diff options
author | Joey Hess <joey@gnu.kitenet.net> | 2008-12-17 14:26:08 -0500 |
---|---|---|
committer | Joey Hess <joey@gnu.kitenet.net> | 2008-12-17 14:26:08 -0500 |
commit | 985b229be632126f376aaad7bd354d0d7d014464 (patch) | |
tree | 1fdc8e45853dab0bc98d0c5e130902ec50150b92 /IkiWiki/CGI.pm | |
parent | fdd994fb7365308bde162b72b280512f2db6a339 (diff) | |
download | ikiwiki-985b229be632126f376aaad7bd354d0d7d014464.tar ikiwiki-985b229be632126f376aaad7bd354d0d7d014464.tar.gz |
checksessionexpiry: rework
This function as factored out was a bit confusing, I think this makes more
sense.
Diffstat (limited to 'IkiWiki/CGI.pm')
-rw-r--r-- | IkiWiki/CGI.pm | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index a3486cbb4..a45e12e31 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -36,7 +36,7 @@ sub showform ($$$$;@) { #{{{ printheader($session); print misctemplate($form->title, $form->render(submit => $buttons), @_); -} +} #}}} sub redirect ($$) { #{{{ my $q=shift; @@ -273,7 +273,7 @@ sub check_banned ($$) { #{{{ exit; } } -} +} #}}} sub cgi_getsession ($) { #{{{ my $q=shift; @@ -296,14 +296,16 @@ sub cgi_getsession ($) { #{{{ return $session; } #}}} -# The session id is stored on the form and checked to -# guard against CSRF. But only if the user is logged in, -# as anonok can allow anonymous edits. +# To guard against CSRF, the user's session id (sid) +# can be stored on a form. This function will check +# (for logged in users) that the sid on the form matches +# the session id in the cookie. sub checksessionexpiry ($$) { # {{{ + my $q=shift; my $session = shift; - my $sid = shift; if (defined $session->param("name")) { + my $sid=$q->param('sid'); if (! defined $sid || $sid ne $session->id) { error(gettext("Your login session has expired.")); } |