Joost/pics
1
0
Fork 0
forked from Public/pics
Code Issues Pull Requests Projects Releases Wiki Activity

Invoke Dispatcher::kickGuest from Session for invalid sessions.

Browse Source 
Previously, a NotAllowedException would be thrown if an invalid session
was encountered. However, these exceptions were not caught, and hence
would yield a fatal uncaught exception error.

At this point in Kabuki, the ErrorHandler class has not been registered yet
for error handling purposes. This error is therefore not visible if the PHP
ini directive 'display_errors' is set to 'Off'. As this is the default
production value, the script would fail with a blank page in such cases.
This commit is contained in:
Aaron van Geffen
2020-03-11 22:23:43 +01:00
parent 909d50efa8
commit a208c0482f
3 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
models/Session.php
View File

@@ -19,13 +19,13 @@ class Session
if (!isset($_SERVER['HTTPS']) && isset($_SERVER['REMOTE_ADDR']) && $_SESSION['ip_address'] !== $_SERVER['REMOTE_ADDR'])
{
$_SESSION = [];
throw new UserFacingException('Your session failed to validate: your IP address has changed. Please re-login and try again.');
Dispatcher::kickGuest('Your session failed to validate', 'Your IP address has changed. Please re-login and try again.');
}
// Either way, require re-login if the browser identifier has changed.
elseif (isset($_SERVER['HTTP_USER_AGENT']) && $_SESSION['user_agent'] !== $_SERVER['HTTP_USER_AGENT'])
{
$_SESSION = [];
throw new UserFacingException('Your session failed to validate: your browser identifier has changed. Please re-login and try again.');
Dispatcher::kickGuest('Your session failed to validate', 'Your browser identifier has changed. Please re-login and try again.');
}
}
elseif (!isset($_SESSION['ip_address'], $_SESSION['user_agent']))