Sophie: joomla-1.0.13-2mdv2008.0 src

joomla-1.0.13-2mdv2008.0.src.rpm

diff -Naur joomla-1.0.13/administrator/index.php joomla-1.0.13.oden/administrator/index.php
--- joomla-1.0.13/administrator/index.php	2007-07-21 11:29:01.000000000 +0200
+++ joomla-1.0.13.oden/administrator/index.php	2007-08-10 18:17:00.000000000 +0200
@@ -107,13 +107,13 @@
 			mosErrorAlert("Incorrect Username, Password, or Access Level.  Please try again", "document.location.href='index.php'");
 		}
 
-		session_name( md5( $mosConfig_live_site ) );
-		session_start();
-
 		// construct Session ID
 		$logintime	= time();
 		$session_id = md5( $my->id . $my->username . $my->usertype . $logintime );
 
+		session_name( md5( $mosConfig_live_site ) );
+		session_id( $session_id );
+		session_start();
 
 		// add Session ID entry to DB
 		$query = "INSERT INTO #__session"
diff -Naur joomla-1.0.13/includes/joomla.php joomla-1.0.13.oden/includes/joomla.php
--- joomla-1.0.13/includes/joomla.php	2007-07-21 11:29:11.000000000 +0200
+++ joomla-1.0.13.oden/includes/joomla.php	2007-08-10 18:40:00.000000000 +0200
@@ -767,6 +767,12 @@
 		$session_id		= mosGetParam( $_SESSION, 'session_id', '' );
 		$logintime 		= mosGetParam( $_SESSION, 'session_logintime', '' );
 
+		if ($session_id != session_id()) {
+			// session id does not correspond to required session format
+			echo "<script>document.location.href='index.php?mosmsg=Invalid Session'</script>\n";
+			exit();
+		}
+
 		// check to see if session id corresponds with correct format
 		if ($session_id == md5( $my->id . $my->username . $my->usertype . $logintime )) {
 			// if task action is to `save` or `apply` complete action before doing session checks.
@@ -789,25 +795,11 @@
 				$this->_db->setQuery( $query );
 				$this->_db->query();
 
-				// destroy the old session
-				$oldSession	= $_SESSION;
-				session_destroy();
-
-				// create a clean session
 				$current_time	= time();
-				$new_session_id = md5( $my->id . $my->username . $my->usertype . $current_time );
-				session_id($new_session_id);
-				session_start();
-
-				// restore the old session state with a new id
-				$_SESSION						= $oldSession;
-				$_SESSION['session_id'] 		= $new_session_id;
-				$_SESSION['session_logintime']	= $current_time;
 
 				// update session timestamp
 				$query = "UPDATE #__session"
 				. "\n SET time = " . $this->_db->Quote( $current_time )
-				. "\n , session_id = " . $this->_db->Quote( $new_session_id )
 				. "\n WHERE session_id = " . $this->_db->Quote( $session_id )
 				;
 				$this->_db->setQuery( $query );
@@ -819,7 +811,7 @@
 				// check against db record of session
 				$query = "SELECT COUNT( session_id )"
 				. "\n FROM #__session"
-				. "\n WHERE session_id = " . $this->_db->Quote( $new_session_id )
+				. "\n WHERE session_id = " . $this->_db->Quote( $session_id )
 				. "\n AND username = ". $this->_db->Quote( $my->username )
 				. "\n AND userid = ". intval( $my->id )
 				;