- added user IP to hash used as session id (so changed IP, different devices force a different session)
- returning false in verify, if domain is changed
- fixed "Wrong IP" message
register cookies in $_REQUEST any more by default (there's now a php.ini
variable 'request_order' to controll that, but we want to work with a
default configuraltion):
- session restore was not working, as only $_REQUEST[sessionid] was checked
- multi domain installs not working, as domain cookie was not checked
- encrypted session were not working, because kp3 cookie was not checked
--> there's now a static method egw_session::get_request($name), which
checks $_REQUEST[$name], $_COOKIE[$name] and for that Safari bug also
$_COOKIE[ucfirst($name)]
Patch is mostly created by script in egroupware/doc/fix_depricated.php in separate commit.
I do NOT advice to apply this patch to a production system (it's commited to trunk!), as the automatic modified regular expressions have a good change to break something ...
and GroupDAV. The "sessionid" get's constructed from the basic auth
credentials and is not random (as the clients dont store them).
--> speeds up the use of *DAV
--> stops *DAV handlers to created numerious sessions
- flag in session if it is encrypted to prevent calling the encryption more then once, which stalls the session-content
- egw_session::session_comit() method calls now encrypt() too, as it closes the session, before the destructor is called
- hack to fix PHP Fatal error: Cannot use string offset as an array, which happens sometime in felamimail under php5.2
- some more docu"
- it now also encrypts the egw object and egw_info array, stored in the session
- it no longer encrypts every egw_session::appsession() call, but the
whole array at once when the egw_session object gets destroyed
- mcrypt algo and mode are currently hardcoded to tripledes and ecb, as
we dont have the database connection, when they are needed. You can
add it as egw_info[server][mcrypt_{algo|mode}] in the header.inc.php
- fixed a bug, which let the session grow around 400k(!) each request
- if mcrypt or the selected algo/mode is not availible the session
encryption is switched off automatic, but an error is logged
- DONT UPDATE ON A PROCUDTION SYSTEM (for the next few days)!
- eGW support from now on only php session handling
- custom session handlers (like the memcache one) can now be
implemented as classes and dont need to change any other code
- the class get's autoloaded and the name need to be configured
eg. in the header.inc.php as $egw_info[server][session_handler]
- session restore is now enabled by default (it's way faster and
works well with php5.1+)
- a db-bases session handler follows soon
