if (!$user_id) {
return '';
}
- $session_serial = $user_id.'-*-'.time().'-*-'.getStringFromServer('REMOTE_ADDR').'-*-'.getStringFromServer('HTTP_USER_AGENT');
- $session_serial_hash = md5($session_serial.forge_get_config('session_key'));
- $session_serial_token = base64_encode($session_serial).'-*-'.$session_serial_hash;
- /*
- * TODO: would be better to use HMAC-SHA256 via
- * http://www.php.net/manual/en/function.hash-hmac.php
- * or do this using Keccak (SHA-3) which is its own MAC
- */
- return $session_serial_token;
+ return session_build_session_cookie($user_id);
+ }
+
+ function session_build_session_cookie($user_id) {
+ $session_cookie_data = array(
+ $user_id,
+ getStringFromServer('REMOTE_ADDR'),
+ getStringFromServer('HTTP_USER_AGENT'),
+ );
+ $session_cookie = "" . time();
+ foreach ($session_cookie_data as $s) {
+ /* for escaping; this is not really HTML */
+ $session_cookie .= '<' . util_html_encode($s);
+ }
+ $session_cookie_hmac = hash_hmac("sha256", $session_cookie,
+ forge_get_config('session_key'), true);
+ $session_serial_cookie = base64_encode($session_cookie) . '!' .
+ base64_encode($session_cookie_hmac);
+ return $session_serial_cookie;
}
/**
* @param string Value of cookie
* @param string Domain scope (default '')
* @param string Expiration time in UNIX seconds (default 0)
- * @return true/false
*/
- function session_set_cookie($name ,$value, $domain = '', $expiration = 0) {
- if (php_sapi_name() != 'cli') {
- if ( $expiration != 0){
- setcookie($name, $value, time() + $expiration, '/', $domain, 0);
- } else {
- setcookie($name, $value, $expiration, '/', $domain, 0);
- }
+ function session_set_cookie($name, $value, $domain='', $expiration=0) {
+ return session_cookie($name, $value, $domain, $expiration);
+ }
+ function session_cookie($name, $value, $domain='', $expiration=0) {
+ if (php_sapi_name() == 'cli') {
+ return;
+ }
+ if ($expiration) {
+ $expiration = time() + $expiration;
+ }
+ /* evolvis: force secure (SSL-only) session cookies */
+ //$force_secure = true;
+ /* not (yet?) in FusionForge */
+ $force_secure = false;
+ if ($force_secure && !session_issecure()) {
+ return;
}
+ setcookie($name, $value, $expiration, '/', $domain, $force_secure, true);
+ }
+
+ /**
+ * session_redirect_uri() - Redirect browser
+ *
+ * @param string Absolute URI
+ * @return never returns
+ */
+ function session_redirect_external($url) {
+ session_redirect_uri($url);
+ }
+ function session_redirect_uri($loc) {
++ util_save_messages();
+ sysdebug_off("Status: 301 Moved Permanently", true, 301);
+ header("Location: ${loc}", true);
+ echo "\nPlease go to ${loc} instead!\n";
+ exit;
}
/**
- * session_redirect() - Redirect browser within the site
+ * session_redirect() - Redirect browser within the site and exit.
*
- * @param string Absolute path within the site
- * @return never returns
+ * @param string $loc Absolute path within the site
*/
function session_redirect($loc) {
- util_save_messages();
- session_redirect_external(util_make_url ($loc));
+ session_redirect_uri(util_make_url($loc));
+ exit;
+}
+
+/**
+ * session_redirect_external() - Redirect browser to a (potentially external) URL
+ *
+ * @param string Absolute URL, not necessarily within the site
+ * @return never returns
+ */
+function session_redirect_external($url) {
++ util_save_messages();
+ header('Location: '.$url);
+ print("\n\n");
+ exit;
}
/**