[UTIL] Fix up common_ensure_session()
Give priority to cookies over GET. Make sure session ids have only expected characters (PHP file session handler's limitation). Replace a mostly useless log warning with a debug message.
This commit is contained in:
parent
881ea12f3f
commit
8c939b70cc
@ -287,20 +287,33 @@ function common_ensure_session()
|
||||
if (common_config('sessions', 'handle')) {
|
||||
session_set_save_handler(new InternalSessionHandler(), true);
|
||||
}
|
||||
if (array_key_exists(session_name(), $_GET)) {
|
||||
$id = $_GET[session_name()];
|
||||
} elseif (array_key_exists(session_name(), $_COOKIE)) {
|
||||
$id = $_COOKIE[session_name()];
|
||||
$session_name = session_name();
|
||||
$id = null;
|
||||
foreach ([INPUT_COOKIE, INPUT_GET] as $input_type) {
|
||||
// PHP's session handler only accepts symbols from
|
||||
// "A" to "Z", "a" to "Z", the comma sign and the minus sign.
|
||||
$id = filter_input(
|
||||
$input_type,
|
||||
$session_name,
|
||||
FILTER_VALIDATE_REGEXP,
|
||||
['options' => ['regexp' => '/^[,\-A-Za-z0-9]+$/D']]
|
||||
);
|
||||
// Found the session (null is suspicious, so stop at that also)
|
||||
if ($id !== false) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (isset($id)) {
|
||||
|
||||
if (!is_null($id)) {
|
||||
session_id($id);
|
||||
}
|
||||
session_start();
|
||||
if (!isset($_SESSION['started'])) {
|
||||
if (!array_key_exists('started', $_SESSION)) {
|
||||
$_SESSION['started'] = time();
|
||||
if (!empty($id)) {
|
||||
common_log(LOG_WARNING, 'Session cookie "' . $_COOKIE[session_name()] . '" ' .
|
||||
' is set but started value is null');
|
||||
if (!is_null($id)) {
|
||||
common_debug(
|
||||
'Session cookie "' . $id . '" is set but without a session'
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user