author | VirtualTam <virtualtam@flibidi.net> | 2015-09-03 23:12:58 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2015-09-06 16:14:24 +0200 |
commit | 68bc21353a6138a898724c8bb87684bb2b6b2c1c (patch) | |
tree | 8c100e6ca4cba5870640cf3e0ec688b1f0fa7474 /index.php | |
parent | a02257b8aed58ef2f8536c877ce2fb222f84ac40 (diff) | |
Session ID: extend the regex to match possible hash representations
Improves #306
Relates to #335 & #336
Duplicated by #339
Issues:
- PHP regenerates the session ID if it is not compliant
- the regex checking the session ID does not cover all cases
- different algorithms: md5, sha1, sha256, etc.
- `session.hash_bits_per_character` values: 4, 5, 6 (each yields a different character set)
Fix:
- `index.php`:
- remove `uniqid()` usage
- call `session_regenerate_id()` if an invalid cookie is detected
- regex: support all possible characters - '[a-zA-Z,-]{2,128}'
- tests: add coverage for all algorithms & bit representations
See:
- http://php.net/manual/en/session.configuration.php#ini.session.hash-function
- https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character
- http://php.net/manual/en/function.session-id.php
- http://php.net/manual/en/function.session-regenerate-id.php
- http://php.net/manual/en/function.hash-algos.php
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'index.php')
-rwxr-xr-x | index.php | 10 |
1 files changed, 6 insertions, 4 deletions
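--- a/index.php
+++ b/index.php
@@ -92,16 +92,18 @@ ini_set('session.use_only_cookies', 1);
 // Prevent PHP form using sessionID in URL if cookies are disabled.
 ini_set('session.use_trans_sid', false);
 
-// Regenerate session id if invalid or not defined in cookie.
-if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
-    $_COOKIE['shaarli'] = uniqid();
-}
 session_name('shaarli');
 // Start session if needed (Some server auto-start sessions).
 if (session_id() == '') {
     session_start();
 }
 
+// Regenerate session ID if invalid or not defined in cookie.
+if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
+    session_regenerate_id(true);
+    $_COOKIE['shaarli'] = session_id();
+}
+
 include "inc/rain.tpl.class.php"; //include Rain TPL
 raintpl::$tpl_dir = $GLOBALS['config']['RAINTPL_TPL']; // template directory
 raintpl::$cache_dir = $GLOBALS['config']['RAINTPL_TMP']; // cache directory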
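Review bot: The validity check now runs after `session_start()` (new lines 101-105 vs. 96-99), so a malformed `shaarli` cookie has already been handed to the session save handler by the time `is_session_id_valid()` rejects it; if PHP refuses the ID at start (the files handler rejects keys outside `[a-zA-Z0-9,-]` or longer than 128 chars), no session is active and `session_regenerate_id(true)` on line 103 only raises a warning, so the #306 warning likely survives in exactly that case. Moving the check in front of the start and dropping the bad cookie lets PHP mint a fresh ID itself (see below); the `if (session_id() == '')` guard and the auto-start case stay as they are. Separately, a well-formed attacker-chosen ID is still accepted verbatim because nothing here enables strict mode; adding `ini_set('session.use_strict_mode', 1);` next to `use_only_cookies` (PHP ≥ 5.5.2) closes that fixation path. `is_session_id_valid()` and the PHP version targeted are not visible in this hunk, so confirm the save-handler behaviour against the deployment before relying on either change.
```php
session_name('shaarli');
// Drop a malformed cookie before the session starts so PHP issues a fresh ID
// instead of passing the bad value to the save handler.
if (isset($_COOKIE['shaarli']) && !is_session_id_valid($_COOKIE['shaarli'])) {
    unset($_COOKIE['shaarli']);
}
// … unchanged: session_start() guard, Rain TPL setup …
```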