082db5e3f93eaeeaed317deb51f2673588c6741b
galt
  Fri Mar 7 16:38:26 2014 -0800
updateOne needs to use sessionKey; writeCookie needs to use the secureId instead of plain id
diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index 46edb53..5e6c30e 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -697,30 +697,32 @@
 cartDefaultDisconnector(&conn);
 return cart;
 }
 
 
 
 static void updateOne(struct sqlConnection *conn,
 	char *table, struct cartDb *cdb, char *contents, int contentSize)
 /* Update cdb in database. */
 {
 struct dyString *dy = newDyString(4096);
 sqlDyStringPrintf(dy, "UPDATE %s SET contents='", table);
 sqlDyAppendEscaped(dy, contents);
 sqlDyStringPrintf(dy, "',lastUse=now(),useCount=%d ", cdb->useCount+1);
 sqlDyStringPrintf(dy, " where id=%u", cdb->id);
+if (cartDbUseSessionKey())
+  sqlDyStringPrintf(dy, " and sessionKey='%s'", cdb->sessionKey);
 sqlUpdate(conn, dy->string);
 dyStringFree(&dy);
 }
 
 
 void cartEncodeState(struct cart *cart, struct dyString *dy)
 /* Add a CGI-encoded var=val&... string of all cart variables to dy. */
 {
 struct hashEl *el, *elList = hashElListHash(cart->hash);
 boolean firstTime = TRUE;
 char *s = NULL;
 for (el = elList; el != NULL; el = el->next)
     {
     if (!hashLookup(cart->exclude, el->name))
 	{
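Review bot: With the added `and sessionKey='%s'` predicate in updateOne, a key mismatch makes the UPDATE match no row, and nothing after `sqlUpdate(conn, dy->string);` notices, so a cart save can be dropped silently. Consider checking or logging the affected-row count when cartDbUseSessionKey() is on. A comment stating the intent would also help, e.g. `/* Require sessionKey as well as id, so knowing a numeric id is not enough to overwrite a cart. */`. `cdb->sessionKey` is passed to `%s` without a NULL check; whether it can be NULL for rows created before the column existed is not visible in this hunk and is worth confirming.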
@@ -1399,32 +1401,34 @@
 
 void cartResetInDb(char *cookieName)
 /* Clear cart in database. */
 {
 char *hguid = getCookieId(cookieName);
 char *hgsid = getSessionId();
 struct sqlConnection *conn = cartDefaultConnector();
 clearDbContents(conn, "userDb", hguid);
 clearDbContents(conn, "sessionDb", hgsid);
 cartDefaultDisconnector(&conn);
 }
 
 void cartWriteCookie(struct cart *cart, char *cookieName)
 /* Write out HTTP Set-Cookie statement for cart. */
 {
-printf("Set-Cookie: %s=%u; path=/; domain=%s; expires=%s\r\n",
-        cookieName, cart->userInfo->id, cfgVal("central.domain"), cookieDate());
+char userIdKey[256];
+cartDbSecureId(userIdKey, sizeof userIdKey, cart->userInfo);
+printf("Set-Cookie: %s=%s; path=/; domain=%s; expires=%s\r\n",
+        cookieName, userIdKey, cfgVal("central.domain"), cookieDate());
 if(geoMirrorEnabled())
     {
     // This occurs after the user has manually choosen to go back to the original site; we store redirect value into a cookie so we 
     // can use it in subsequent hgGateway requests before loading the user's cart
     char *redirect = cgiOptionalString("redirect");
     if (redirect)
         {
         printf("Set-Cookie: redirect=%s; path=/; domain=%s; expires=%s\r\n", redirect, cgiServerName(), cookieDate());
         }
     }
 }
 
 struct cart *cartForSession(char *cookieName, char **exclude,
                             struct hash *oldVars)
 /* This gets the cart without writing any HTTP lines at all to stdout. */
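Review bot: In cartWriteCookie the cookie value now carries the secure id, which makes it a bearer credential for the cart, yet the Set-Cookie line still has no `HttpOnly` or `Secure` attribute. If no client-side script needs to read this cookie, end the format string with `expires=%s; HttpOnly\r\n`, and add `; Secure` where the site is served only over HTTPS. The result of `cartDbSecureId(userIdKey, sizeof userIdKey, cart->userInfo);` is not checked, so a truncated or empty key would be sent as is; its contract is not visible here. Separately, the unchanged `redirect` branch below writes the CGI parameter into a Set-Cookie header verbatim, so it should be validated or encoded (rejecting CR/LF and `;`) before printing.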