Question
I am trying to include CKFinder
in my PHP web site. I found the official docs:
<?php
$_SESSION['IsAuthorized'] = TRUE; // simple user authorized
$finder = new \CKFinder();
$finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
$finder->Create();
But for it to work I need to make changes in the config.php
file:
<?php
session_start();
/**
* This function must check the user session to be sure that he/she is
* authorized to upload and access files in the File Browser.
*
* @return boolean
*/
function CheckAuthentication()
{
// WARNING : DO NOT simply return "true". By doing so, you are allowing
// "anyone" to upload and list the files in your server. You must implement
// some kind of session validation here. Even something very simple as...
// return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
// ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
// user logs in your system. To be able to use session variables don't
// forget to add session_start() at the top of this file.
}
// other code...
And I don't want to simply return TRUE,
for security reasons; I want to use the session. But the problem is that I can't do this, because the $finder->Create();
method returns HTML code that opens the ckfinder.html
page directly in an IFRAME, so the session in my framework and the session in CKFinder are different, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
returns FALSE!
So my question is:
How can I pass the session with the user's authentication from my framework to CKFinder and do security validation in it for the authorized user? Thanks very much for your help!
Answer 1:
For a secure CKFinder
, you need to add this to the action:
$this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder
And then modify the config.php
file of CKFinder with the following code:
function CheckAuthentication()
{
session_start();
$status = FALSE;
$file = dirname(__FILE__) .'/../../../app/cache/prod/sessions/sess_'. session_id();
if (file_exists($file)) {
$status = (bool)preg_match('/AllowCKFinder/i', file_get_contents($file));
}
if ( ! $status) {
$file = dirname(__FILE__) .'/../../../app/cache/dev/sessions/sess_'. session_id();
if (file_exists($file)) {
$status = (bool)preg_match('/AllowCKFinder/i', file_get_contents($file));
}
}
return $status;
// WARNING : DO NOT simply return "true". By doing so, you are allowing
// "anyone" to upload and list the files in your server. You must implement
// some kind of session validation here. Even something very simple as...
// return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
// ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
// user logs in your system. To be able to use session variables don't
// forget to add session_start() at the top of this file.
}
Original post here
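The answer above derives CKFinder's decision from a substring match over the raw session file. As an added example (not code from the original question, the answer or CKFinder), the following decodes the session file written by PHP's default `php` serialize handler and tests the exact key with a strict comparison, so a user-supplied value that merely contains the text "AllowCKFinder" (a username or a search term kept in the session) does not pass. It assumes a Symfony 2 framework, whose attribute bag is stored under the `_sf2_attributes` session key, and PHP 7.0 or newer; the file path is the one the answer's config.php already builds from session_id(). The sample session contents at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not part of the original question, answer or CKFinder.
// Decodes a session file in the "php" handler format
// (name|serialized_value name2|serialized_value ...) and checks one exact key
// instead of matching a substring anywhere in the raw file.
//
// Assumptions (not from the page): Symfony 2 keeps its attribute bag under the
// session key "_sf2_attributes"; PHP 7.0+ for unserialize() options.

/**
 * Decode "php" handler session data into an array.
 * Objects are never instantiated (allowed_classes => false).
 */
function decodePhpSessionData(string $data): array
{
    $result = [];
    $offset = 0;
    $length = strlen($data);
    while ($offset < $length) {
        $sep = strpos($data, '|', $offset);
        if ($sep === false) {
            throw new RuntimeException('Malformed session data: missing "|" separator');
        }
        $name   = substr($data, $offset, $sep - $offset);
        $offset = $sep + 1;
        $rest   = substr($data, $offset);
        $value  = @unserialize($rest, ['allowed_classes' => false]);
        if ($value === false && substr($rest, 0, 4) !== 'b:0;') {
            throw new RuntimeException("Malformed session value for key '$name'");
        }
        $result[$name] = $value;
        // unserialize() does not report how many bytes it consumed; re-serialising
        // the decoded value yields the same byte length for the scalars, arrays and
        // incomplete-class objects found in session data, so that is how we advance.
        $offset += strlen(serialize($value));
    }
    return $result;
}

/**
 * True only when the framework's attribute bag carries AllowCKFinder === true.
 * $sessionFile is the path the CKFinder config computes from session_id().
 * Any read or decode failure is treated as "not authorized".
 */
function frameworkAllowsCkfinder(string $sessionFile): bool
{
    if (!is_file($sessionFile)) {
        return false;
    }
    $raw = file_get_contents($sessionFile);
    if ($raw === false) {
        return false;
    }
    try {
        $session = decodePhpSessionData($raw);
    } catch (RuntimeException $e) {
        return false;
    }
    // "_sf2_attributes" is where Symfony 2 stores the attribute bag (assumption).
    return isset($session['_sf2_attributes']['AllowCKFinder'])
        && $session['_sf2_attributes']['AllowCKFinder'] === true;
}

// Constructed sample session contents (not real data). "granted" is a logged-in
// user with the flag set; "spoofed" has no flag but a user-supplied value that
// happens to contain the text "AllowCKFinder".
$granted = '_sf2_attributes|a:1:{s:13:"AllowCKFinder";b:1;}_sf2_flashes|a:0:{}';
$spoofed = '_sf2_attributes|a:1:{s:8:"username";s:13:"AllowCKFinder";}_sf2_flashes|a:0:{}';

foreach (['granted' => $granted, 'spoofed' => $spoofed] as $label => $data) {
    $tmp = tempnam(sys_get_temp_dir(), 'sess_');
    file_put_contents($tmp, $data);
    printf("%-8s substring match: %-5s  exact key: %s\n",
        $label,
        preg_match('/AllowCKFinder/i', $data) ? 'true' : 'false',
        frameworkAllowsCkfinder($tmp) ? 'true' : 'false');
    unlink($tmp);
}
```

In config.php, CheckAuthentication() would return frameworkAllowsCkfinder(dirname(__FILE__) . '/../../../app/cache/prod/sessions/sess_' . session_id()) after session_start(), falling back to the dev path the same way the answer does. As with the answer's check, CKFinder only sees the framework's session when its session_start() reads the same cookie name (session.name) the framework sets; with a different cookie the id is new, the file does not exist, and the function returns false rather than granting access. Re-serialising each decoded value to find the next entry assumes the round trip preserves length, which holds for the booleans, strings and arrays a session flag involves.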
Source: https://stackoverflow.com/questions/22764832/how-to-include-ckfinder2-to-the-php-page-with-session-security