fixed session fixation prevention that was broken after cookieless patch SC#205

skodak 2005-12-28 19:05:46 +00:00
parent 9e1c2ba45c
commit 16303ee905


@ -330,8 +330,9 @@ $CFG->httpswwwroot = $CFG->wwwroot;
class object {};
if (empty($CFG->usesid) && !empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]) )
{
//discard session ID from POST, GET and globals to tighten security,
//this session fixation prevention can not be used in cookieless mode
if (empty($CFG->usesid)) {
unset(${'MoodleSession'.$CFG->sessioncookie});
unset($_GET['MoodleSession'.$CFG->sessioncookie]);
unset($_POST['MoodleSession'.$CFG->sessioncookie]);
@ -343,8 +344,7 @@ $CFG->httpswwwroot = $CFG->wwwroot;
if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] == "deleted") {
unset($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]);
}
if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]))
{
if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
require_once("$CFG->dirroot/lib/cookieless.php");
sid_start_ob();
}
@ -409,10 +409,10 @@ $CFG->httpswwwroot = $CFG->wwwroot;
theme_setup(); // Sets up theme global variables
/// now do a session test to prevent random user switching
if ($SESSION != NULL) {
//only do test if MoodleSessionTest cookie is set and usesid is on, or when usesid is off
if ((!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && !empty($CFG->usesid))||empty($CFG->usesid) ) {
/// now do a session test to prevent random user switching - observed on some PHP/Apache combinations,
/// disable checks when working in cookieless mode
if (empty($CFG->usesid) || !empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
if ($SESSION != NULL) {
if (empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
report_session_error();
} else if (isset($SESSION->session_test) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] != $SESSION->session_test) {