adjust session ID check to specification
The documentation says session IDs are between 22 and 256 characters long. A quick test showed only 26 characters in common configurations, but this range should cover all possibilities.
parent
6eb3cdf688
commit
924e477e18
|
@ -232,6 +232,7 @@ mail_setup();
|
||||||
* Makes sure the passed session cookie is valid, invalid ones are ignored an a new session ID is issued
|
* Makes sure the passed session cookie is valid, invalid ones are ignored an a new session ID is issued
|
||||||
*
|
*
|
||||||
* @link http://stackoverflow.com/a/33024310/172068
|
* @link http://stackoverflow.com/a/33024310/172068
|
||||||
|
* @link http://php.net/manual/en/session.configuration.php#ini.session.sid-length
|
||||||
*/
|
*/
|
||||||
function init_session() {
|
function init_session() {
|
||||||
global $conf;
|
global $conf;
|
||||||
|
@ -239,7 +240,7 @@ function init_session() {
|
||||||
session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true);
|
session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true);
|
||||||
|
|
||||||
// make sure the session cookie contains a valid session ID
|
// make sure the session cookie contains a valid session ID
|
||||||
if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[DOKU_SESSION_NAME])) {
|
if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{22,256}$/', $_COOKIE[DOKU_SESSION_NAME])) {
|
||||||
unset($_COOKIE[DOKU_SESSION_NAME]);
|
unset($_COOKIE[DOKU_SESSION_NAME]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
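Review bot: The `$` anchor in the new pattern on the `preg_match` line also matches just before a trailing newline, so a cookie made of 22 to 256 allowed characters followed by `\n` still passes this check and is presumably handed to the session start further down. Adding the `D` modifier, `'/^[-,a-zA-Z0-9]{22,256}$/D'`, or ending the pattern with `\z`, makes the check match the whole value. The condition also assumes the cookie is a string: PHP builds an array when a cookie is sent as `name[]=…`, and passing that to `preg_match` raises a warning on older versions and most likely a TypeError on PHP 8, so an `is_string($_COOKIE[DOKU_SESSION_NAME])` test before the match would be worth adding. init_session() continues past the end of this hunk, so what happens to the value after the check is not visible here.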