Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v diff -u -r1.8 -r1.9 --- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 1 Mar 2002 23:16:13 -0000 1.8 +++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 13 Mar 2002 22:50:53 -0000 1.9 @@ -236,7 +236,7 @@ # the empty string set prev_user_id [ad_conn user_id] - if { $prev_user_id != 0 } { + if { $prev_user_id != 0 && $prev_user_id != $new_user_id } { # this is a change in identity so we should create # a new session so session-level data is not shared set session_id [sec_allocate_session] @@ -298,6 +298,16 @@ } { return "" } + + set new_last_hit [clock seconds] + + db_dml update_last_hit_dml { + update sec_session_properties + set last_hit = :new_last_hit + where session_id = :id and + property_name = :name + } + return [list $property_value $secure_p] } @@ -1035,6 +1045,16 @@ return 1 } + # check to see if IE is lame (and buggy!) and is expanding \n to \r\n + # See: http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg_id=000bfF + set value [string map [list \r ""] $value] + set computed_hash [ns_sha1 "$value$token_id$expire_time$secret_token"] + + if { [string compare $computed_hash $hash] == 0 && ($expire_time > [ns_time] || $expire_time == 0) } { + return 1 + } + + ns_log Debug "Security: The string compare is [string compare $computed_hash $hash]." # signature could not be authenticated return 0 @@ -1195,14 +1215,19 @@ return $tcl_secret_tokens($token_id) } else { set token [ns_cache eval secret_tokens $token_id { - return [db_string get_token {select token from secret_tokens + set token [db_string get_token {select token from secret_tokens where token_id = :token_id} -default 0] - }] - if { $token == 0 } { - error "Invalid token ID" - } + # Very important to throw the error here if $token == 0 + # see: http://www.arsdigita.com/sdm/one-ticket?ticket_id=10760 + if { $token == 0 } { + error "Invalid token ID" + } + + return $token + }] + set tcl_secret_tokens($token_id) $token return $token