MDL-28630 prevent session breakage caused by incorrect cookie settings

Petr Skoda 2011-08-06 22:22:52 +02:00
parent 3fdc622697
commit 988fc20eef
2 changed files with 32 additions and 3 deletions


@ -48,8 +48,8 @@ $temp->add(new admin_setting_configselect('sessiontimeout', get_string('sessiont
900 => get_string('numminutes', '', 15),
300 => get_string('numminutes', '', 5))));
$temp->add(new admin_setting_configtext('sessioncookie', get_string('sessioncookie', 'admin'), get_string('configsessioncookie', 'admin'), '', PARAM_ALPHANUM));
$temp->add(new admin_setting_configtext('sessioncookiepath', get_string('sessioncookiepath', 'admin'), get_string('configsessioncookiepath', 'admin'), '/', PARAM_LOCALURL));
$temp->add(new admin_setting_configtext('sessioncookiedomain', get_string('sessioncookiedomain', 'admin'), get_string('configsessioncookiedomain', 'admin'), '', PARAM_TEXT, 50));
$temp->add(new admin_setting_configtext('sessioncookiepath', get_string('sessioncookiepath', 'admin'), get_string('configsessioncookiepath', 'admin'), '', PARAM_RAW));
$temp->add(new admin_setting_configtext('sessioncookiedomain', get_string('sessioncookiedomain', 'admin'), get_string('configsessioncookiedomain', 'admin'), '', PARAM_RAW, 50));
$ADMIN->add('server', $temp);
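Review bot: The two rewritten `admin_setting_configtext` lines switch `sessioncookiepath` and `sessioncookiedomain` to `PARAM_RAW`, so nothing is cleaned at the settings form any more and the only remaining safeguard is the wwwroot comparison this commit adds to `session_stub`; that dependency deserves a comment beside the settings so a later edit neither reintroduces form-level cleaning nor drops the runtime check, e.g. `// PARAM_RAW on purpose: both values are validated against $CFG->wwwroot when the session starts and are discarded if they do not match it.` The cookie path default also moves from `'/'` to `''`, which the `session_stub` hunk treats as "derive the path from wwwroot"; the `configsessioncookiepath` help string should say that an empty value means autodetect, otherwise an admin will read the blank field as no path at all. It is only inferred from the two sections shown that `session_stub` is the sole consumer of these values, so confirm no other code reads them before relying on `PARAM_RAW` alone.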


@ -279,11 +279,40 @@ abstract class session_stub implements moodle_session {
if (!isset($CFG->sessioncookie)) {
$CFG->sessioncookie = '';
}
// make sure cookie domain makes sense for this wwwroot
if (!isset($CFG->sessioncookiedomain)) {
$CFG->sessioncookiedomain = '';
} else if ($CFG->sessioncookiedomain !== '') {
$host = parse_url($CFG->wwwroot, PHP_URL_HOST);
if ($CFG->sessioncookiedomain !== $host) {
if (substr($CFG->sessioncookiedomain, 0, 1) === '.') {
if (!preg_match('|^.*'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
// invalid domain - it must be end part of host
$CFG->sessioncookiedomain = '';
}
} else {
if (!preg_match('|^.*\.'.preg_quote($CFG->sessioncookiedomain, '|').'$|', $host)) {
// invalid domain - it must be end part of host
$CFG->sessioncookiedomain = '';
}
}
}
}
// make sure the cookiepath is valid for this wwwroot or autodetect if not specified
if (!isset($CFG->sessioncookiepath)) {
$CFG->sessioncookiepath = '/';
$CFG->sessioncookiepath = '';
}
if ($CFG->sessioncookiepath !== '/') {
$path = parse_url($CFG->wwwroot, PHP_URL_PATH).'/';
if ($CFG->sessioncookiepath === '') {
$CFG->sessioncookiepath = $path;
} else {
if (strpos($path, $CFG->sessioncookiepath) !== 0 or substr($CFG->sessioncookiepath, -1) !== '/') {
$CFG->sessioncookiepath = $path;
}
}
}
//discard session ID from POST, GET and globals to tighten security,