
Bug #19867 » bug_10205_v3.diff

Administrator Admin, 2009-01-23 09:02


t3lib/class.t3lib_userauth.php (Arbeitskopie)
// If new session or client tries to fix session...
if (!$id || !$this->isExistingSessionRecord($id)) {
// New random session-$id is made
$id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
// New session
$id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
// New session
$this->newSessionID = TRUE;
}
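Review bot: The replacement id generated on the new side (line 19) still comes from `substr(md5(uniqid('').getmypid()),0,$this->hash_length)`, i.e. a microtime- and process-id-derived value, not a cryptographic random source, so the existence check closes the fixation path but does not make the fresh id unpredictable. A CSPRNG-backed id would be the stronger choice here, e.g. `$id = substr(bin2hex(random_bytes(32)), 0, $this->hash_length);` on PHP 7+, or whatever secure-random helper the framework version provides. Also worth noting that `$this->isExistingSessionRecord($id)` now issues a database lookup for every request that presents an id, which is the intended cost of the check but should be mentioned in the comment above the `if`. The function enclosing this `if` block starts and ends outside the hunk.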
typo3/sysext/cms/tslib/class.tslib_feuserauth.php (Arbeitskopie)
* @see storeSessionData()
*/
function fetchSessionData() {
// Gets SesData if any
if ($this->id) {
// Gets SesData if any AND if not already selected by session fixation check in ->isExistingSessionRecord()
if ($this->id && !count($this->sesData)) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'fe_session_data', 'hash='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, 'fe_session_data'));
if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
$this->sesData = unserialize($sesDataRow['content']);
......
}
}
}
/**
* Determine whether there's an according session record to a given session_id
* in the database. Don't care if session record is still valid or not.
*
* This calls the parent function but does an additional check:
* On non-authenticated systems ($this->lifetime == 0), look up the session ID in the "fe_session_data" table.
*
* @return boolean
*/
function isExistingSessionRecord($id) {
$count = false;
if ($this->lifetime == 0) {
// Pass if the lifetime is 0 (= it is a non-authenticated user session)
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'content',
'fe_session_data',
'hash=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'fe_session_data')
);
if ($dbres !== false) {
if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
$count = true;
$this->sesData = unserialize($sesDataRow['content']);
}
}
} else {
$count = parent::isExistingSessionRecord($id);
}
return $count;
}
}
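Review bot: isExistingSessionRecord() now has a side effect its docblock does not mention: in the `$this->lifetime == 0` branch it assigns `$this->sesData` from the row it finds (line 59), and fetchSessionData() depends on that through the new `!count($this->sesData)` test (line 30) to skip its own query. The docblock should state this, gain a `@param string $id` line, and correct the sentence "This calls the parent function but does an additional check", since the two branches are exclusive — suggested wording: `When $this->lifetime != 0 the parent check is used; otherwise (non-authenticated session) the ID is looked up in fe_session_data and, as a side effect, its content is loaded into $this->sesData.` A failed `unserialize()` returns false, which `count()` reports as 1 on the PHP versions of this code's era (and rejects with a TypeError on PHP 8), so fetchSessionData() would then skip its query and the session keeps `false` as its data; checking the result before assigning, `if (is_array($data = unserialize($sesDataRow['content']))) { $this->sesData = $data; }`, avoids that. fetchSessionData()'s body is elided by the hunk ("......"), so the remainder of that method was not reviewed.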