From f70027ffbedce10f412868a7bf9b0b67b113f1b1 Mon Sep 17 00:00:00 2001 From: M.Gergo Date: Sun, 20 Jan 2019 11:48:48 +0100 Subject: Rev: 4423 --- mayor-orig/www/include/share/auth/base.php | 6 ++---- mayor-orig/www/include/share/session/base.php | 8 +++++--- mayor-orig/www/include/share/session/close.php | 2 ++ 3 files changed, 9 insertions(+), 7 deletions(-) (limited to 'mayor-orig/www/include/share') diff --git a/mayor-orig/www/include/share/auth/base.php b/mayor-orig/www/include/share/auth/base.php index 9b4fa21a..8ff27f5e 100644 --- a/mayor-orig/www/include/share/auth/base.php +++ b/mayor-orig/www/include/share/auth/base.php @@ -93,7 +93,7 @@ db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => array($sessionID, $policy)), $lr); } $now = date('Y-m-d H:i:s'); - $_SC = sessionCookieEncode($sessionID, $now); + $_SC = sessionCookieEncode($sessionID, $now); // TODO $_studyId = ($studyId=='') ? 'NULL' : $studyId; if ($studyId=='') { $query="INSERT INTO session @@ -109,9 +109,7 @@ db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => $v), $lr); db_close($lr); - // Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő az md5 is - // értékénél viszont a $now alkalmazása tökéletesen hibás, hiszen a lejárati dátumból 1:1-ben reprodukálható - + // Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő a gyenge hash is, de now alkalmazása hibás setcookie($_SC['name'],$_SC['value'],time()+60*60*_SESSION_MAX_TIME,'/','',_SECURECOOKIE); return $sessionID; diff --git a/mayor-orig/www/include/share/session/base.php b/mayor-orig/www/include/share/session/base.php index 706a9ef9..337c72df 100644 --- a/mayor-orig/www/include/share/session/base.php +++ b/mayor-orig/www/include/share/session/base.php @@ -115,9 +115,11 @@ db_query($q, array('fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v)); } - - - + function _clearSessionCache($sessionID) { + $q = "DELETE FROM `cache` WHERE sessionID IN ('%s','%s')"; + $v = array(_SESSIONID,$sessionID); + db_query($q, array('debug'=>false,'fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v)); + } ###################################################### # getBackendAttrs - az adott policy backend-jéhez tartozó attribútumok - session modul diff --git a/mayor-orig/www/include/share/session/close.php b/mayor-orig/www/include/share/session/close.php index 146a038e..2c321ef0 100644 --- a/mayor-orig/www/include/share/session/close.php +++ b/mayor-orig/www/include/share/session/close.php @@ -30,6 +30,8 @@ function closeSession($sessionID = '') { // _SESSIONID csak validUser esetén van, de mi lehet, hogy másik policy-ből jöttünk! if ($sessionID == '') $sessionID = $_REQUEST['sessionID']; + _clearSessionCache($sessionID); + unsetTokenCookies(); $q = "DELETE FROM session WHERE sessionID='%s'"; return db_query($q, array('fv' => 'closeSession', 'modul' => 'login', 'result' => 'affected rows', 'values' => array($sessionID))); } -- cgit v1.2.3