From b1f71c1b816615bb8e38728a1c76051c1ef7517f Mon Sep 17 00:00:00 2001
From: "Christophe.Boulain" <>
Date: Thu, 14 Jan 2010 12:42:44 +0000
Subject: Fixed Issue#86

---
 HISTORY | 1 +
 framework/Exceptions/messages/messages-fr.txt | 1 +
 framework/Exceptions/messages/messages-id.txt | 1 +
 framework/Exceptions/messages/messages-zh.txt | 1 +
 framework/Exceptions/messages/messages.txt | 1 +
 framework/Web/THttpRequest.php | 6 +++---
 framework/Web/THttpSession.php | 12 +++++++++---
 7 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/HISTORY b/HISTORY
index e8256553..e602d3b7 100644
--- a/HISTORY
+++ b/HISTORY
@@ -1,5 +1,6 @@
 Version 3.1.7 To be released
 BUG: Issue#80 - Inconsistencies in TRegularExpressionValidator (Christophe)
+BUG: Issue#86 - THttpSession.CookieMode ignored / Session ID leak (Christophe)
 BUG: Issue#151 - TTextBox fails to display inital line break (Yves)
 BUG: Issue#153 - Bug with calls like MyActiveRedorc->withText()->withUser()->find(...) and null result (Christophe)
 BUG: Issue#157 - Enabled does not work properly on TActiveRadioButton/CheckBoxList controls (Bradley, Carl)
diff --git a/framework/Exceptions/messages/messages-fr.txt b/framework/Exceptions/messages/messages-fr.txt
index 82507b1a..5dce3812 100644
--- a/framework/Exceptions/messages/messages-fr.txt
+++ b/framework/Exceptions/messages/messages-fr.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart ne peut pas être m
 httpsession_gcprobability_unchangeable = THttpSession.GCProbability ne peut pas être modifié après que la session ait démarré.
 httpsession_gcprobability_invalid = THttpSession.GCProbability doit être un entier compris entre 0 et 100.
 httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID ne peut pas être modifié après que la session ait démarré.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID ne peut pas être utilisé quand THttpSession.CookieMode est fixé à "Only".
 httpsession_maxlifetime_unchangeable = THttpSession.Timeout ne peut pas être modifié après que la session ait démarré.
 
 assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' est invalide. Vérifier qu'il est bien au format 'namespace' et qu'il pointe bien vers un répertoire accessible en écriture par le propriétaire du processus serveur Web
diff --git a/framework/Exceptions/messages/messages-id.txt b/framework/Exceptions/messages/messages-id.txt
index fb57a5ba..61699ddd 100644
--- a/framework/Exceptions/messages/messages-id.txt
+++ b/framework/Exceptions/messages/messages-id.txt
@@ -71,6 +71,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart tidak bisa diubah se
 httpsession_gcprobability_unchangeable = THttpSession.GCProbability tidak bisa diubah setelah sesi dimulai.
 httpsession_gcprobability_invalid = THttpSession.GCProbability harus integer antara 0 dan 100.
 httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID tidak bisa diubah setelah sesi dimulai.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
 httpsession_maxlifetime_unchangeable = THttpSession.Timeout tidak bisa diubah setelah sesi dimulai.
 
 assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' tidak benar. Pastikan ia dalam bentuk namespace dan mengarah ke direktori yang bisa ditulis oleh proses server Web.
diff --git a/framework/Exceptions/messages/messages-zh.txt b/framework/Exceptions/messages/messages-zh.txt
index d9a61083..1859aa92 100644
--- a/framework/Exceptions/messages/messages-zh.txt
+++ b/framework/Exceptions/messages/messages-zh.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart无法被修改,
 httpsession_gcprobability_unchangeable = THttpSession.GCProbability无法被修改,因为session已经启动了。
 httpsession_gcprobability_invalid = THttpSession.GCProbability必须是个0到100之间的整数。
 httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID无法被修改,因为session已经启动了。
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
 httpsession_maxlifetime_unchangeable = THttpSession.Timeout无法被修改,因为session已经启动了。
 
 assetmanager_basepath_invalid = TAssetManager.BasePath所指路径“{0}”非法。请确认它以命名空间方式指定,并且它所对应的文件目录可以被Web服务器进程写入。
diff --git a/framework/Exceptions/messages/messages.txt b/framework/Exceptions/messages/messages.txt
index 425979a3..0750c38d 100644
--- a/framework/Exceptions/messages/messages.txt
+++ b/framework/Exceptions/messages/messages.txt
@@ -76,6 +76,7 @@ httpsession_autostart_unchangeable = THttpSession.AutoStart cannot be modified
 httpsession_gcprobability_unchangeable = THttpSession.GCProbability cannot be modified after the session is started.
 httpsession_gcprobability_invalid = THttpSession.GCProbability must be an integer between 0 and 100.
 httpsession_transid_unchangeable = THttpSession.UseTransparentSessionID cannot be modified after the session is started.
+httpsession_transid_cookieonly = THttpSession.UseTransparentSessionID cannot be set when THttpSession.CookieMode is set to Only.
 httpsession_maxlifetime_unchangeable = THttpSession.Timeout cannot be modified after the session is started.
 
 assetmanager_basepath_invalid = TAssetManager.BasePath '{0}' is invalid. Make sure it is in namespace form and points to a directory writable by the Web server process.
diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 7100a4c5..c3926d08 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -105,7 +105,7 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 /**
 * @var boolean whether the session ID should be kept in cookie only
 */
- private $_cookieOnly=false;
+ private $_cookieOnly=null;
 private $_urlFormat=THttpRequestUrlFormat::Get;
 private $_services;
 private $_requestResolved=false;
@@ -172,8 +172,6 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 $_SERVER['HTTP_USER_AGENT']='';
 }
 
- $this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
-
 // Info about server variables:
 // PHP_SELF contains real URI (w/ path info, w/o query string)
 // SCRIPT_NAME is the real URI for the requested script (w/o path info and query string)
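Review bot: The `@var boolean` docblock above `$_cookieOnly` in the -105 hunk of THttpRequest.php no longer matches the field, which the same hunk now initialises to `null`; a reader of the property has no way to know it is tri-state. Change it to `@var boolean|null whether the session ID should be kept in cookie only; null until first evaluated by constructUrl()`. The -172 hunk removes the eager evaluation from init(), so the property docblock is the only place left that can explain when the value becomes meaningful.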
@@ -568,6 +566,8 @@ class THttpRequest extends TApplicationComponent implements IteratorAggregate,Ar
 */
 public function constructUrl($serviceID,$serviceParam,$getItems=null,$encodeAmpersand=true,$encodeGetItems=true)
 {
+ if ($this->_cookieOnly===null)
+ $this->_cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');
 $url=$this->_urlManager->constructUrl($serviceID,$serviceParam,$getItems,$encodeAmpersand,$encodeGetItems);
 if(defined('SID') && SID != '' && !$this->_cookieOnly)
 return $url . (strpos($url,'?')===false? '?' : ($encodeAmpersand?'&':'&')) . SID;
diff --git a/framework/Web/THttpSession.php b/framework/Web/THttpSession.php
index 96d70704..e9f815e5 100644
--- a/framework/Web/THttpSession.php
+++ b/framework/Web/THttpSession.php
@@ -4,7 +4,7 @@
 *
 * @author Qiang Xue
 * @link http://www.pradosoft.com/
- * @copyright Copyright © 2005-2008 PradoSoft
+ * @copyright Copyright © 2005-2008 PradoSoft
 * @license http://www.pradosoft.com/license/
 * @version $Id$
 * @package System.Web
@@ -115,7 +115,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 if($this->_autoStart)
 $this->open();
 $this->_initialized=true;
- $this->getApplication()->setSession($this);
+ $this->getApplication()->setSession($this);
 register_shutdown_function(array($this, "close"));
 }
 
@@ -296,6 +296,7 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 {
 ini_set('session.use_cookies','1');
 ini_set('session.use_only_cookies','1');
+ ini_set('session.use_trans_sid', 0);
 }
 }
 }
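Review bot: The added lines in `constructUrl` cache the ini lookup in `$this->_cookieOnly` on the first call and never re-read it, so if `session.use_only_cookies` is switched on after the first URL has been built (for example by THttpSession::setCookieMode running later in the request), every subsequent URL still gets `SID` appended and the session ID keeps leaking into query strings; this appears to be the same ordering problem the commit is trying to fix by moving the check out of init(). The two `ini_get` calls are cheap, so the simplest fix is to evaluate them on every call, `$cookieOnly=(int)ini_get('session.use_cookies') && (int)ini_get('session.use_only_cookies');` and test `!$cookieOnly` in the existing condition, dropping the memoisation. If the cache is kept deliberately, say so in a comment at the point of assignment, e.g. `// evaluated once per request: cookie mode must be configured before the first URL is built`. The remainder of constructUrl lies outside the hunk.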
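Review bot: The added `ini_set('session.use_trans_sid', 0);` in the -296 hunk of THttpSession.php passes an integer where the two lines above pass the strings `'1'`, and setUseTransparentSessionID in this same commit writes `'0'`; for consistency write `ini_set('session.use_trans_sid','0');`. Disabling trans-sid here is what stops PHP from rewriting the session ID into links and forms when the mode is Only, which deserves a one-line comment such as `// Only: never let PHP rewrite the session ID into URLs`. The enclosing setCookieMode body starts before the hunk and the other cookie-mode branches are not visible, so whether they restore or leave a previous trans-sid setting cannot be checked from here.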
@@ -366,7 +367,12 @@ class THttpSession extends TApplicationComponent implements IteratorAggregate,Ar
 if($this->_started)
 throw new TInvalidOperationException('httpsession_transid_unchangeable');
 else
- ini_set('session.use_trans_sid',TPropertyValue::ensureBoolean($value)?'1':'0');
+ {
+ $value=TPropertyValue::ensureBoolean($value);
+ if ($value && $this->getCookieMode()==THttpSessionCookieMode::Only)
+ throw new TInvalidOperationException('httpsession_transid_cookieonly');
+ ini_set('session.use_trans_sid',$value?'1':'0');
+ }
 }
 
 /**
--
cgit v1.2.3
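Review bot: The new guard in setUseTransparentSessionID compares the cookie mode with loose `==`; `THttpSessionCookieMode::Only` is presumably a class constant, so the strict form `if($value && $this->getCookieMode()===THttpSessionCookieMode::Only)` is safer and also matches the `if(` spacing the file uses two lines above. This check covers the order "CookieMode set first, then UseTransparentSessionID", while the -296 hunk covers the reverse order, so together they keep the session ID out of URLs under Only; that contract should be recorded in the method docblock, which starts outside the hunk, with `@throws TInvalidOperationException if the session is already started or CookieMode is Only`.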