header('Content-type: text/html; charset=UTF-8');
// Define default location
if (!defined('BASE_PATH')) {
    $base = str_replace('\\', '/', dirname(dirname(dirname(dirname(__FILE__)))));
    define('BASE_PATH', $base);
}
// Include general configuration
/*MARKER*/
require_once BASE_PATH . '/lib/sitemap.php';
class FbX extends CcmsAjaxFbException
{
}
// nasty way to do 'shorthand in PHP -- I do miss my #define macros! :'-|
// Some security functions
if (!checkAuth()) {
    die_and_goto_url(null, $ccms['lang']['auth']['featnotallowed']);
}
// set jpeg quality for the thumbnails; turns out they are quite reasonable @ 70% quality (and still way smaller than @ 100%)
define('THUMBNAIL_JPEG_QUALITY', 70);
// Set default variables
$album_name = getPOSTparam4Filename('album');
$page_id = getGETparam4IdOrNumber('page_id');
$do_action = getGETparam4IdOrNumber('action');
/**
 *
 * Create a new album
 *
 */
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'create-album') {
    FbX::SetFeedbackLocation('lightbox.Manage.php', 'page_id=' . $page_id);
    try {
示例#2
0
             $_SESSION['ccms_isSwitchedUser'] = false;
             $_SESSION['ccms_userID'] = $row['userID'];
             $_SESSION['ccms_userName'] = $row['userName'];
             $_SESSION['ccms_userFirst'] = $row['userFirst'];
             $_SESSION['ccms_userLast'] = $row['userLast'];
             $_SESSION['ccms_userLevel'] = $row['userLevel'];
             // [i_a] fix for session faking/hijack security issue:
             // Setting safety variables as well: used for checkAuth() during the session.
             SetAuthSafety();
             unset($logmsg);
             // Return functions result
             header('Location: ' . makeAbsoluteURI($cfg['rootdir'] . 'admin/index.php'));
             exit;
         }
     }
     die_and_goto_url(null, $logmsg);
 }
 // Unset all of the session variables.
 $_SESSION = array();
 // Destroy session
 if (ini_get('session.use_cookies')) {
     $params = session_get_cookie_params();
     if (!empty($params['ccms_userID'])) {
         setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
     }
 }
 // Generate a new session_id
 session_regenerate_id();
 // Finally, destroy the session.
 if (session_destroy()) {
     header('Location: ' . makeAbsoluteURI($loc));
示例#3
0
function check_session_sidpatch_and_start()
{
    global $cfg, $ccms;
    $getid = 'SID' . md5($cfg['authcode'] . 'x');
    $sesid = session_id();
    // bloody hack for FancyUpload FLASH component which doesn't pass along cookies:
    if (!empty($_GET[$getid])) {
        $sesid = preg_replace('/[^A-Za-z0-9]/', 'X', $_GET[$getid]);
        /*
         * Before we set the sessionID, we'd better make darn sure it's a legitimate request instead of a hacker trying to get in:
         *
         * however, before we can access any $_SESSION[] variables do we have to load the session for the given ID.
         */
        session_id($sesid);
        if (!session_start()) {
            die('session_start(SIDPATCH) failed');
        }
        //session_write_close();
        if (!empty($_GET['SIDCHK']) && !empty($_SESSION['fup1']) && $_SESSION['fup1'] == $_GET['SIDCHK']) {
            //echo " :: legal session ID forced! \n";
            //session_id($sesid);
        } else {
            //echo " :: illegal session override! IGNORED! \n";
            // do NOT nuke the session; this might have been a interloper trying a DoS attack... let it all run its natural course.
            $_SESSION['fup1'] = md5(mt_rand() . time() . mt_rand());
            die_and_goto_url(null, $ccms['lang']['auth']['featnotallowed']);
            // default URL: login!
        }
    } else {
        if (!session_start()) {
            die('session_start(SIDCHECK_ALT) failed');
        }
    }
}