Skip to content
Snippets Groups Projects
Commit 2b414f75 authored by Carsten Rose's avatar Carsten Rose
Browse files

Bug #5668 / Broken SIP after login. 

Session.php: After setting the QFQ cookie lifetime AND calling setcookie() after session_start(), the QFQ session remains. Also, skipping Session::clearAll() protects against broken SIP after logout!
parent a7ad3714
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
extension/qfq/qfq/store/Session.php
+ 14
3
View file @ 2b414f75
...@@ -23,23 +23,31 @@ class Session { ...@@ -23,23 +23,31 @@ class Session {
* @throws CodeException * @throws CodeException
*/ */
private function __construct($phpUnit = false) { private function __construct($phpUnit = false) {
if (self::$phpUnit !== null) { if (self::$phpUnit !== null) {
throw new CodeException("Try to set flag phpunit again - that should not happen.", ERROR_CODE_SHOULD_NOT_HAPPEN); throw new CodeException("Try to set flag phpunit again - that should not happen.", ERROR_CODE_SHOULD_NOT_HAPPEN);
} }
self::$phpUnit = $phpUnit; self::$phpUnit = $phpUnit;
if (self::$phpUnit === true) { if (self::$phpUnit === true) {
self::$sessionLocal = array(); self::$sessionLocal = array();
} else { } else {
ini_set('session.cookie_httponly', 1); ini_set('session.cookie_httponly', 1);
$lifetime = 86400; // one day
$path = $this->getSitePath(); $path = $this->getSitePath();
session_set_cookie_params(0, $path); session_set_cookie_params($lifetime, $path);
$currentCookieParams = session_get_cookie_params();
session_name(SESSION_NAME); session_name(SESSION_NAME);
session_start(); session_start();
// Currently, setcookie() is only called to really extend the lifetime. All other parameter needs to be given again.
setcookie(SESSION_NAME, session_id(), time() + $lifetime, $path, $currentCookieParams['domain'], $currentCookieParams['secure'], true);
self::$sessionId = session_id(); self::$sessionId = session_id();
} }
...@@ -62,6 +70,7 @@ class Session { ...@@ -62,6 +70,7 @@ class Session {
$path = $_SERVER['SCRIPT_NAME']; $path = $_SERVER['SCRIPT_NAME'];
$pos = strrpos($path, '/'); $pos = strrpos($path, '/');
if ($pos === false) { if ($pos === false) {
throw new CodeException("Broken _SERVER[SCRIPT_NAME]: $path", ERROR_SESSION_BROKEN_SCRIPT_PATH); throw new CodeException("Broken _SERVER[SCRIPT_NAME]: $path", ERROR_SESSION_BROKEN_SCRIPT_PATH);
} }
...@@ -97,6 +106,7 @@ class Session { ...@@ -97,6 +106,7 @@ class Session {
* Destroy a session - this is only needed in case of attacks * Destroy a session - this is only needed in case of attacks
*/ */
public static function destroy() { public static function destroy() {
session_destroy(); session_destroy();
$_SESSION = array(); $_SESSION = array();
...@@ -116,6 +126,7 @@ class Session { ...@@ -116,6 +126,7 @@ class Session {
* *
*/ */
public static function open() { public static function open() {
if (self::$sessionOpen != true && self::$sessionId != null) { if (self::$sessionOpen != true && self::$sessionId != null) {
session_id(self::$sessionId); session_id(self::$sessionId);
session_start(); session_start();
...@@ -148,9 +159,9 @@ class Session { ...@@ -148,9 +159,9 @@ class Session {
$feUidLoggedIn = $feUserUidSession; $feUidLoggedIn = $feUserUidSession;
} }
if ($feUidLoggedIn !== $feUserUidSession) { if ($feUidLoggedIn != $feUserUidSession) {
// destroy existing session store // destroy existing session store
Session::clearAll(); // Session::clearAll(); // #5668 / Broken SIP after login - is it really a security improvement to destroy the SIP store in case the feUser changes? Probably not.
// save new feUserUid, feUserName // save new feUserUid, feUserName
Session::set(SESSION_FE_USER_UID, $feUidLoggedIn); Session::set(SESSION_FE_USER_UID, $feUidLoggedIn);
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment