Rename session.override_domains to session.conflict_domains

- 설정 이름을 바꾸어 기존에 설정된 것 무효화
- 도메인 없이 setcookie()하는 부분을 모두 찾아 도메인 지정
Kijin Sung 2020-03-30 23:02:14 +09:00
parent 1d11d4fa1e
commit 95f0caafcc


@ -295,7 +295,7 @@ class Session
if(!$is_default_domain && !\Context::get('sso_response') && $_COOKIE['sso'] !== md5($current_domain)) if(!$is_default_domain && !\Context::get('sso_response') && $_COOKIE['sso'] !== md5($current_domain))
{ {
// Set sso cookie to prevent multiple simultaneous SSO validation requests. // Set sso cookie to prevent multiple simultaneous SSO validation requests.
setcookie('sso', md5($current_domain), 0, '/', null, !!config('session.use_ssl'), true); setcookie('sso', md5($current_domain), 0, '/', $domain, !!config('session.use_ssl'), true);
// Redirect to the default site. // Redirect to the default site.
$sso_request = Security::encrypt($current_url); $sso_request = Security::encrypt($current_url);
@ -501,10 +501,10 @@ class Session
// Delete all cookies. // Delete all cookies.
self::_setKeys(); self::_setKeys();
self::destroyAutologinKeys(); self::destroyAutologinKeys();
setcookie(session_name(), 'deleted', time() - 86400, $path, null, false, false); setcookie(session_name(), 'deleted', time() - 86400, $path, $domain, false, false);
setcookie('xe_logged', 'deleted', time() - 86400, $path, null, false, false); setcookie('xe_logged', 'deleted', time() - 86400, $path, $domain, false, false);
setcookie('xeak', 'deleted', time() - 86400, $path, null, false, false); setcookie('xeak', 'deleted', time() - 86400, $path, $domain, false, false);
setcookie('sso', 'deleted', time() - 86400, $path, null, false, false); setcookie('sso', 'deleted', time() - 86400, $path, $domain, false, false);
self::destroyCookiesFromConflictingDomains(array('xe_logged', 'xeak', 'sso')); self::destroyCookiesFromConflictingDomains(array('xe_logged', 'xeak', 'sso'));
unset($_COOKIE[session_name()]); unset($_COOKIE[session_name()]);
unset($_COOKIE['rx_autologin']); unset($_COOKIE['rx_autologin']);
@ -1084,19 +1084,19 @@ class Session
// Set or destroy the HTTP-only key. // Set or destroy the HTTP-only key.
if (isset($_SESSION['RHYMIX']['keys'][$domain]['key1'])) if (isset($_SESSION['RHYMIX']['keys'][$domain]['key1']))
{ {
setcookie('rx_sesskey1', $_SESSION['RHYMIX']['keys'][$domain]['key1'], $lifetime, $path, null, $ssl_only, true); setcookie('rx_sesskey1', $_SESSION['RHYMIX']['keys'][$domain]['key1'], $lifetime, $path, $domain, $ssl_only, true);
$_COOKIE['rx_sesskey1'] = $_SESSION['RHYMIX']['keys'][$domain]['key1']; $_COOKIE['rx_sesskey1'] = $_SESSION['RHYMIX']['keys'][$domain]['key1'];
} }
else else
{ {
setcookie('rx_sesskey1', 'deleted', time() - 86400, $path); setcookie('rx_sesskey1', 'deleted', time() - 86400, $path, $domain);
unset($_COOKIE['rx_sesskey1']); unset($_COOKIE['rx_sesskey1']);
} }
// Set the HTTPS-only key. // Set the HTTPS-only key.
if (\RX_SSL && isset($_SESSION['RHYMIX']['keys'][$domain]['key2'])) if (\RX_SSL && isset($_SESSION['RHYMIX']['keys'][$domain]['key2']))
{ {
setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, null, true, true); setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, $domain, true, true);
$_COOKIE['rx_sesskey2'] = $_SESSION['RHYMIX']['keys'][$domain]['key2']; $_COOKIE['rx_sesskey2'] = $_SESSION['RHYMIX']['keys'][$domain]['key2'];
} }
@ -1122,7 +1122,7 @@ class Session
// Set the autologin keys. // Set the autologin keys.
if ($autologin_key && $security_key) if ($autologin_key && $security_key)
{ {
setcookie('rx_autologin', $autologin_key . $security_key, $lifetime, $path, null, $ssl_only, true); setcookie('rx_autologin', $autologin_key . $security_key, $lifetime, $path, $domain, $ssl_only, true);
self::destroyCookiesFromConflictingDomains(array('rx_autologin')); self::destroyCookiesFromConflictingDomains(array('rx_autologin'));
$_COOKIE['rx_autologin'] = $autologin_key . $security_key; $_COOKIE['rx_autologin'] = $autologin_key . $security_key;
return true; return true;
@ -1156,7 +1156,7 @@ class Session
} }
// Delete the autologin cookie. // Delete the autologin cookie.
setcookie('rx_autologin', 'deleted', time() - 86400, $path, null, false, false); setcookie('rx_autologin', 'deleted', time() - 86400, $path, $domain, false, false);
self::destroyCookiesFromConflictingDomains(array('rx_autologin')); self::destroyCookiesFromConflictingDomains(array('rx_autologin'));
unset($_COOKIE['rx_autologin']); unset($_COOKIE['rx_autologin']);
return $result; return $result;
@ -1211,15 +1211,19 @@ class Session
*/ */
public static function destroyCookiesFromConflictingDomains(array $cookies) public static function destroyCookiesFromConflictingDomains(array $cookies)
{ {
$override_domains = config('session.override_domains'); static $conflict_domains = null;
if (!$override_domains) if ($conflict_domains === null)
{
$conflict_domains = config('session.conflict_domains') ?: array();
}
if (!count($conflict_domains))
{ {
return false; return false;
} }
foreach ($cookies as $cookie) foreach ($cookies as $cookie)
{ {
foreach ($override_domains as $domain) foreach ($conflict_domains as $domain)
{ {
setcookie($cookie, 'deleted', time() - 86400, $path, $domain); setcookie($cookie, 'deleted', time() - 86400, $path, $domain);
} }