Shared http/https sessions by rob richards from the forums

2007-02-08 12:08:43 +00:00 · 2007-02-08 12:08:43 +00:00 · 742fd47078
commit 742fd47078
parent a6c06ba22a
6 changed files with 34 additions and 12 deletions
--- a/docs/NEWS
+++ b/docs/NEWS
@ -3,6 +3,11 @@
 Version 1.2 ()
 ------------------------------------------------------------------------

+    * Support shared http/https sessions. Performing admin actions will
+      only be allowed (through tokens) on the protocol that was used for
+      login. Patch by Rob Richards
+      (http://board.s9y.org/viewtopic.php?p=49276)
+
    * Added PDO:PostgreSQL support (Theo Schlossnagle)

    * Dutch translation update with many fixes by Sam Geeraerts
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@ -436,6 +436,12 @@ function serendipity_checkAutologin($ident, $iv) {
    return $cookie;
 }

+function serendipity_setAuthorToken() {
+        $hash = sha1(uniqid(rand(), true));
+        serendipity_setCookie('author_token', $hash);
+        $_SESSION['author_token'] = $hash;
+}
+
 /**
 * Perform user authentication routine
 *
@ -479,7 +485,10 @@ function serendipity_authenticate_author($username = '', $password = '', $is_md5
        $row =& serendipity_db_query($query, true, 'assoc');

        if (is_array($row)) {
-            serendipity_setCookie('old_session', session_id());
+            serendipity_setCookie('old_session', session_id(), false);
+            if (!$is_md5) {
+                serendipity_setAuthorToken();
+            }
            $_SESSION['serendipityUser']        = $serendipity['serendipityUser']         = $username;
            $_SESSION['serendipityRealname']    = $serendipity['serendipityRealname']     = $row['realname'];
            $_SESSION['serendipityPassword']    = $serendipity['serendipityPassword']     = $password;
@ -560,10 +569,14 @@ function serendipity_JSsetCookie($name, $value) {
 * @param   string      The contents of the cookie variable
 * @return null
 */
-function serendipity_setCookie($name,$value) {
+function serendipity_setCookie($name, $value, $securebyprot = true) {
    global $serendipity;

-    $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;
+    if ($securebyprot) {
+        $secure = (strtolower($_SERVER['HTTPS']) == 'on') ? true : false;
+    } else {
+        $secure = false;
+    }
    setcookie("serendipity[$name]", $value, time()+60*60*24*30, $serendipity['serendipityHTTPPath'], $_SERVER['HTTP_HOST'], $secure);
    $_COOKIE[$name] = $value;
    $serendipity['COOKIE'][$name] = $value;
--- a/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php
+++ b/plugins/serendipity_event_templatechooser/serendipity_event_templatechooser.php
@ -60,7 +60,7 @@ class serendipity_event_templatechooser extends serendipity_event

                if (isset($_REQUEST['user_template']) && (in_array($_REQUEST['user_template'], serendipity_fetchTemplates())) ) {
                    $_SESSION['serendipityUseTemplate'] = $_REQUEST['user_template'];
-                    serendipity_setCookie('user_template', $_REQUEST['user_template']);
+                    serendipity_setCookie('user_template', $_REQUEST['user_template'], false);
                }

                if (isset($_SESSION['serendipityUseTemplate']) ) {
--- a/rss.php
+++ b/rss.php
@ -231,7 +231,7 @@ switch($version) {

    case 'atom1.0':
        // For people wanting extra RFC compliance
-        // header('Content-Type: application/atom+xml; charset=utf8');
+        // header('Content-Type: application/atom+xml; charset=utf-8');
        $namespace_hook = 'frontend_display:atom-1.0:namespace';
        break;
 }
--- a/serendipity_admin.php
+++ b/serendipity_admin.php
@ -25,9 +25,17 @@ if (IS_installed === false) {
 if (isset($serendipity['GET']['adminModule']) && $serendipity['GET']['adminModule'] == 'logout') {
    serendipity_logout();
 } else {
-    if (IS_installed === true && !serendipity_userLoggedIn()) {
-        // Try again to log in, this time with enabled external authentication event hook
-        serendipity_login(true);
+    if (IS_installed === true) {
+        /* Check author token to insure session not hijacked */
+        if (!isset($_SESSION['author_token']) || !isset($serendipity['COOKIE']['author_token']) || 
+            ($_SESSION['author_token'] !== $serendipity['COOKIE']['author_token'])) {
+            $_SESSION['serendipityAuthedUser'] = false;
+            @session_destroy();
+        }
+        if (!serendipity_userLoggedIn()) {
+            // Try again to log in, this time with enabled external authentication event hook
+            serendipity_login(true);
+        }
    }
 }

--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@ -9,10 +9,6 @@ if (defined('S9Y_FRAMEWORK')) {
@define('S9Y_FRAMEWORK', true);

 if (!headers_sent()) {
-    if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
-        @ini_set('session.name', 'SSLSID');
-        @ini_set('session.cookie_secure', '1');
-    }
    session_start();
 }