-rw-r--r--HISTORY1
-rw-r--r--framework/Exceptions/messages/messages-fr.txt1
-rw-r--r--framework/Exceptions/messages/messages-id.txt1
-rw-r--r--framework/Exceptions/messages/messages-zh.txt1
-rw-r--r--framework/Exceptions/messages/messages.txt1
-rw-r--r--framework/Web/THttpRequest.php6
-rw-r--r--framework/Web/THttpSession.php12
7 files changed, 17 insertions, 6 deletions
diff --git a/HISTORY b/HISTORY
index e8256553..e602d3b7 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,5 +1,6 @@
Version 3.1.7 To be released
BUG: Issue#80 - Inconsistencies in TRegularExpressionValidator (Christophe)
+BUG: Issue#86 - THttpSession.CookieMode ignored / Session ID leak (Christophe)
BUG: Issue#151 - TTextBox fails to display inital line break (Yves)
BUG: Issue#153 - Bug with calls like MyActiveRedorc->withText()->withUser()->find(...) and null result (Christophe)
BUG: Issue#157 - Enabled does not work properly on TActiveRadioButton/CheckBoxList controls (Bradley, Carl)
diff --git a/framework/Exceptions/messages/messages-fr.txt b/framework/Exceptions/messages/messages-fr.txt
index 82507b1a..5dce3812 100644
--- a/framework/Exceptions/messages/messages-fr.txt
+++ b/framework/Exceptions/messages/messages-fr.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart ne peut pas être m
httpsession_gcprobability_unchangeable = THttpSession.GCProbability ne peut pas être modifié après que la session ait démarré.
httpsession_gcprobability_invalid = THttpSession.GCProbability doit être un entier compris entre 0 et 100.
httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID ne peut pas être modifié après que la session ait démarré.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID ne peut pas être utilisé quand THttpSession.CookieMode est fixé à "Only".
httpsession_maxlifetime_unchangeable = THttpSession.Timeout ne peut pas être modifié après que la session ait démarré.
assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' est invalide. Vérifier qu'il est bien au format 'namespace' et qu'il pointe bien vers un répertoire accessible en écriture par le propriétaire du processus serveur Web
diff --git a/framework/Exceptions/messages/messages-id.txt b/framework/Exceptions/messages/messages-id.txt
index fb57a5ba..61699ddd 100644
--- a/framework/Exceptions/messages/messages-id.txt
+++ b/framework/Exceptions/messages/messages-id.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart tidak bisa diubah se
httpsession_gcprobability_unchangeable = THttpSession.GCProbability tidak bisa diubah setelah sesi dimulai.
httpsession_gcprobability_invalid = THttpSession.GCProbability harus integer antara 0 dan 100.
httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID tidak bisa diubah setelah sesi dimulai.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
httpsession_maxlifetime_unchangeable = THttpSession.Timeout tidak bisa diubah setelah sesi dimulai.
assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' tidak benar. Pastikan ia dalam bentuk namespace dan mengarah ke direktori yang bisa ditulis oleh proses server Web.
diff --git a/framework/Exceptions/messages/messages-zh.txt b/framework/Exceptions/messages/messages-zh.txt
index d9a61083..1859aa92 100644
--- a/framework/Exceptions/messages/messages-zh.txt
+++ b/framework/Exceptions/messages/messages-zh.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart无法被修改,
httpsession_gcprobability_unchangeable = THttpSession.GCProbability无法被修改,因为session已经启动了。
httpsession_gcprobability_invalid = THttpSession.GCProbability必须是个0到100之间的整数。
httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID无法被修改,因为session已经启动了。
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
httpsession_maxlifetime_unchangeable = THttpSession.Timeout无法被修改,因为session已经启动了。
assetmanager_basepath_invalid = TAssetManager.BasePath所指路径“{0}”非法。请确认它以命名空间方式指定,并且它所对应的文件目录可以被Web服务器进程写入。
diff --git a/framework/Exceptions/messages/messages.txt b/framework/Exceptions/messages/messages.txt
index 425979a3..0750c38d 100644
--- a/framework/Exceptions/messages/messages.txt
+++ b/framework/Exceptions/messages/messages.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart cannot be modified
httpsession_gcprobability_unchangeable = THttpSession.GCProbability cannot be modified after the session is started.
httpsession_gcprobability_invalid = THttpSession.GCProbability must be an integer between 0 and 100.
httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID cannot be modified after the session is started.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
httpsession_maxlifetime_unchangeable = THttpSession.Timeout cannot be modified after the session is started.
assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' is invalid. Make sure it is in namespace form and points to a directory writable by the Web server process.
diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 7100a4c5..c3926d08 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -105,7 +105,7 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
/**
* @var boolean whether the session ID should be kept in cookie only
*/
- private $_cookieOnly=false;
+ private $_cookieOnly=null;
private $_urlFormat=THttpRequestUrlFormat::Get;
private $_services;
private $_requestResolved=false;
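Review bot: The docblock at the top of this hunk still says `@var boolean` although the field is now tri-state, with `null` meaning "not yet read from the session ini settings"; update it to `@var boolean|null whether the session ID should be kept in cookie only; null until resolved lazily from session.use_cookies/session.use_only_cookies`. Without that, a reader seeing `$this->_cookieOnly` tested as a boolean elsewhere would not know that a falsy null means "unknown" rather than "not cookie-only".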
@@ -172,8 +172,6 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
$_SERVER['HTTP_USER_AGENT']='';
}
- $this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
-
// Info about server variables:
// PHP_SELF contains real URI (w/ path info, w/o query string)
// SCRIPT_NAME is the real URI for the requested script (w/o path info and query string)
@@ -568,6 +566,8 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
*/
public function constructUrl($serviceID,$serviceParam,$getItems=null,$encodeAmpersand=true,$encodeGetItems=true)
{
+ if ($this->_cookieOnly===null)
+ $this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
$url=$this->_urlManager->constructUrl($serviceID,$serviceParam,$getItems,$encodeAmpersand,$encodeGetItems);
if(defined('SID') && SID != '' && !$this->_cookieOnly)
return $url . (strpos($url,'?')===false? '?' : ($encodeAmpersand?'&':'&')) . SID;
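Review bot: The lazy initialisation added at the top of constructUrl caches `_cookieOnly` for the lifetime of the request after the first call, so if the session component changes `session.use_cookies`/`session.use_only_cookies` after a URL has already been built, later URLs keep the stale decision and may still append SID. Since `ini_get` is cheap, the simpler and safer form is to drop the cache and evaluate `$cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');` on every call, or to reset `_cookieOnly` to null whenever the session settings change. Note also that the append check on the next line ignores `session.use_trans_sid`, so setting UseTransparentSessionID=false alone does not stop this code from appending SID; only a cookie-only configuration does, which is worth stating in the method's docblock. The `SID != ''` comparison should be strict: `SID !== ''`. The rest of constructUrl lies outside the hunk.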
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php
index 96d70704..e9f815e5 100644
--- a/framework/Web/THttpSession.php
+++ b/framework/Web/THttpSession.php
@@ -4,7 +4,7 @@
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link http://www.pradosoft.com/
- * @copyright Copyright &copy; 2005-2008 PradoSoft
+ * @copyright Copyright &copy; 2005-2008 PradoSoft
* @license http://www.pradosoft.com/license/
* @version $Id$
* @package System.Web
@@ -115,7 +115,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
if($this->_autoStart)
$this->open();
$this->_initialized=true;
- $this->getApplication()->setSession($this);
+ $this->getApplication()->setSession($this);
register_shutdown_function(array($this, "close"));
}
@@ -296,6 +296,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
{
ini_set('session.use_cookies','1');
ini_set('session.use_only_cookies','1');
+ ini_set('session.use_trans_sid', 0);
}
}
}
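Review bot: The new `ini_set('session.use_trans_sid', 0)` passes an int where the two neighbouring calls pass strings; for consistency use `ini_set('session.use_trans_sid','0');`. The enclosing method starts outside the hunk, so it is not visible whether the other CookieMode branches restore `session.use_trans_sid` to the value UseTransparentSessionID requested; if they do not, switching away from Only leaves transparent session IDs disabled silently. A short comment such as `// cookie-only mode must also disable URL-based session IDs, or the ID leaks into links` would record why this line belongs here.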
@@ -366,7 +367,12 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
if($this->_started)
throw new TInvalidOperationException('httpsession_transid_unchangeable');
else
- ini_set('session.use_trans_sid',TPropertyValue::ensureBoolean($value)?'1':'0');
+ {
+ $value=TPropertyValue::ensureBoolean($value);
+ if ($value && $this->getCookieMode()==THttpSessionCookieMode::Only)
+ throw new TInvalidOperationException('httpsession_transid_cookieonly');
+ ini_set('session.use_trans_sid',$value?'1':'0');
+ }
}
/**
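Review bot: The new comparison `$this->getCookieMode()==THttpSessionCookieMode::Only` uses loose equality; if the mode constants are strings, `===` avoids PHP's loose-comparison surprises — `if($value && $this->getCookieMode()===THttpSessionCookieMode::Only)`. The `if (` spacing also differs from the `if(` style used two lines above in the same method. The method's signature and docblock are outside the hunk; the docblock should gain `@throws TInvalidOperationException if the session is started or CookieMode is Only`, since callers that previously only saw the started-check now have a second failure mode.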