From ab9a0b71d96032ea34621ac7063b35abea92a3a9 Mon Sep 17 00:00:00 2001
From: Rob van Son
Date: Mon, 1 Apr 2013 14:36:25 +0200
Subject: [PATCH] Changed SESSION tickets to hash(SESSIONTICKET) to enable direct setting of cookies
---
 CGIscriptor.pl | 4 ++--
 JavaScript/CGIscriptorSession.js | 2 +-
 Private/Login.html | 2 +-
 PrivateTutorial.html | 13 ++++++-------
 4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/CGIscriptor.pl b/CGIscriptor.pl
index 24d50ea..8978cea 100755
--- a/CGIscriptor.pl
+++ b/CGIscriptor.pl
@@ -3300,7 +3300,7 @@ sub Log_In_Access # () -> 0 = Access Allowed, Login page if access is not allowe
 }
 else
 {
- $SESSIONTICKET = $TMPTICKET;
+ $SESSIONTICKET = hash_string($TMPTICKET);
 create_session_file("$SessionPath/$SESSIONTICKET", "$SessionPath/$LOGINTICKET", "$PasswordsPath/$userfile", $PATH_INFO);
 $SETCOOKIELIST{"CGIscriptorSESSION"} = "-";
 };
@@ -3313,7 +3313,7 @@ sub Log_In_Access # () -> 0 = Access Allowed, Login page if access is not allowe
 if($CHALLENGETICKET)
 {
 # Do not log into a CHALLENGE account if the SESSION cookie is present
- goto Login if $SESSIONTICKET =~ /\S/;
+ #goto Login if $SESSIONTICKET =~ /\S/;
 goto Login unless (-s "$SessionPath/$CHALLENGETICKET");
 my $ticket_valid = check_ticket_validity("CHALLENGE", "$SessionPath/$CHALLENGETICKET", $REMOTE_ADDR, $PATH_INFO);
 goto Login unless $ticket_valid;
diff --git a/JavaScript/CGIscriptorSession.js b/JavaScript/CGIscriptorSession.js
index 7f1702e..b4e947b 100644
--- a/JavaScript/CGIscriptorSession.js
+++ b/JavaScript/CGIscriptorSession.js
@@ -274,7 +274,7 @@ function setSessionParameters() {
 if(!(sessionset &&sessionset.match(/[\S]/)))return false;
 var sessionticket = "";
- sessionticket = sessionStorage.getItem("CGIscriptorPRIVATE");
+ sessionticket = hex_sha256(sessionStorage.getItem("CGIscriptorPRIVATE"));
 if(!sessionticket) return false;
 createCookie("CGIscriptorSESSION",sessionticket, 0, "");
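Review bot: The new assignment `$SESSIONTICKET = hash_string($TMPTICKET);` carries no comment saying that the session file under `$SessionPath` is now named after the digest instead of the ticket, or that this digest has to be byte-identical to the `hex_sha256(...)` value the browser writes into the `CGIscriptorSESSION` cookie in JavaScript/CGIscriptorSession.js. If the two functions ever differ in algorithm, input encoding or hex case, the session file would presumably not be found and SESSION logins would fall back to the login page. I would add above the assignment: `# SESSION id = hash of the private ticket; must equal hex_sha256(ticket) in CGIscriptorSession.js`. The digest is still the bearer credential for the session, so it needs the same handling the raw ticket had. Log_In_Access starts and ends outside this hunk.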
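Review bot: Commenting out `goto Login if $SESSIONTICKET =~ /\S/;` leaves the line above it, `# Do not log into a CHALLENGE account if the SESSION cookie is present`, describing a check that no longer runs, so the code and its comment now disagree about an authentication decision. A request that carries both a SESSION value and a CHALLENGE ticket now continues into the CHALLENGE validation below; if that is intended, delete both lines and state the new rule, e.g. `# A SESSION cookie may accompany a CHALLENGE ticket; the ticket is still validated below`. If it is not intended, the guard should stay or be replaced rather than disabled. The `if($CHALLENGETICKET)` block and Log_In_Access continue outside this hunk.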
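Review bot: The `if(!sessionticket) return false;` guard after the changed line can no longer catch a missing `CGIscriptorPRIVATE` item, because `sessionStorage.getItem` returns null for an absent key and that null is now passed straight into `hex_sha256`. Depending on how `hex_sha256` treats non-string input (not visible here) this either throws or yields a non-empty digest, and in the second case a `CGIscriptorSESSION` cookie is set from a value that is not a ticket. Check before hashing: `var privateticket = sessionStorage.getItem("CGIscriptorPRIVATE");`, `if(!privateticket) return false;`, `sessionticket = hex_sha256(privateticket);`. setSessionParameters continues outside this hunk.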
diff --git a/Private/Login.html b/Private/Login.html
index 93e0b80..9588447 100644
--- a/Private/Login.html
+++ b/Private/Login.html
@@ -38,7 +38,7 @@
-
+
diff --git a/PrivateTutorial.html b/PrivateTutorial.html
index afcda10..891da3a 100644
--- a/PrivateTutorial.html
+++ b/PrivateTutorial.html
@@ -158,13 +158,12 @@ With each new user, a home directory is automatically created as a copy of the

Creating web pages

- IPADDRESS type sessions do not require any changes in web pages
- after login. SESSION type sessions require JavaScript code in
- the page the client lands on after login to continue. But later pages
- can be plain. CHALLENGE type sessions require JavaScript code
- on every single protected page (actually, only to get to the next page
- after that). To add support for the login sessions to simple web pages, add the
- following code to the HEAD section of each HTML file:
+ IPADDRESS and SESSIONtype sessions do not require
+ any changes in web pages after login. CHALLENGE type sessions
+ require JavaScript code on every single protected page (actually, only
+ to get to the next page after that). To add support for the login
+ sessions to simple web pages, add the following code to the HEAD
+ section of each HTML file:

 <script type="text/javascript">
-- 
2.11.4.GIT

Username: