Started converting the code to encrypt the session_info field, and it now uses kp3 properly. This needs to be tested

2000-12-29 09:00:52 +00:00 · 2000-12-29 09:00:52 +00:00 · 0c5e127b53
commit 0c5e127b53
parent 4985bb1605
2 changed files with 8 additions and 4 deletions
--- a/phpgwapi/inc/phpgw_accounts_shared.inc.php
+++ b/phpgwapi/inc/phpgw_accounts_shared.inc.php
@ -54,7 +54,7 @@
       $phpgw_info_temp["user"]["kp3"] = "";                     // We don't want it anywhere in the
                                                                 // database for security.

-       $db->query("update phpgw_sessions set session_info='" . addslashes(serialize($phpgw_info_temp))
+       $db->query("update phpgw_sessions set session_info='" . $phpgw->crypto->encrypt($phpgw_info_temp)
                . "' where session_id='" . $phpgw_info["user"]["sessionid"] . "'",__LINE__,__FILE__);
    }

--- a/phpgwapi/inc/phpgw_session.inc.php
+++ b/phpgwapi/inc/phpgw_session.inc.php
@ -32,6 +32,10 @@
       $db  = $phpgw->db;
       $db2 = $phpgw->db;

+       $phpgw->common->key  = $kp3;
+       $phpgw->common->iv   = $phpgw_info["server"]["mcrypt_iv"];
+       $phpgw->crypto = new crypto($phpgw->common->key,$phpgw->common->iv);
+
       $db->query("select * from phpgw_sessions where session_id='$sessionid'",__LINE__,__FILE__);
       $db->next_record();
       
@ -53,7 +57,7 @@
       $phpgw_info["user"]["kp3"] = $kp3;

       $phpgw_info_flags    = $phpgw_info["flags"];
-       $phpgw_info          = unserialize($db->f("session_info"));
+       $phpgw_info          = $phpgw->crypto->decrypt($db->f("session_info"));

       $phpgw_info["flags"] = $phpgw_info_flags;

@ -113,11 +117,11 @@
       $phpgw_info["user"]["sessionid"] = md5($phpgw->common->randomstring(10));
       $phpgw_info["user"]["kp3"]       = md5($phpgw->common->randomstring(15));

-       $phpgw->common->key  = $phpgw_info["server"]["encryptkey"];
+       $phpgw->common->key  = $phpgw_info["user"]["kp3"];
       $phpgw->common->iv   = $phpgw_info["server"]["mcrypt_iv"];
       $phpgw->crypto = new crypto($phpgw->common->key,$phpgw->common->iv);

-       $phpgw_info["user"]["passwd"]    = $phpgw->common->encrypt($passwd);
+       //$phpgw_info["user"]["passwd"]    = $phpgw->common->encrypt($passwd);
 
       if ($phpgw_info["server"]["usecookies"]) {
          Setcookie("sessionid",$phpgw_info["user"]["sessionid"]);