Changeset 14989 for branches/rel

Timestamp:

2007/06/28 16:43:42 (16 years ago)

Author:

adati

Message:

CSRF対策：セッションにuniqidを持たせるように修正

File:

• branches/rel/data/class/SC_Session.php (modified) (4 diffs)

branches/rel/data/class/SC_Session.php

@@ -13 +13 @@
     var $sid;           // ¥»¥Ã¥·¥ç¥óID
     var $member_id;     // ¥í¥°¥¤¥ó¥æ¡¼¥¶¤Î¼ç¥­¡¼
-
+    var $uniqid;         // ¥Ú¡¼¥¸Á«°Ü¤ÎÀµÅöÀ­¥Á¥§¥Ã¥¯¤Ë»ÈÍÑ
+    
     /* ¥³¥ó¥¹¥È¥é¥¯¥¿ */
     function SC_Session() {
@@ -23 +24 @@
             $this->sid = session_id();
             $this->cert = $_SESSION['cert'];
-            $this->login_id = $_SESSION['login_id'];
+            $this->login_id  = $_SESSION['login_id'];
             $this->authority = $_SESSION['authority'];  // ´ÉÍý¼Ô:0, °ìÈÌ:1, ±ÜÍ÷:2
             $this->member_id = $_SESSION['member_id'];
+            $this->uniqid    = $_SESSION['uniq_id'];
+            
             // ¥í¥°¤Ëµ­Ï¿¤¹¤ë
             gfPrintLog("access : user=".$this->login_id." auth=".$this->authority." sid=".$this->sid);
@@ -64 +67 @@
     }
     
+    /** ¥æ¥Ë¡¼¥¯ID¤Î¼èÆÀ **/ 
+    function getUniqId() {
+        // ¥æ¥Ë¡¼¥¯ID¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ï¥»¥Ã¥È¤¹¤ë¡£
+        if( empty($_SESSION['uniqid']) ) {
+            $this->setUniqId();
+        }
+        return $this->GetSession('uniqid');
+    }
+    
+    /** ¥æ¥Ë¡¼¥¯ID¤Î¥»¥Ã¥È **/ 
+    function setUniqId() {
+        // ͽ¬¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¥é¥ó¥À¥àʸ»úÎó¤òÉÕÍ¿¤¹¤ë¡£
+        $this->SetSession('uniqid', sfGetUniqRandomId());
+    }
+    
     /* ¥»¥Ã¥·¥ç¥ó¤ÎÇË´þ */
     function EndSession() {
@@ -87 +105 @@
         unset($_SESSION['authority']);
         unset($_SESSION['member_id']);
+        unset($_SESSION['uniqid']);
         // ¥í¥°¤Ëµ­Ï¿¤¹¤ë
         gfPrintLog("logout : user=".$this->login_id." auth=".$this->authority." sid=".$this->sid);