moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-05 00:46:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixed session fixation prevention that was broken after cookieless patch SC#205

Browse source
This commit is contained in:
skodak 2005-12-28 19:05:46 +00:00
parent 9e1c2ba45c
commit 16303ee905
1 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

14
lib/setup.php
View file

@ -330,8 +330,9 @@ $CFG->httpswwwroot = $CFG->wwwroot;
class object {}; class object {};
if (empty($CFG->usesid) && !empty($_COOKIE['MoodleSession'.$CFG->sessioncookie]) ) //discard session ID from POST, GET and globals to tighten security,
{ //this session fixation prevention can not be used in cookieless mode
if (empty($CFG->usesid)) {
unset(${'MoodleSession'.$CFG->sessioncookie}); unset(${'MoodleSession'.$CFG->sessioncookie});
unset($_GET['MoodleSession'.$CFG->sessioncookie]); unset($_GET['MoodleSession'.$CFG->sessioncookie]);
unset($_POST['MoodleSession'.$CFG->sessioncookie]); unset($_POST['MoodleSession'.$CFG->sessioncookie]);
@ -343,8 +344,7 @@ $CFG->httpswwwroot = $CFG->wwwroot;
if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] == "deleted") { if (!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] == "deleted") {
unset($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]); unset($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]);
} }
if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) if (!empty($CFG->usesid) && empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
{
require_once("$CFG->dirroot/lib/cookieless.php"); require_once("$CFG->dirroot/lib/cookieless.php");
sid_start_ob(); sid_start_ob();
} }
@ -409,10 +409,10 @@ $CFG->httpswwwroot = $CFG->wwwroot;
theme_setup(); // Sets up theme global variables theme_setup(); // Sets up theme global variables
/// now do a session test to prevent random user switching /// now do a session test to prevent random user switching - observed on some PHP/Apache combinations,
/// disable checks when working in cookieless mode
if (empty($CFG->usesid) || !empty($_COOKIE['MoodleSession'.$CFG->sessioncookie])) {
if ($SESSION != NULL) { if ($SESSION != NULL) {
//only do test if MoodleSessionTest cookie is set and usesid is on, or when usesid is off
if ((!empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie]) && !empty($CFG->usesid))||empty($CFG->usesid) ) {
if (empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) { if (empty($_COOKIE['MoodleSessionTest'.$CFG->sessioncookie])) {
report_session_error(); report_session_error();
} else if (isset($SESSION->session_test) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] != $SESSION->session_test) { } else if (isset($SESSION->session_test) && $_COOKIE['MoodleSessionTest'.$CFG->sessioncookie] != $SESSION->session_test) {