Merge pull request #6248 from marc1706/ticket/16207

[ticket/16207] Require cookies for sessions

phpBB/phpbb/controller/helper.php

@@ -307,7 +307,7 @@ class helper
 				'TRANSLATION_INFO'		=> $this->language->is_set('TRANSLATION_INFO') ? $this->language->lang('TRANSLATION_INFO') : '',
 				'CREDIT_LINE'			=> $this->language->lang('POWERED_BY', '<a href="https://www.phpbb.com/">phpBB</a>&reg; Forum Software &copy; phpBB Limited'),
 
-				'U_ACP'					=> ($this->auth->acl_get('a_') && !empty($this->user->data['is_registered'])) ? append_sid("{$this->admin_path}index.{$this->php_ext}", false, true, $this->user->session_id) : '',
+				'U_ACP'					=> ($this->auth->acl_get('a_') && !empty($this->user->data['is_registered'])) ? append_sid("{$this->admin_path}index.{$this->php_ext}") : '',
 		]);
 
 		if ($run_cron)

phpBB/phpbb/di/extension/container_configuration.php

@@ -62,6 +62,7 @@ class container_configuration implements ConfigurationInterface
 				->arrayNode('session')
 					->addDefaultsIfNotSet()
 					->children()
+						->booleanNode('force_sid')->defaultValue(false)->end()
 						->booleanNode('log_errors')->defaultValue(false)->end()
 					->end()
 				->end()

phpBB/phpbb/log/log.php

@@ -748,7 +748,7 @@ class log implements \phpbb\log\log_interface
 			{
 				$log[$key]['viewtopic'] = (isset($topic_auth['f_read'][$row['topic_id']])) ? append_sid("{$this->phpbb_root_path}viewtopic.{$this->php_ext}", 'f=' . $topic_auth['f_read'][$row['topic_id']] . '&t=' . $row['topic_id']) : false;
 				$log[$key]['viewpost'] = (isset($topic_auth['f_read'][$row['topic_id']]) && $row['post_id']) ? append_sid("{$this->phpbb_root_path}viewtopic.{$this->php_ext}", 'f=' . $topic_auth['f_read'][$row['topic_id']] . '&t=' . $row['topic_id'] . '&p=' . $row['post_id'] . '#p' . $row['post_id']) : false;
-				$log[$key]['viewlogs'] = (isset($topic_auth['m_'][$row['topic_id']])) ? append_sid("{$this->phpbb_root_path}mcp.{$this->php_ext}", 'i=logs&mode=topic_logs&t=' . $row['topic_id'], true, $this->user->session_id) : false;
+				$log[$key]['viewlogs'] = (isset($topic_auth['m_'][$row['topic_id']])) ? append_sid("{$this->phpbb_root_path}mcp.{$this->php_ext}", 'i=logs&mode=topic_logs&t=' . $row['topic_id']) : false;
 			}
 		}
 

phpBB/phpbb/session.php

@@ -272,8 +272,8 @@ class session
 			$this->cookie_data['k'] = $request->variable($config['cookie_name'] . '_k', '', false, \phpbb\request\request_interface::COOKIE);
 			$this->session_id 		= $request->variable($config['cookie_name'] . '_sid', '', false, \phpbb\request\request_interface::COOKIE);
 
-			$SID = (defined('NEED_SID')) ? '?sid=' . $this->session_id : '?sid=';
-			$_SID = (defined('NEED_SID')) ? $this->session_id : '';
+			$SID = '?sid=';
+			$_SID = '';
 
 			if (empty($this->session_id))
 			{
@@ -343,14 +343,6 @@ class session
 			}
 		}
 
-		// if no session id is set, redirect to index.php
-		$session_id = $request->variable('sid', '');
-		if (defined('NEED_SID') && (empty($session_id) || $this->session_id !== $session_id))
-		{
-			send_status_line(401, 'Unauthorized');
-			redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
-		}
-
 		// if session id is set
 		if (!empty($this->session_id))
 		{
@@ -791,8 +783,11 @@ class session
 		}
 
 		// refresh data
-		$SID = '?sid=' . $this->session_id;
-		$_SID = $this->session_id;
+		if ($phpbb_container->getParameter('session.force_sid'))
+		{
+			$SID = '?sid=' . $this->session_id;
+			$_SID = $this->session_id;
+		}
 		$this->data = array_merge($this->data, $sql_ary);
 
 		if (!$bot)
@@ -833,8 +828,11 @@ class session
 				WHERE user_id = ' . (int) $this->data['user_id'];
 			$db->sql_query($sql);
 
-			$SID = '?sid=';
-			$_SID = '';
+			if ($phpbb_container->getParameter('session.force_sid'))
+			{
+				$SID = '?sid=';
+				$_SID = '';
+			}
 		}
 
 		$session_data = $sql_ary;