[UTIL] Fix up common_ensure_session()

Give priority to cookies over GET.

Make sure session ids have only expected characters
(PHP file session handler's limitation).

Replace a mostly useless log warning with a debug message.
This commit is contained in:
Alexei Sorokin 2020-08-06 21:54:49 +03:00 committed by Diogo Peralta Cordeiro
parent 881ea12f3f
commit 8c939b70cc


@ -287,20 +287,33 @@ function common_ensure_session()
if (common_config('sessions', 'handle')) { if (common_config('sessions', 'handle')) {
session_set_save_handler(new InternalSessionHandler(), true); session_set_save_handler(new InternalSessionHandler(), true);
} }
if (array_key_exists(session_name(), $_GET)) { $session_name = session_name();
$id = $_GET[session_name()]; $id = null;
} elseif (array_key_exists(session_name(), $_COOKIE)) { foreach ([INPUT_COOKIE, INPUT_GET] as $input_type) {
$id = $_COOKIE[session_name()]; // PHP's session handler only accepts symbols from
// "A" to "Z", "a" to "Z", the comma sign and the minus sign.
$id = filter_input(
$input_type,
$session_name,
FILTER_VALIDATE_REGEXP,
['options' => ['regexp' => '/^[,\-A-Za-z0-9]+$/D']]
);
// Found the session (null is suspicious, so stop at that also)
if ($id !== false) {
break;
} }
if (isset($id)) { }
if (!is_null($id)) {
session_id($id); session_id($id);
} }
session_start(); session_start();
if (!isset($_SESSION['started'])) { if (!array_key_exists('started', $_SESSION)) {
$_SESSION['started'] = time(); $_SESSION['started'] = time();
if (!empty($id)) { if (!is_null($id)) {
common_log(LOG_WARNING, 'Session cookie "' . $_COOKIE[session_name()] . '" ' . common_debug(
' is set but started value is null'); 'Session cookie "' . $id . '" is set but without a session'
);
} }
} }
} }
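Review bot: After the lookup loop, `$id` can still be `false` (cookie and GET both present but failing the regexp), and the two `!is_null($id)` checks then hand `false` to `session_id()` — coerced to an empty string, or a TypeError under strict_types — and emit a misleading `Session cookie ""` debug line. Because `filter_input()` returns null for an absent variable, the `$id !== false` break also stops at a missing cookie, so INPUT_GET is only consulted when a cookie exists but is invalid; if that is intended (URL-carried ids are the fixation-prone path), the loop is unnecessary, otherwise the break should be `if (is_string($id)) { break; }` followed by `$id = is_string($id) ? $id : null;` after the loop so that only a validated string reaches `session_id()`. The comment above the filter call should read `"a" to "z", the digits "0" to "9", the comma and the minus sign` rather than `"a" to "Z"`. common_ensure_session() begins before the hunk.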