fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-12 13:32:16 +09:00
Code Issues Projects Releases Packages Wiki Activity

Do not check security keys if session was started on Android webview

Browse source
This commit is contained in:
Kijin Sung 2017-02-13 16:53:30 +09:00
parent ba925150a3
commit aeb42891b0
1 changed files with 11 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

14
common/framework/session.php
View file

@ -110,6 +110,12 @@ class Session
list($key1, $key2, self::$_autologin_key) = self::_getKeys(); list($key1, $key2, self::$_autologin_key) = self::_getKeys();
$must_create = $must_refresh = $must_resend_keys = false; $must_create = $must_refresh = $must_resend_keys = false;
// Check whether the visitor uses Android webview.
if (!isset($_SESSION['is_webview']))
{
$_SESSION['is_webview'] = UA::getBrowserInfo()->browser === 'Android' ? true : false;
}
// Validate the HTTP key. // Validate the HTTP key.
if (isset($_SESSION['RHYMIX']) && $_SESSION['RHYMIX']) if (isset($_SESSION['RHYMIX']) && $_SESSION['RHYMIX'])
{ {
@ -125,7 +131,7 @@ class Session
{ {
$must_resend_keys = true; $must_resend_keys = true;
} }
elseif (!$relax_key_checks) elseif (!$relax_key_checks && !$_SESSION['is_webview'])
{ {
// Hacked session! Destroy everything. // Hacked session! Destroy everything.
trigger_error('Session is invalid (missing key 1)', \E_USER_WARNING); trigger_error('Session is invalid (missing key 1)', \E_USER_WARNING);
@ -154,7 +160,7 @@ class Session
{ {
$must_resend_keys = true; $must_resend_keys = true;
} }
elseif (!$relax_key_checks) elseif (!$relax_key_checks && !$_SESSION['is_webview'])
{ {
// Hacked session! Destroy everything. // Hacked session! Destroy everything.
trigger_error('Session is invalid (missing key 2)', \E_USER_WARNING); trigger_error('Session is invalid (missing key 2)', \E_USER_WARNING);
@ -181,6 +187,7 @@ class Session
$_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = false; $_SESSION['RHYMIX']['login'] = $_SESSION['member_srl'] = false;
$must_create = true; $must_create = true;
} }
var_dump($_SESSION);
// Create or refresh the session if needed. // Create or refresh the session if needed.
if ($must_create) if ($must_create)
@ -356,6 +363,7 @@ class Session
$_SESSION['RHYMIX']['timezone'] = DateTime::getTimezoneForCurrentUser(); $_SESSION['RHYMIX']['timezone'] = DateTime::getTimezoneForCurrentUser();
$_SESSION['RHYMIX']['secret'] = Security::getRandom(32, 'alnum'); $_SESSION['RHYMIX']['secret'] = Security::getRandom(32, 'alnum');
$_SESSION['RHYMIX']['tokens'] = array(); $_SESSION['RHYMIX']['tokens'] = array();
$_SESSION['is_webview'] = UA::getBrowserInfo()->browser === 'Android' ? true : false;
$_SESSION['is_logged'] = false; $_SESSION['is_logged'] = false;
$_SESSION['is_admin'] = ''; $_SESSION['is_admin'] = '';
@ -1033,7 +1041,7 @@ class Session
unset($_COOKIE['rx_sesskey1']); unset($_COOKIE['rx_sesskey1']);
} }
// Set or delete the HTTPS-only key. // Set the HTTPS-only key.
if (\RX_SSL && isset($_SESSION['RHYMIX']['keys'][$domain]['key2'])) if (\RX_SSL && isset($_SESSION['RHYMIX']['keys'][$domain]['key2']))
{ {
setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, $domain, true, true); setcookie('rx_sesskey2', $_SESSION['RHYMIX']['keys'][$domain]['key2'], $lifetime, $path, $domain, true, true);