095a35c9955e347fc835c5ef5f534aeaabf61098 Merge parents 2dffcd6 0fb6caf galt Sun Mar 9 22:46:01 2014 -0700 Resolved merge conflict
diff --cc src/hg/lib/cart.c
index 5e6c30e,319401a..2fcc271
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@@ -1354,81 -1313,80 +1355,91 @@@ struct hashEl *cartFindPrefix(struct cart *cart, char *prefix)
/* Return list of name/val pairs from cart where name starts with * prefix. Free when done with hashElFreeList. */ { return cartFindSome(cart, prefix, startsWith); } static char *cookieDate() /* Return date string for cookie format. We'll have to * revisit this in 35 years.... */ { return "Thu, 31-Dec-2037 23:59:59 GMT"; } -static int getCookieId(char *cookieName) +static char *getCookieId(char *cookieName) /* Get id value from cookie. */ { -char *hguidString = findCookieData(cookieName); -return (hguidString == NULL ? 0 : atoi(hguidString)); +return findCookieData(cookieName); } -static int getSessionId() +static char *getSessionId() /* Get session id if any from CGI. */ { -return cgiUsualInt("hgsid", 0); +return cgiOptionalString("hgsid"); } -static void clearDbContents(struct sqlConnection *conn, char *table, unsigned id) +static void clearDbContents(struct sqlConnection *conn, char *table, char * secureId) /* Clear out contents field of row in table that matches id. */ { -char query[256]; -if (id == 0) - return; -sqlSafef(query, sizeof(query), "update %s set contents='' where id=%u", - table, id); -sqlUpdate(conn, query); +if (!secureId) + return; +struct dyString *query = dyStringNew(256); +char *sessionKey = NULL; +unsigned int id = cartDbParseId(secureId, &sessionKey); +sqlDyStringPrintf(query, "update %s set contents='' where id=%u", table, id); +if (cartDbUseSessionKey()) + { + if (!sessionKey) + sessionKey = ""; + sqlDyStringPrintf(query, " and sessionKey='%s'", sessionKey); + } +sqlUpdate(conn, query->string); +dyStringFree(&query); + + } void cartResetInDb(char *cookieName) /* Clear cart in database. 
*/ { -int hguid = getCookieId(cookieName); -int hgsid = getSessionId(); +char *hguid = getCookieId(cookieName); +char *hgsid = getSessionId(); struct sqlConnection *conn = cartDefaultConnector(); clearDbContents(conn, "userDb", hguid); clearDbContents(conn, "sessionDb", hgsid); cartDefaultDisconnector(&conn); } void cartWriteCookie(struct cart *cart, char *cookieName) /* Write out HTTP Set-Cookie statement for cart. */ { + char *domain = cfgVal("central.domain"); + if (sameWord("HTTPHOST", domain)) + { + // IE9 does not accept portnames in cookie domains + char *hostWithPort = hHttpHost(); + struct netParsedUrl npu; + netParseUrl(hostWithPort, &npu); + domain = cloneString(npu.host); + } + -printf("Set-Cookie: %s=%u; path=/; domain=%s; expires=%s\r\n", - cookieName, cart->userInfo->id, domain, cookieDate()); +char userIdKey[256]; +cartDbSecureId(userIdKey, sizeof userIdKey, cart->userInfo); +printf("Set-Cookie: %s=%s; path=/; domain=%s; expires=%s\r\n", - cookieName, userIdKey, cfgVal("central.domain"), cookieDate()); ++ cookieName, userIdKey, domain, cookieDate()); if(geoMirrorEnabled()) { // This occurs after the user has manually choosen to go back to the original site; we store redirect value into a cookie so we // can use it in subsequent hgGateway requests before loading the user's cart char *redirect = cgiOptionalString("redirect"); if (redirect) { printf("Set-Cookie: redirect=%s; path=/; domain=%s; expires=%s\r\n", redirect, cgiServerName(), cookieDate()); } } } struct cart *cartForSession(char *cookieName, char **exclude, struct hash *oldVars) /* This gets the cart without writing any HTTP lines at all to stdout. */
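Review bot: The resolved Set-Cookie line in cartWriteCookie (`++ cookieName, userIdKey, domain, cookieDate()`) now sends the value produced by cartDbSecureId, which — judging by cartDbParseId splitting it into an id and a sessionKey in clearDbContents — presumably carries a per-session secret rather than a plain row id, yet the cookie still has only path/domain/expires attributes; I would add `HttpOnly` (and `Secure` where the site is served over HTTPS) to the format string, e.g. `"Set-Cookie: %s=%s; path=/; domain=%s; expires=%s; HttpOnly\r\n"`, so script access cannot read the key. In clearDbContents the old `if (id == 0) return;` guard was dropped in the rewrite: when cartDbParseId cannot parse secureId the function now issues `update ... where id=0` (plus the sessionKey clause), harmless but a wasted round-trip, so parsing before `dyStringNew` and returning on `id == 0` would restore the previous behaviour. Two stray blank lines were also added before that function's closing brace. In the HTTPHOST branch `domain = cloneString(npu.host)` is never freed — acceptable for a one-shot CGI but worth a one-line comment — and whether netParseUrl handles the scheme-less host:port string hHttpHost appears to return is not visible in this hunk and should be confirmed.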