path will return : "/meeting/gallery"
+function cookie_path()
+{
+ return substr($_SERVER['PHP_SELF'],0,strrpos( $_SERVER['PHP_SELF'],'/'));
+}
 ?>
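Review bot: The new header comment presents generate_key's output as pseudo-random, but the seed handed to mt_srand is built from only `substr( microtime(), 2, 6 )` (six digits) mixed with $conf['session_keyword'] through md5 and cut to eight decimal digits, so for a given keyword the seed, and therefore the key, can take at most about a million distinct values regardless of $conf['session_id_size']; with this commit the same key is also stored in a persistent cookie, so its guessability matters more than before. Do not reseed mt_rand per call; read the key material from the platform's entropy source where the runtime provides one (e.g. `random_bytes()` on PHP 7+, or /dev/urandom) and map it onto the a-z A-Z 0-9 alphabet the comment describes. The comment should also state that the key acts as the user's credential, which is why the quality of the randomness matters. generate_key's body continues in the next hunk.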
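Review bot: cookie_path builds the cookie path from $_SERVER['PHP_SELF'], which carries any path-info suffix the client appends to the script URL, so the path later passed to setcookie() in user.inc.php is partly under the requester's control rather than fixed by where the gallery is installed; it also varies with the directory of the running script, so if the cookie is set from a script in another directory (the setting call is not in this diff) the clearing call may use a different path and the browser will keep the cookie. Derive the path from $_SERVER['SCRIPT_NAME'], or better from a single configured base path kept next to the new 'authorize_cookies' option, and say in the comment that every setcookie() call on the 'id' cookie must use the same path. Where the site is served over TLS, also pass setcookie()'s secure flag so the session key is never sent in clear. The added header lines describe the expected result but not these constraints.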
\ No newline at end of file
diff --git a/include/user.inc.php b/include/user.inc.php
index f950b3a1e..a90e8983d 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -32,35 +32,60 @@ foreach ( $infos as $i => $info ) {
 $query_user.= ' FROM '.PREFIX_TABLE.'users';
 $query_done = false;
 $user['is_the_guest'] = false;
-if ( isset( $_GET['id'] )
- && ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $_GET['id'] ) )
+
+// cookie deletion if administrator don't authorize them anymore
+if ( !$conf['authorize_cookies'] and isset( $_COOKIE['id'] ) )
+{
+ setcookie( 'id', '', 0, cookie_path() );
+ $url = 'category.php';
+ header( 'Request-URI: '.$url );
+ header( 'Content-Location: '.$url );
+ header( 'Location: '.$url );
+ exit();
+}
+
+$user['has_cookie'] = false;
+if ( isset( $_GET['id'] ) ) $session_id = $_GET['id'];
+elseif ( isset( $_COOKIE['id'] ) )
 {
- $page['session_id'] = $_GET['id'];
+ $session_id = $_COOKIE['id'];
+ $user['has_cookie'] = true;
+}
+
+if ( isset( $session_id )
+ and ereg( "^[0-9a-zA-Z]{".$conf['session_id_size']."}$", $session_id ) )
+{
+ $page['session_id'] = $session_id;
 $query = 'SELECT user_id,expiration,ip';
 $query.= ' FROM '.PREFIX_TABLE.'sessions';
- $query.= " WHERE id = '".$_GET['id']."'";
+ $query.= " WHERE id = '".$page['session_id']."'";
 $query.= ';';
 $result = mysql_query( $query );
 if ( mysql_num_rows( $result ) > 0 )
 {
 $row = mysql_fetch_array( $result );
- if ( $row['expiration'] < time() )
- {
- // deletion of the session from the database,
- // because it is out-of-date
- $delete_query = 'DELETE FROM '.PREFIX_TABLE.'sessions';
- $delete_query.= " WHERE id = '".$page['session_id']."'";
- $delete_query.= ';';
- mysql_query( $delete_query );
- }
- else
+ if ( !$user['has_cookie'] )
 {
+ if ( $row['expiration'] < time() )
+ {
+ // deletion of the session from the database,
+ // because it is out-of-date
+ $delete_query = 'DELETE FROM '.PREFIX_TABLE.'sessions';
+ $delete_query.= " WHERE id = '".$page['session_id']."'";
+ $delete_query.= ';';
+ mysql_query( $delete_query );
+ }
 if ( $_SERVER['REMOTE_ADDR'] == $row['ip'] )
 {
 $query_user .= ' WHERE id = '.$row['user_id'];
 $query_done = true;
 }
 }
+ else
+ {
+ $query_user .= ' WHERE id = '.$row['user_id'];
+ $query_done = true;
+ }
 }
 }
 if ( !$query_done ) |
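Review bot: The restructured block under mysql_num_rows no longer ties acceptance to a non-expired session: on the URL path the old `else` is gone, so an expired row is deleted and then, on the same request, still accepted when REMOTE_ADDR matches, and on the new cookie path both the expiration test and the address comparison are skipped, so a key presented in a cookie is honoured from any address for as long as the row exists and that row is never cleaned up. Keep the expiration test in front of both paths and relax only the address comparison for cookies, if that relaxation is intended, with a comment saying why; a sketch of that shape is below. `$session_id` is also never initialised before the if/elseif chain, so `isset( $session_id )` can be satisfied by a value from elsewhere when register_globals is on; add `$session_id = null;` ahead of the chain. The SQL built from $page['session_id'] is covered by the ereg pattern, which this commit leaves as it was.
```php
$row = mysql_fetch_array( $result );
if ( $row['expiration'] < time() )
{
  // … unchanged: deletion of the out-of-date session row …
}
// the expiration test above now applies to cookie-borne keys as well;
// only the address comparison is relaxed for them
elseif ( $user['has_cookie'] or $_SERVER['REMOTE_ADDR'] == $row['ip'] )
{
  $query_user .= ' WHERE id = '.$row['user_id'];
  $query_done = true;
}
```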