[3.0] Remove PHPSESSID #8399

Open
wants to merge 4 commits into
base: release-3.0
Changes from 3 commits
44 changes: 11 additions & 33 deletions Sources/QueryString.php
@@ -398,36 +398,25 @@ public static function isFilteredRequest(array $value_list, string $var): bool
}

/**
* Rewrite URLs to include the session ID.
* Rewrite URLs for the queryless URLs option.
*
* What it does:
* - rewrites the URLs outputted to have the session ID, if the user
* is not accepting cookies and is using a standard web browser.
* - handles rewriting URLs for the queryless URLs option.
* - can be turned off entirely by setting Config::$scripturl to an empty
* string, ''. (it wouldn't work well like that anyway.)
* - because of bugs in certain builds of PHP, does not function in
* versions lower than 4.3.0 - please upgrade if this hurts you.
*
* @param string $buffer The unmodified output buffer.
* @return string The modified buffer.
*/
public static function ob_sessrewrite(string $buffer): string
{
// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
$sid = defined('SID') ? @constant('SID') : null;

// If Config::$scripturl is set to nothing, or the SID is not defined (SSI?) just quit.
if (Config::$scripturl == '' || !isset($sid)) {
// If Config::$scripturl is set to nothing, just quit.
if (Config::$scripturl == '') {
return $buffer;
}

// Do nothing if the session is cookied, or they are a crawler - guests are caught by redirectexit().
if (empty($_COOKIE) && $sid != '' && !BrowserDetector::isBrowser('possibly_robot')) {
$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote(Config::$scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\??/', '"' . Config::$scripturl . '?' . $sid . '&amp;', $buffer);
}
// Debugging templates, are we?
elseif (isset($_GET['debug'])) {
if (isset($_GET['debug'])) {
$buffer = preg_replace('/(?<!<link rel="canonical" href=)"' . preg_quote(Config::$scripturl, '/') . '\??/', '"' . Config::$scripturl . '?debug;', $buffer);
}

@@ -443,24 +432,13 @@ public static function ob_sessrewrite(string $buffer): string
Sapi::isOS([Sapi::SERVER_APACHE, Sapi::SERVER_LIGHTTPD, Sapi::SERVER_LITESPEED])
)
) {
// Let's do something special for session ids!
if ($sid != '') {
$buffer = preg_replace_callback(
'~"' . preg_quote(Config::$scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&amp;))((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
function ($m) {
return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html?' . $sid . ($m[2] ?? '') . '"';
},
$buffer,
);
} else {
$buffer = preg_replace_callback(
'~"' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
function ($m) {
return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . ($m[2] ?? '') . '"';
},
$buffer,
);
}
$buffer = preg_replace_callback(
'~"' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?"~',
function ($m) {
return '"' . Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . ($m[2] ?? '') . '"';
},
$buffer,
);
}

// Return the changed buffer.
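Review bot: The docblock of `ob_sessrewrite()` should state the new contract outright, because the method name still says "sessrewrite" while the rewritten body no longer touches the session ID. I would add a bullet such as `* - never places the session ID in a URL; sessions are carried by the cookie only.` so that nobody restores the SID branch, which put the ID where Referer headers, server logs and copied links could expose it. The rendering does not show which of the older docblock bullets survive, so check the placement against the file. The method body continues outside both hunks.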
7 changes: 5 additions & 2 deletions Sources/Session.php
@@ -96,6 +96,11 @@ public function read(string $session_id): string
*/
public function write(string $session_id, string $data): bool
{

// Don't bother writing the session if cookies are diabled
sbulen marked this conversation as resolved.
if (empty($_COOKIE))
return true;

if (preg_match('~^[A-Za-z0-9,-]{16,64}$~', $session_id) == 0) {
return false;
}
@@ -189,9 +194,7 @@ public static function load(): void
{
// Attempt to change a few PHP settings.
@ini_set('session.use_cookies', '1');
@ini_set('session.use_only_cookies', '0');
@ini_set('url_rewriter.tags', '');
@ini_set('session.use_trans_sid', '0');
@ini_set('arg_separator.output', '&amp;');

// Allows mods to change/add PHP settings
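Review bot: The `empty($_COOKIE)` guard added at the top of `write()` cannot tell a client with cookies disabled from a browser making its first request, which also arrives without cookies, so session data set on that first page view looks like it is discarded while `true` reports the write as successful. Please confirm that anything generated on a first visit and checked on the next request (a form token, for instance) still validates; if dropping it is intended, say so in the comment, e.g. `// No cookie came with this request, so the session cannot be resumed; skip the write (first-visit data is not kept).` The guard also runs before the `$session_id` format check and has no braces, unlike the `if` directly below it; `if (empty($_COOKIE)) {` … `}` would match the file. In `load()`, the rendering does not show which two `ini_set` lines were dropped; the remaining set should not leave `session.use_only_cookies` forced to `'0'`, since that would keep accepting session IDs from the URL. `write()` continues outside the hunk.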
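--- a/Sources/Utils.php
+++ b/Sources/Utils.php
@@ -2236,15 +2236,8 @@ public static function redirectexit(string $setLocation = '', bool $refresh = fa
 $setLocation = Config::$scripturl . ($setLocation != '' ? '?' . $setLocation : '');
 }
 
-// PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
-$sid = defined('SID') ? @constant('SID') : null;
-
-// Put the session ID in.
-if (isset($sid) && $sid != '') {
-$setLocation = preg_replace('/^' . preg_quote(Config::$scripturl, '/') . '(?!\?' . preg_quote($sid, '/') . ')\??/', Config::$scripturl . '?' . $sid . ';', $setLocation);
-}
 // Keep that debug in their for template debugging!
-elseif (isset($_GET['debug'])) {
+if (isset($_GET['debug'])) {
 $setLocation = preg_replace('/^' . preg_quote(Config::$scripturl, '/') . '\??/', Config::$scripturl . '?debug;', $setLocation);
 }
 
@@ -2259,23 +2252,13 @@ public static function redirectexit(string $setLocation = '', bool $refresh = fa
 Sapi::isSoftware([Sapi::SERVER_APACHE, Sapi::SERVER_LIGHTTPD, Sapi::SERVER_LITESPEED])
 )
 ) {
-if (isset($sid) && $sid != '') {
-$setLocation = preg_replace_callback(
-'~^' . preg_quote(Config::$scripturl, '~') . '\?(?:' . $sid . '(?:;|&|&amp;))((?:board|topic)=[^#]+?)(#[^"]*?)?$~',
-function ($m) {
-return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html?' . $sid . (isset($m[2]) ? "{$m[2]}" : '');
-},
-$setLocation,
-);
-} else {
-$setLocation = preg_replace_callback(
-'~^' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
-function ($m) {
-return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . (isset($m[2]) ? "{$m[2]}" : '');
-},
-$setLocation,
-);
-}
+$setLocation = preg_replace_callback(
+'~^' . preg_quote(Config::$scripturl, '~') . '\?((?:board|topic)=[^#"]+?)(#[^"]*?)?$~',
+function ($m) {
+return Config::$scripturl . '/' . strtr("{$m[1]}", '&;=', '//,') . '.html' . (isset($m[2]) ? "{$m[2]}" : '');
+},
+$setLocation,
+);
 }
 
 // The request was from ajax/xhr/other api call, append ajax ot the url.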
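Review bot: The callback kept in the second hunk still builds the fragment with `(isset($m[2]) ? "{$m[2]}" : '')`, while the same rewrite in Sources/QueryString.php uses `($m[2] ?? '')`. Now that each file has a single branch left, I would align them: `return Config::$scripturl . '/' . strtr($m[1], '&;=', '//,') . '.html' . ($m[2] ?? '');`. The `[^#"]` and `[^"]` classes in the pattern appear to be carried over from the output-buffer version, where URLs sit inside quoted attributes; on a bare URL anchored with `^` and `$` the quote exclusion deserves a one-line comment or a cleanup. `redirectexit()` starts and ends outside both hunks.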