holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* eSync: limit creation of sessions to one per device and user (like already done for CalDAV)

Browse Source
This commit is contained in:
Ralf Becker 2014-08-25 14:21:21 +00:00
parent e9ee3b46ce
commit 7faf1d7a2d
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
phpgwapi/inc/class.egw_session.inc.php
View File

@ -787,11 +787,15 @@ class egw_session
// for WebDAV and GroupDAV we use a pseudo sessionid created from md5(user:passwd) // for WebDAV and GroupDAV we use a pseudo sessionid created from md5(user:passwd)
// --> allows this stateless protocolls which use basic auth to use sessions! // --> allows this stateless protocolls which use basic auth to use sessions!
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']) && if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']) &&
in_array(basename($_SERVER['SCRIPT_NAME']),array('webdav.php','groupdav.php','remote.php'))) (in_array(basename($_SERVER['SCRIPT_NAME']),array('webdav.php','groupdav.php','remote.php')) ||
$_SERVER['SCRIPT_NAME'] === '/Microsoft-Server-ActiveSync'))
{ {
// we generate a pseudo-sessionid from the basic auth credentials // we generate a pseudo-sessionid from the basic auth credentials
$sessionid = md5($_SERVER['PHP_AUTH_USER'].':'.$_SERVER['PHP_AUTH_PW'].':'.$_SERVER['HTTP_HOST'].':'. $sessionid = md5($_SERVER['PHP_AUTH_USER'].':'.$_SERVER['PHP_AUTH_PW'].':'.$_SERVER['HTTP_HOST'].':'.
EGW_SERVER_ROOT.':'.self::getuser_ip().':'.filemtime(EGW_SERVER_ROOT.'/phpgwapi/setup/setup.inc.php')); EGW_SERVER_ROOT.':'.self::getuser_ip().':'.filemtime(EGW_SERVER_ROOT.'/phpgwapi/setup/setup.inc.php').
// for ActiveSync we add the DeviceID
(isset($_GET['DeviceId']) && $_SERVER['SCRIPT_NAME'] === '/Microsoft-Server-ActiveSync' ? ':'.$_GET['DeviceId'] : ''));
//error_log(__METHOD__."($only_basic_auth) HTTP_HOST=$_SERVER[HTTP_HOST], PHP_AUTH_USER=$_SERVER[PHP_AUTH_USER], DeviceId=$_GET[DeviceId]: sessionid=$sessionid");
} }
// same for digest auth // same for digest auth
elseif (isset($_SERVER['PHP_AUTH_DIGEST']) && elseif (isset($_SERVER['PHP_AUTH_DIGEST']) &&