Merge pull request #511 from AVGP/507-csrf-issue

Flexible Session handling
2026-03-03 07:13:59 +01:00 · 2014-12-01 18:56:07 +00:00
parent aaf1ce1526 4a1ba5dfe3
commit b2d13e0e30
1 changed files with 25 additions and 2 deletions
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -15,12 +15,35 @@ $context = stream_context_create(array('http'=>
 	)
 ));

+// Sets up a session, either with the default dir or local tmp dir
+function session_start_safe() {
+    // Trying with the default
+    session_save_path('');
+    @session_start();
+    if(!$_SESSION['working']) $_SESSION['working'] = true;
+    session_write_close();
+    session_unset();
+    session_destroy();
+    // Let's see if that worked
+    @session_start();
+    if($_SESSION['working']) {
+        unset($_SESSION['working']);
+        return; // we've got a working session
+    } else {
+        // Create a new session in the local tmp dir instead
+        session_unset();
+        session_destroy();
+        session_save_path(dirname(__FILE__).'/../tmp');
+        session_regenerate_id(true);
+        @session_start();
+    }
+}
+
 // Start a session if we haven't already
 if(!isset($_SESSION)) {
-	session_save_path(dirname(__FILE__).'/../tmp');
 	// Make the session cookie HTTP only
 	session_set_cookie_params(0, '/', '', false, true);
-	@session_start();
+	session_start_safe();
 }

 // Set the language file, if now possible