Created
November 16, 2010 21:35
-
-
Save sminnee/702559 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/core/HTTP.php b/core/HTTP.php | |
| index 0ce1a49..dd08567 100644 | |
| --- a/core/HTTP.php | |
| +++ b/core/HTTP.php | |
| @@ -346,7 +346,7 @@ class HTTP { | |
| $responseHeaders["Cache-Control"] = "max-age=" . self::$cache_age . ", must-revalidate"; | |
| $responseHeaders["Pragma"] = ""; | |
| } else { | |
| - $responseHeaders["Cache-Control"] = "no-cache, max-age=0, must-revalidate"; | |
| + $responseHeaders['Vary'] = 'Cookie'; | |
| } | |
| if(self::$modification_date && self::$cache_age > 0) { | |
| diff --git a/core/Session.php b/core/Session.php | |
| index 1125184..7cdf5a4 100644 | |
| --- a/core/Session.php | |
| +++ b/core/Session.php | |
| @@ -371,7 +371,12 @@ class Session { | |
| * Only save the changes, so that anyone manipulating $_SESSION directly doesn't get burned. | |
| */ | |
| public function inst_save() { | |
| - $this->recursivelyApply($this->changedData, $_SESSION); | |
| + if($this->changedData) { | |
| + if(!isset($_SESSION)) { | |
| + Session::start(); | |
| + } | |
| + $this->recursivelyApply($this->changedData, $_SESSION); | |
| + } | |
| } | |
| /** | |
| diff --git a/core/control/Director.php b/core/control/Director.php | |
| index 3a8bb40..a33322f 100755 | |
| --- a/core/control/Director.php | |
| +++ b/core/control/Director.php | |
| @@ -119,6 +119,9 @@ class Director { | |
| if(isset($_SERVER['HTTP_REFERER'])) $req->addHeader("Referer", $_SERVER['HTTP_REFERER']); | |
| // Load the session into the controller | |
| + | |
| + if(!isset($_SESSION) && isset($_COOKIE['PHPSESSID'])) Session::start(); | |
| + | |
| $session = new Session(isset($_SESSION) ? $_SESSION : null); | |
| $result = Director::handleRequest($req, $session); | |
| diff --git a/main.php b/main.php | |
| index 85de63a..24fcf03 100644 | |
| --- a/main.php | |
| +++ b/main.php | |
| @@ -65,8 +65,6 @@ if (function_exists('mb_http_output')) { | |
| mb_internal_encoding('UTF-8'); | |
| } | |
| -Session::start(); | |
| - | |
| // IIS will sometimes generate this. | |
| if(!empty($_SERVER['HTTP_X_ORIGINAL_URL'])) { | |
| $_SERVER['REQUEST_URI'] = $_SERVER['HTTP_X_ORIGINAL_URL']; |
Yes, stojg, that's true, but there are two workarounds:
- Disable CSRF on the comment form.
- Require users to click something before the comment form is loaded. It could be on a separate page or loaded via an ajax request.
Similar rules apply for things like having a log-in form in the corner of the screen. However, for a log-in form there's probably not too much risk in having CSRF disabled, because an attacker would need to know the user's username & password to actually do anything nasty.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed that this will of course not prevent setting a session when having a comment form, due to the CSRF protection in Form.php