mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-04-02 01:52:10 +09:00
Add options to control session keys and SSL-only attribute
This commit is contained in:
Kijin Sung
parent
e7511cdead
commit
b43c653186
7 changed files with 43 additions and 4 deletions
|
|
@ -51,6 +51,8 @@ return array(
|
|||
'session' => array(
|
||||
'delay' => false,
|
||||
'use_db' => false,
|
||||
'use_keys' => true,
|
||||
'use_ssl' => false,
|
||||
'domain' => null,
|
||||
'path' => null,
|
||||
'lifetime' => 0,
|
||||
|
|
|
|||
|
|
@ -76,11 +76,12 @@ class Session
|
|||
|
||||
// Set session parameters.
|
||||
list($lifetime, $refresh_interval, $domain, $path) = self::_getParams();
|
||||
$ssl_only = (\RX_SSL && config('session.use_ssl')) ? true : false;
|
||||
ini_set('session.gc_maxlifetime', $lifetime + 28800);
|
||||
ini_set('session.use_cookies', 1);
|
||||
ini_set('session.use_only_cookies', 1);
|
||||
ini_set('session.use_strict_mode', 1);
|
||||
session_set_cookie_params($lifetime, $path, $domain, false, false);
|
||||
session_set_cookie_params($lifetime, $path, $domain, $ssl_only, false);
|
||||
session_name($session_name = Config::get('session.name') ?: session_name());
|
||||
|
||||
// Get session ID from POST parameter if using relaxed key checks.
|
||||
|
|
@ -109,6 +110,10 @@ class Session
|
|||
// Fetch session keys.
|
||||
list($key1, $key2, self::$_autologin_key) = self::_getKeys();
|
||||
$must_create = $must_refresh = $must_resend_keys = false;
|
||||
if (config('session.use_keys') === false)
|
||||
{
|
||||
$relax_key_checks = true;
|
||||
}
|
||||
|
||||
// Check whether the visitor uses Android webview.
|
||||
if (!isset($_SESSION['is_webview']))
|
||||
|
|
@ -1051,11 +1056,12 @@ class Session
|
|||
// Get session parameters.
|
||||
list($lifetime, $refresh_interval, $domain, $path) = self::_getParams();
|
||||
$lifetime = $lifetime ? ($lifetime + time()) : 0;
|
||||
$ssl_only = (\RX_SSL && config('session.use_ssl')) ? true : false;
|
||||
|
||||
// Set or destroy the HTTP-only key.
|
||||
if (isset($_SESSION['RHYMIX']['keys'][$domain]['key1']))
|
||||
{
|
||||
setcookie('rx_sesskey1', $_SESSION['RHYMIX']['keys'][$domain]['key1'], $lifetime, $path, $domain, false, true);
|
||||
setcookie('rx_sesskey1', $_SESSION['RHYMIX']['keys'][$domain]['key1'], $lifetime, $path, $domain, $ssl_only, true);
|
||||
$_COOKIE['rx_sesskey1'] = $_SESSION['RHYMIX']['keys'][$domain]['key1'];
|
||||
}
|
||||
else
|
||||
|
|
@ -1074,7 +1080,7 @@ class Session
|
|||
// Delete keys from subdomain.
|
||||
if (self::$_subdomain && !isset($_SESSION['RHYMIX']['keys'][self::$_subdomain]['deleted']))
|
||||
{
|
||||
setcookie(session_name(), session_id(), $lifetime, $path, $domain, false, false);
|
||||
setcookie(session_name(), session_id(), $lifetime, $path, $domain, $ssl_only, false);
|
||||
setcookie(session_name(), 'deleted', time() - 86400, $path, self::$_subdomain, false, false);
|
||||
setcookie('rx_sesskey1', 'deleted', time() - 86400, $path, self::$_subdomain, false, false);
|
||||
setcookie('rx_sesskey2', 'deleted', time() - 86400, $path, self::$_subdomain, false, false);
|
||||
|
|
@ -1095,11 +1101,12 @@ class Session
|
|||
// Get session parameters.
|
||||
list($lifetime, $refresh_interval, $domain, $path) = self::_getParams();
|
||||
$lifetime = time() + (86400 * 365);
|
||||
$ssl_only = (\RX_SSL && config('session.use_ssl')) ? true : false;
|
||||
|
||||
// Set or destroy the HTTP-only key.
|
||||
if ($autologin_key && $security_key)
|
||||
{
|
||||
setcookie('rx_autologin', $autologin_key . $security_key, $lifetime, $path, $domain, false, true);
|
||||
setcookie('rx_autologin', $autologin_key . $security_key, $lifetime, $path, $domain, $ssl_only, true);
|
||||
$_COOKIE['rx_autologin'] = $autologin_key . $security_key;
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -834,6 +834,8 @@ class adminAdminController extends admin
|
|||
Rhymix\Framework\Config::set('use_sso', $vars->use_sso === 'Y');
|
||||
Rhymix\Framework\Config::set('session.delay', $vars->delay_session === 'Y');
|
||||
Rhymix\Framework\Config::set('session.use_db', $vars->use_db_session === 'Y');
|
||||
Rhymix\Framework\Config::set('session.use_keys', $vars->use_session_keys === 'Y');
|
||||
Rhymix\Framework\Config::set('session.use_ssl', $vars->use_session_ssl === 'Y');
|
||||
Rhymix\Framework\Config::set('view.minify_scripts', $vars->minify_scripts ?: 'common');
|
||||
Rhymix\Framework\Config::set('view.concat_scripts', $vars->concat_scripts ?: 'none');
|
||||
Rhymix\Framework\Config::set('view.server_push', $vars->use_server_push === 'Y');
|
||||
|
|
|
|||
|
|
@ -571,6 +571,8 @@ class adminAdminView extends admin
|
|||
Context::set('use_rewrite', Rhymix\Framework\Config::get('use_rewrite'));
|
||||
Context::set('use_sso', Rhymix\Framework\Config::get('use_sso'));
|
||||
Context::set('delay_session', Rhymix\Framework\Config::get('session.delay'));
|
||||
Context::set('use_session_keys', Rhymix\Framework\Config::get('session.use_keys'));
|
||||
Context::set('use_session_ssl', Rhymix\Framework\Config::get('session.use_ssl'));
|
||||
Context::set('use_db_session', Rhymix\Framework\Config::get('session.use_db'));
|
||||
Context::set('minify_scripts', Rhymix\Framework\Config::get('view.minify_scripts'));
|
||||
Context::set('concat_scripts', Rhymix\Framework\Config::get('view.concat_scripts'));
|
||||
|
|
|
|||
|
|
@ -129,6 +129,10 @@ $lang->use_server_push = 'Use HTTP/2 Server Push';
|
|||
$lang->use_gzip = 'gzip Compression';
|
||||
$lang->delay_session = 'Delay session start';
|
||||
$lang->about_delay_session = 'To improve performance when using a caching proxy server such as Varnish, do not issue sessions to visitors until they log in.<br>Selecting this option may cause view counts and visitor counts to become inaccurate.';
|
||||
$lang->use_session_keys = 'Use session security keys';
|
||||
$lang->about_use_session_keys = 'Use additional security keys to guard against session theft. This setting is highly recommended if you don\'t use SSL-only sessions.<br>This setting may cause some users to become logged out.';
|
||||
$lang->use_session_ssl = 'Use SSL-only session';
|
||||
$lang->about_use_session_ssl = 'Prevent the session from being used on non-SSL pages.<br>This helps improve security if your site always uses SSL and your server is configured to redirect all non-SSL pages to SSL.';
|
||||
$lang->use_object_cache = 'Use Cache';
|
||||
$lang->cache_default_ttl = 'Cache default TTL';
|
||||
$lang->cache_host = 'Host';
|
||||
|
|
|
|||
|
|
@ -129,6 +129,10 @@ $lang->use_server_push = 'Server Push 사용';
|
|||
$lang->use_gzip = 'gzip 압축';
|
||||
$lang->delay_session = '세션 시작 지연';
|
||||
$lang->about_delay_session = 'Varnish 등의 프록시 캐싱 서버 사용시 성능 개선을 위해, 로그인하지 않은 사용자에게는 인증 세션을 부여하지 않습니다.<br>이 옵션을 선택할 경우 방문자 수 및 조회수 집계가 정확하게 이루어지지 않을 수 있습니다.';
|
||||
$lang->use_session_keys = '세션 보안키 사용';
|
||||
$lang->about_use_session_keys = '세션 탈취를 방지하기 위한 보안키를 사용합니다. SSL 전용 세션을 사용하지 않을 경우 반드시 보안키를 사용하시기를 권장합니다.<br>사용자 환경에 따라 로그인이 풀리는 문제가 발생할 수 있습니다.';
|
||||
$lang->use_session_ssl = 'SSL 전용 세션 사용';
|
||||
$lang->about_use_session_ssl = '세션을 SSL 전용으로 지정하여 SSL이 아닌 페이지에서 사용할 수 없도록 합니다.<br>SSL을 항상 사용하고, SSL이 아닌 페이지 방문시 자동으로 SSL 페이지로 리다이렉트되도록 서버가 설정되어 있는 경우<br>이 옵션을 사용하면 보안이 향상됩니다. (애드온 등을 사용하여 리다이렉트하는 경우 제외)';
|
||||
$lang->use_object_cache = '캐시 사용';
|
||||
$lang->cache_default_ttl = '캐시 기본 TTL';
|
||||
$lang->cache_host = '호스트';
|
||||
|
|
|
|||
|
|
@ -51,6 +51,24 @@
|
|||
<p class="x_help-block">{$lang->about_delay_session}</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label">{$lang->use_session_keys}</label>
|
||||
<div class="x_controls">
|
||||
<label for="use_session_keys_y" class="x_inline"><input type="radio" name="use_session_keys" id="use_session_keys_y" value="Y" checked="checked"|cond="$use_session_keys !== false" /> {$lang->cmd_yes}</label>
|
||||
<label for="use_session_keys_n" class="x_inline"><input type="radio" name="use_session_keys" id="use_session_keys_n" value="N" checked="checked"|cond="$use_session_keys === false" /> {$lang->cmd_no}</label>
|
||||
<br />
|
||||
<p class="x_help-block">{$lang->about_use_session_keys}</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label">{$lang->use_session_ssl}</label>
|
||||
<div class="x_controls">
|
||||
<label for="use_session_ssl_y" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_y" value="Y" checked="checked"|cond="$use_session_ssl && $use_ssl === 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_yes}</label>
|
||||
<label for="use_session_ssl_n" class="x_inline"><input type="radio" name="use_session_ssl" id="use_session_ssl_n" value="N" checked="checked"|cond="!$use_session_ssl || $use_ssl !== 'always'" disabled="disabled"|cond="$use_ssl !== 'always'" /> {$lang->cmd_no}</label>
|
||||
<br />
|
||||
<p class="x_help-block">{$lang->about_use_session_ssl}</p>
|
||||
</div>
|
||||
</div>
|
||||
<div class="x_control-group">
|
||||
<label class="x_control-label">{$lang->use_db_session} <a class="x_icon-question-sign" href="./common/manual/admin/index.html#UMAN_config_general_db_session" target="_blank">{$lang->help}</a></label>
|
||||
<div class="x_controls">
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue