Fixed Issue#86

7 files changed, 17 insertions, 6 deletions

diff --git a/HISTORY b/HISTORY
index e8256553..e602d3b7 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,5 +1,6 @@
 Version 3.1.7 To be released
 BUG: Issue#80  - Inconsistencies in TRegularExpressionValidator (Christophe)
+BUG: Issue#86  - THttpSession.CookieMode ignored / Session ID leak (Christophe)
 BUG: Issue#151 - TTextBox fails to display inital line break (Yves)
 BUG: Issue#153 - Bug with calls like MyActiveRedorc->withText()->withUser()->find(...) and null result (Christophe)
 BUG: Issue#157 - Enabled does not work properly on TActiveRadioButton/CheckBoxList controls (Bradley, Carl)
diff --git a/framework/Exceptions/messages/messages-fr.txt b/framework/Exceptions/messages/messages-fr.txt
index 82507b1a..5dce3812 100644
--- a/framework/Exceptions/messages/messages-fr.txt
+++ b/framework/Exceptions/messages/messages-fr.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable		= THttpSession.AutoStart ne peut pas être m
 httpsession_gcprobability_unchangeable	= THttpSession.GCProbability ne peut pas être modifié après que la session ait démarré.
 httpsession_gcprobability_invalid		= THttpSession.GCProbability doit être un entier compris entre 0 et 100.
 httpsession_transid_unchangeable		= THttpSession.UseTransparentSessionID ne peut pas être modifié après que la session ait démarré.
+httpsession_transid_cookieonly			= THttpSession.UseTransparentSessionID ne peut pas être utilisé quand THttpSession.CookieMode est fixé à "Only".
 httpsession_maxlifetime_unchangeable	= THttpSession.Timeout ne peut pas être modifié après que la session ait démarré.
 
 assetmanager_basepath_invalid			= TAssetManager.BasePath '{0}' est invalide. Vérifier qu'il est bien au format 'namespace' et qu'il pointe bien vers un répertoire accessible en écriture par le propriétaire du processus serveur Web
diff --git a/framework/Exceptions/messages/messages-id.txt b/framework/Exceptions/messages/messages-id.txt
index fb57a5ba..61699ddd 100644
--- a/framework/Exceptions/messages/messages-id.txt
+++ b/framework/Exceptions/messages/messages-id.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable	= THttpSession.AutoStart tidak bisa diubah se
 httpsession_gcprobability_unchangeable	= THttpSession.GCProbability tidak bisa diubah setelah sesi dimulai.

 httpsession_gcprobability_invalid	= THttpSession.GCProbability harus integer antara 0 dan 100.

 httpsession_transid_unchangeable	= THttpSession.UseTransparentSessionID tidak bisa diubah setelah sesi dimulai.

+httpsession_transid_cookieonly			= THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.

 httpsession_maxlifetime_unchangeable	= THttpSession.Timeout tidak bisa diubah setelah sesi dimulai.

 

 assetmanager_basepath_invalid		= TAssetManager.BasePath '{0}' tidak benar. Pastikan ia dalam bentuk namespace dan mengarah ke direktori yang bisa ditulis oleh proses server Web.

diff --git a/framework/Exceptions/messages/messages-zh.txt b/framework/Exceptions/messages/messages-zh.txt
index d9a61083..1859aa92 100644
--- a/framework/Exceptions/messages/messages-zh.txt
+++ b/framework/Exceptions/messages/messages-zh.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable		= THttpSession.AutoStart无法被修改，�
 httpsession_gcprobability_unchangeable	= THttpSession.GCProbability无法被修改，因为session已经启动了。
 httpsession_gcprobability_invalid		= THttpSession.GCProbability必须是个0到100之间的整数。
 httpsession_transid_unchangeable		= THttpSession.UseTransparentSessionID无法被修改，因为session已经启动了。
+httpsession_transid_cookieonly			= THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
 httpsession_maxlifetime_unchangeable	= THttpSession.Timeout无法被修改，因为session已经启动了。
 
 assetmanager_basepath_invalid			= TAssetManager.BasePath所指路径“{0}”非法。请确认它以命名空间方式指定，并且它所对应的文件目录可以被Web服务器进程写入。
diff --git a/framework/Exceptions/messages/messages.txt b/framework/Exceptions/messages/messages.txt
index 425979a3..0750c38d 100644
--- a/framework/Exceptions/messages/messages.txt
+++ b/framework/Exceptions/messages/messages.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable		= THttpSession.AutoStart cannot be modified
 httpsession_gcprobability_unchangeable	= THttpSession.GCProbability cannot be modified after the session is started.
 httpsession_gcprobability_invalid		= THttpSession.GCProbability must be an integer between 0 and 100.
 httpsession_transid_unchangeable		= THttpSession.UseTransparentSessionID cannot be modified after the session is started.
+httpsession_transid_cookieonly			= THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
 httpsession_maxlifetime_unchangeable	= THttpSession.Timeout cannot be modified after the session is started.
 
 assetmanager_basepath_invalid			= TAssetManager.BasePath '{0}' is invalid. Make sure it is in namespace form and points to a directory writable by the Web server process.
diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 7100a4c5..c3926d08 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -105,7 +105,7 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 	/**
 	 * @var boolean whether the session ID should be kept in cookie only
 	 */
-	private $_cookieOnly=false;
+	private $_cookieOnly=null;
 	private $_urlFormat=THttpRequestUrlFormat::Get;
 	private $_services;
 	private $_requestResolved=false;
@@ -172,8 +172,6 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 			$_SERVER['HTTP_USER_AGENT']='';
 		}
 
-		$this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
-
 		// Info about server variables:
 		// PHP_SELF contains real URI (w/ path info, w/o query string)
 		// SCRIPT_NAME is the real URI for the requested script (w/o path info and query string)
@@ -568,6 +566,8 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 	 */
 	public function constructUrl($serviceID,$serviceParam,$getItems=null,$encodeAmpersand=true,$encodeGetItems=true)
 	{
+		if ($this->_cookieOnly===null)
+				$this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
 		$url=$this->_urlManager->constructUrl($serviceID,$serviceParam,$getItems,$encodeAmpersand,$encodeGetItems);
 		if(defined('SID') && SID != '' && !$this->_cookieOnly)
 			return $url . (strpos($url,'?')===false? '?' : ($encodeAmpersand?'&':'&')) . SID;
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php
index 96d70704..e9f815e5 100644
--- a/framework/Web/THttpSession.php
+++ b/framework/Web/THttpSession.php
@@ -4,7 +4,7 @@
  *

  * @author Qiang Xue <qiang.xue@gmail.com>

  * @link http://www.pradosoft.com/

- * @copyright Copyright &copy; 2005-2008 PradoSoft
+ * @copyright Copyright &copy; 2005-2008 PradoSoft

  * @license http://www.pradosoft.com/license/

  * @version $Id$

  * @package System.Web

@@ -115,7 +115,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 		if($this->_autoStart)

 			$this->open();

 		$this->_initialized=true;

-		$this->getApplication()->setSession($this);
+		$this->getApplication()->setSession($this);

 		register_shutdown_function(array($this, "close"));

 	}

 

@@ -296,6 +296,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 			{

 				ini_set('session.use_cookies','1');

 				ini_set('session.use_only_cookies','1');

+				ini_set('session.use_trans_sid', 0);

 			}

 		}

 	}

@@ -366,7 +367,12 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 		if($this->_started)

 			throw new TInvalidOperationException('httpsession_transid_unchangeable');

 		else

-			ini_set('session.use_trans_sid',TPropertyValue::ensureBoolean($value)?'1':'0');

+		{

+			$value=TPropertyValue::ensureBoolean($value);

+			if ($value && $this->getCookieMode()==THttpSessionCookieMode::Only)

+					throw new TInvalidOperationException('httpsession_transid_cookieonly');

+			ini_set('session.use_trans_sid',$value?'1':'0');

+		}

 	}

 

 	/**