
fix(security): use user id instead of session id in session page #8876

Merged
merged 5 commits into from
Jul 29, 2020
14 changes: 7 additions & 7 deletions www/include/options/session/connected_user.php
Expand Up @@ -51,26 +51,26 @@
FILTER_SANITIZE_STRING
);

$selectedUserSid = filter_var(
$_GET['session'] ?? null, // the sessionId of the chosen user
FILTER_SANITIZE_STRING
$selectedUserId = filter_var(
$_GET['user'] ?? null, // the sessionId of the chosen user
sc979 marked this conversation as resolved.
FILTER_VALIDATE_INT
);

$currentPage = filter_var(
$_GET['p'] ?? $_POST['p'] ?? 0,
FILTER_VALIDATE_INT
);

if ($selectedUserSid) {
if ($selectedUserId) {
$msg = new CentreonMsg();
$msg->setTextStyle("bold");
$msg->setTimeOut("3");

switch ($action) {
// logout action
case KICK_USER:
$stmt = $pearDB->prepare("DELETE FROM session WHERE session_id = :userSessionId");
$stmt->bindValue(':userSessionId', $selectedUserSid, \PDO::PARAM_STR);
$stmt = $pearDB->prepare("DELETE FROM session WHERE user_id = :userId");
$stmt->bindValue(':userId', $selectedUserId, \PDO::PARAM_INT);
$stmt->execute();
$msg->setText(_("User kicked"));
break;
Expand Down Expand Up @@ -122,7 +122,7 @@
if ($centreon->user->admin) {
// adding the link to be able to kick the user
$session_data[$cpt]["actions"] =
"<a href='./main.php?p=" . $p . "&o=k&session=" . $r['session_id'] . "'>" .
"<a href='./main.php?p=" . $p . "&o=k&user=" . $r['user_id'] . "'>" .
sc979 marked this conversation as resolved.
"<img src='./img/icons/delete.png' border='0' alt='" . _("Kick User") .
"' title='" . _("Kick User") . "'>" .
"</a>";
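Review bot: The inline comment on the new `$_GET['user']` line still reads "the sessionId of the chosen user" although the value is now validated as an integer user id; it should become `// the user_id of the chosen user`. Because FILTER_VALIDATE_INT yields false for a missing or non-numeric parameter and the later `if ($selectedUserId)` guard is a truthiness test, a value of 0 is also skipped; passing `['options' => ['min_range' => 1]]` to filter_var would make that intent explicit instead of incidental. The KICK_USER branch now deletes every session row matching the user_id rather than one session, so an admin who submits their own id ends their own session too, which deserves a short comment if intended. The kick link is only rendered under `$centreon->user->admin`, but nothing in the first hunk shows the DELETE branch verifying that the requester is an admin; if that check lives outside the hunk this is fine, otherwise it belongs before the prepare call. The switch and the enclosing script continue outside both hunks.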