[UTIL] Fix up common_ensure_session()
Give priority to cookies over GET. Make sure session ids have only expected characters (PHP file session handler's limitation). Replace a mostly useless log warning with a debug message.
This commit is contained in:
parent
881ea12f3f
commit
8c939b70cc
@ -287,20 +287,33 @@ function common_ensure_session()
|
|||||||
if (common_config('sessions', 'handle')) {
|
if (common_config('sessions', 'handle')) {
|
||||||
session_set_save_handler(new InternalSessionHandler(), true);
|
session_set_save_handler(new InternalSessionHandler(), true);
|
||||||
}
|
}
|
||||||
if (array_key_exists(session_name(), $_GET)) {
|
$session_name = session_name();
|
||||||
$id = $_GET[session_name()];
|
$id = null;
|
||||||
} elseif (array_key_exists(session_name(), $_COOKIE)) {
|
foreach ([INPUT_COOKIE, INPUT_GET] as $input_type) {
|
||||||
$id = $_COOKIE[session_name()];
|
// PHP's session handler only accepts symbols from
|
||||||
|
// "A" to "Z", "a" to "Z", the comma sign and the minus sign.
|
||||||
|
$id = filter_input(
|
||||||
|
$input_type,
|
||||||
|
$session_name,
|
||||||
|
FILTER_VALIDATE_REGEXP,
|
||||||
|
['options' => ['regexp' => '/^[,\-A-Za-z0-9]+$/D']]
|
||||||
|
);
|
||||||
|
// Found the session (null is suspicious, so stop at that also)
|
||||||
|
if ($id !== false) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (isset($id)) {
|
|
||||||
|
if (!is_null($id)) {
|
||||||
session_id($id);
|
session_id($id);
|
||||||
}
|
}
|
||||||
session_start();
|
session_start();
|
||||||
if (!isset($_SESSION['started'])) {
|
if (!array_key_exists('started', $_SESSION)) {
|
||||||
$_SESSION['started'] = time();
|
$_SESSION['started'] = time();
|
||||||
if (!empty($id)) {
|
if (!is_null($id)) {
|
||||||
common_log(LOG_WARNING, 'Session cookie "' . $_COOKIE[session_name()] . '" ' .
|
common_debug(
|
||||||
' is set but started value is null');
|
'Session cookie "' . $id . '" is set but without a session'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user