fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-30 16:49:58 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix miscellaneous bugs and improve security of Session class

Browse source
This commit is contained in:
Kijin Sung 2016-08-19 23:07:11 +09:00
parent 02a45ece9a
commit ab3d1b5fd6
1 changed files with 40 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

52
common/framework/session.php
View file

@ -94,17 +94,18 @@ class Session
// Validate the HTTP key. // Validate the HTTP key.
if (isset($_SESSION['RHYMIX']) && $_SESSION['RHYMIX']) if (isset($_SESSION['RHYMIX']) && $_SESSION['RHYMIX'])
{ {
if ($_SESSION['RHYMIX']['keys'][$domain]['key1'] === $key1) if ($_SESSION['RHYMIX']['keys'][$domain]['key1'] === $key1 && $key1 !== null)
{ {
// OK // OK
} }
elseif ($_SESSION['RHYMIX']['keys'][$domain]['key1_prev'] === $key1) elseif ($_SESSION['RHYMIX']['keys'][$domain]['key1_prev'] === $key1 && $key1 !== null)
{ {
return 2;
$must_resend_keys = true; $must_resend_keys = true;
} }
elseif (!$relax_key_checks) elseif (!$relax_key_checks)
{ {
unset($_SESSION['RHYMIX']); $_SESSION = array();
$must_create = true; $must_create = true;
} }
} }
@ -120,17 +121,17 @@ class Session
{ {
$must_refresh = true; $must_refresh = true;
} }
elseif ($_SESSION['RHYMIX']['keys'][$domain]['key2'] === $key2) elseif ($_SESSION['RHYMIX']['keys'][$domain]['key2'] === $key2 && $key2 !== null)
{ {
// OK // OK
} }
elseif ($_SESSION['RHYMIX']['keys'][$domain]['key2_prev'] === $key2) elseif ($_SESSION['RHYMIX']['keys'][$domain]['key2_prev'] === $key2 && $key2 !== null)
{ {
$must_resend_keys = true; $must_resend_keys = true;
} }
elseif (!$relax_key_checks) elseif (!$relax_key_checks)
{ {
unset($_SESSION['RHYMIX']); $_SESSION = array();
$must_create = true; $must_create = true;
} }
} }
@ -259,8 +260,10 @@ class Session
{ {
unset($_SESSION['RHYMIX']); unset($_SESSION['RHYMIX']);
self::$_started = false; self::$_started = false;
self::$_member_info = false;
self::_setKeys(); self::_setKeys();
session_destroy(); session_destroy();
return true;
} }
/** /**
@ -285,7 +288,8 @@ class Session
$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = $member_srl; $_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = $member_srl;
$_SESSION['is_logged'] = (bool)$member_srl; $_SESSION['is_logged'] = (bool)$member_srl;
self::refresh(); self::$_member_info = false;
return self::refresh();
} }
/** /**
@ -299,7 +303,8 @@ class Session
{ {
$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = false; $_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = false;
$_SESSION['is_logged'] = false; $_SESSION['is_logged'] = false;
self::destroy(); self::$_member_info = false;
return self::destroy();
} }
/** /**
@ -391,13 +396,33 @@ class Session
} }
// Create a member info object. // Create a member info object.
if (!self::$_member_info) if (!self::$_member_info || self::$_member_info->member_srl != $member_srl)
{ {
!self::$_member_info = getModel('member')->getMemberInfoByMemberSrl($member_srl); self::$_member_info = getModel('member')->getMemberInfoByMemberSrl($member_srl);
} }
// Return the member info object. // Return the member info object.
return self::$_member_info; if (self::$_member_info == new \stdClass)
{
return false;
}
else
{
return self::$_member_info;
}
}
/**
* Set the member info.
*
* This method is for debugging and testing purposes only.
*
* @param object $member_info
* @return void
*/
public static function setMemberInfo($member_info)
{
self::$_member_info = $member_info;
} }
/** /**
@ -557,7 +582,7 @@ class Session
public static function decrypt($ciphertext) public static function decrypt($ciphertext)
{ {
$key = $_SESSION['RHYMIX']['secret'] . Config::get('crypto.encryption_key'); $key = $_SESSION['RHYMIX']['secret'] . Config::get('crypto.encryption_key');
return Security::encrypt($ciphertext, $key); return Security::decrypt($ciphertext, $key);
} }
/** /**
@ -595,6 +620,7 @@ class Session
{ {
$key2 = $_COOKIE['rx_sesskey2']; $key2 = $_COOKIE['rx_sesskey2'];
} }
return array($key1, $key1 === null ? null : $key2); return array($key1, $key1 === null ? null : $key2);
} }
@ -627,5 +653,7 @@ class Session
setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, $domain, true, true); setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, $domain, true, true);
$_COOKIE['rx_sesskey2'] = $_SESSION['RHYMIX']['keys'][$domain]['key2']; $_COOKIE['rx_sesskey2'] = $_SESSION['RHYMIX']['keys'][$domain]['key2'];
} }
return true;
} }
} }