checksessionexpiry: rework

[git.ikiwiki.info.git] / IkiWiki / CGI.pm

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index a3486cbb40034cafc2fcdedd32c828626261339d..a45e12e3168c54540b22f72e95c28d35eef003e5 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{
 
        printheader($session);
        print misctemplate($form->title, $form->render(submit => $buttons), @_);
 
        printheader($session);
        print misctemplate($form->title, $form->render(submit => $buttons), @_);

-}
+} #}}}

 
 sub redirect ($$) { #{{{
        my $q=shift;
 
 sub redirect ($$) { #{{{
        my $q=shift;


@@ -273,7 +273,7 @@ sub check_banned ($$) { #{{{
                        exit;
                }
        }
                        exit;
                }
        }

-}
+} #}}}

 
 sub cgi_getsession ($) { #{{{
        my $q=shift;
 
 sub cgi_getsession ($) { #{{{
        my $q=shift;


@@ -296,14 +296,16 @@ sub cgi_getsession ($) { #{{{
        return $session;
 } #}}}
 
        return $session;
 } #}}}
 

-# The session id is stored on the form and checked to
-# guard against CSRF. But only if the user is logged in,
-# as anonok can allow anonymous edits.
+# To guard against CSRF, the user's session id (sid)
+# can be stored on a form. This function will check
+# (for logged in users) that the sid on the form matches
+# the session id in the cookie.

 sub checksessionexpiry ($$) { # {{{
 sub checksessionexpiry ($$) { # {{{

+       my $q=shift;

        my $session = shift;
        my $session = shift;

-       my $sid = shift;

 
        if (defined $session->param("name")) {
 
        if (defined $session->param("name")) {

+               my $sid=$q->param('sid');

                if (! defined $sid || $sid ne $session->id) {
                        error(gettext("Your login session has expired."));
                }
                if (! defined $sid || $sid ne $session->id) {
                        error(gettext("Your login session has expired."));
                }