2014-03-31 68 views
0

I am trying to include CKFinder in my PHP site. I found the official documentation: How to add CKFinder 2 to a PHP page with SESSION security?

<?php

session_start(); // needed before anything is written to $_SESSION

$_SESSION['IsAuthorized'] = TRUE; // simple user authorized

require_once 'libs/ckfinder2/ckfinder.php'; // assumed path to CKFinder's loader
$finder = new \CKFinder();
$finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
$finder->Create();

But for it to work, I need the following change in the config.php file:

<?php

session_start();

/**
 * This function must check the user session to be sure that he/she is
 * authorized to upload and access files in the File Browser.
 *
 * @return boolean
 */
function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as the
    // check below, where $_SESSION['IsAuthorized'] is set to "true" as soon as
    // the user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.
    return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
}

// other code...

And for security reasons I don't want to simply return TRUE, I want to use the session. But the problem is that I can't do that, because the $finder->Create(); method directly returns the HTML code that is opened in the IFRAME ckfinder.html page, so the session in my framework and the session in CKFinder are not the same, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; returns FALSE! So my question is:

How do I pass the session with the user authentication from my framework to CKFinder and securely verify that the user is authorized? Thank you very much for your help!

+1

It would probably help to know which framework you are using. – kevindeleon

+1

Are you using session_start() in config.php? – gabrieloliveira

+0

@gabrieloliveira Yes, I added session_start() at the top of config.php –

Answer

0

For CKFinder security, you need to add this to the action:

$this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder

Then modify CKFinder's config.php file with the following code:

function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here.
    //
    // Here the "AllowCKFinder" flag is set in the framework's session (see the
    // action above), so look for it in the framework's session file for the
    // current session id, trying the prod cache directory first, then dev.
    session_start();
    $status = FALSE;
    $file = dirname(__FILE__) . '/../../../app/cache/prod/sessions/sess_' . session_id();
    if (file_exists($file)) {
        $status = (bool) preg_match('/AllowCKFinder/i', file_get_contents($file));
    }
    if (!$status) {
        $file = dirname(__FILE__) . '/../../../app/cache/dev/sessions/sess_' . session_id();
        if (file_exists($file)) {
            $status = (bool) preg_match('/AllowCKFinder/i', file_get_contents($file));
        }
    }

    return $status;
}

Original post here
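A hardened variant of the answer's check, added here as an example (not code from the original answer or from CKFinder): rather than a regular expression over raw session files, it points PHP's session handler at the framework's own session directory and reads the flag from $_SESSION, so an unrelated session value that happens to contain the text "AllowCKFinder" cannot pass the check. It assumes Symfony 2, suggested by the getSession() call and the app/cache/<env>/sessions paths, with PHP's native file session handler and the default cookie name, and that Symfony 2 stores session attributes under $_SESSION['_sf2_attributes'] (its AttributeBag default key); ckfinderFlagIsSet() is a name chosen here.

```php
<?php
// Added example, not code from the original answer or from CKFinder: a CheckAuthentication()
// that attaches to the framework's own session store instead of grepping raw session files.
// Assumptions: Symfony 2 (suggested by getSession() and the app/cache/<env>/sessions paths),
// PHP's native file session handler with the default cookie name, and the flag set with
// $session->set('AllowCKFinder', TRUE), which Symfony 2 keeps in $_SESSION['_sf2_attributes'].

function CheckAuthentication()
{
    // If config.php (or an include) already started a session, the save path can no
    // longer be changed; just inspect what was loaded.
    if (session_status() === PHP_SESSION_ACTIVE) { // PHP >= 5.4
        return ckfinderFlagIsSet();
    }

    // Only accept a well-formed session id from the cookie: it becomes part of a file
    // name below, so reject anything that could carry path separators.
    $cookieName = session_name();
    if (!isset($_COOKIE[$cookieName])
        || !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_COOKIE[$cookieName])) {
        return FALSE;
    }
    $sessionId = $_COOKIE[$cookieName];

    // Same directories the original answer searched, prod first, then dev.
    $candidates = array(
        dirname(__FILE__) . '/../../../app/cache/prod/sessions',
        dirname(__FILE__) . '/../../../app/cache/dev/sessions',
    );
    foreach ($candidates as $dir) {
        if (is_file($dir . '/sess_' . $sessionId)) {
            session_save_path($dir); // must be set before session_start()
            session_start();         // PHP unserializes the framework's data into $_SESSION
            return ckfinderFlagIsSet();
        }
    }

    return FALSE; // no session file for this id: never treat the caller as authorized
}

// Read the flag through PHP's own unserializer rather than a regex over the raw file,
// so an unrelated session value that merely contains the text "AllowCKFinder" cannot match.
function ckfinderFlagIsSet()
{
    return isset($_SESSION['_sf2_attributes']['AllowCKFinder'])
        && $_SESSION['_sf2_attributes']['AllowCKFinder'] === TRUE;
}
```

It replaces the answer's CheckAuthentication() in CKFinder's config.php; the session id pattern covers PHP's default session id alphabet and lengths.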