ef8bc60a174ca86469cc102d18c9a8c7d3188bf9 galt Tue Feb 11 01:24:49 2014 -0800 adding random sessionKey generation
diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index a16a699..46edb53 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -212,42 +212,52 @@
 } struct cartDb *loadDb(struct sqlConnection *conn, char *table, char *secureId, boolean *found) /* Load bits from database and save in hash. */ { struct cartDb *cdb; boolean result = TRUE; cdb = cartDbLoadFromId(conn, table, secureId); if (!cdb) { result = FALSE; struct dyString *query = dyStringNew(256); sqlDyStringPrintf(query, "INSERT %s VALUES(0,'',0,now(),now(),0", table); char *sessionKey = "";
- // TODO should I be inserting a new random sessionKey value right now?
 if (cartDbHasSessionKey(conn, table))
+ {
+ if (cartDbUseSessionKey())
+ {
+ sessionKey = cartDbMakeRandomKey(128+33); // at least 128 bits of protection, 33 for the world population size.
+ }
 sqlDyStringPrintf(query, ",'%s'", sessionKey);
+ }
 sqlDyStringPrintf(query, ")"); sqlUpdate(conn, query->string); dyStringFree(&query); unsigned int id = sqlLastAutoId(conn); char newSecureId[256];
+ if (cartDbUseSessionKey() && !sameString(sessionKey,""))
 safef(newSecureId, sizeof newSecureId, "%u_%s", id, sessionKey);
+ else
+ safef(newSecureId, sizeof newSecureId, "%u", id);
 if ((cdb = cartDbLoadFromId(conn,table,newSecureId)) == NULL) errAbort("Couldn't get cartDb for id=%u right after loading. " "MySQL problem??", id);
+ if (!sameString(sessionKey,""))
+ freeMem(sessionKey);
 } *found = result; return cdb; } void cartExclude(struct cart *cart, char *var) /* Exclude var from persistent storage. */ { hashAdd(cart->exclude, var, NULL); } void sessionTouchLastUse(struct sqlConnection *conn, char *encUserName, char *encSessionName) /* Increment namedSessionDb.useCount and update lastUse for this session. */ 
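Review bot: The new code uses string emptiness as the ownership signal for `sessionKey`: the `!sameString(sessionKey,"")` tests before the `safef` and before `freeMem` only work because the literal `""` and the allocated key are told apart by content, and the `cartDbUseSessionKey() &&` in the first test is redundant since a non-empty key already implies it returned true. A flag set where the key is created makes the intent explicit and also covers a key that happens to be empty: `boolean madeKey = FALSE;` next to `char *sessionKey = "";`, `madeKey = TRUE;` after the `cartDbMakeRandomKey` call, and `if (madeKey)` in place of both `sameString` tests. If cartDbMakeRandomKey can return NULL on failure (not visible in this hunk), the `sameString` calls would dereference it, so the flag avoids that as well. Because this key becomes part of the secureId a browser later presents to claim the cart, the call site should record the source requirement, e.g. `// sessionKey is the bearer secret for this cart; cartDbMakeRandomKey must draw from a cryptographic RNG`.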
@@ -562,30 +572,31 @@
 time_t seconds = clock1(); struct tm *theTime = localtime(&seconds); strftime(nowBuf, sizeof nowBuf, "%Y-%m-%d %H:%M:%S", theTime); return cloneString(nowBuf); } static struct cartDb *emptyCartDb() /* Create a new empty placeholder cartDb. */ { struct cartDb *cdb; AllocVar(cdb); cdb->contents = cloneString(""); cdb->firstUse = now(); cdb->lastUse = now(); cdb->useCount = 1;
+// TODO does anything need to go here for sessionKey? maybe not since id is not set here.
 return cdb; } struct cart *cartFromHash(struct hash *hash) /* Create a cart from hash */ { struct cart *cart; AllocVar(cart); cart->hash = hash; cart->exclude = newHash(7); cart->userInfo = emptyCartDb(); cart->sessionInfo = emptyCartDb(); return cart; }
@@ -1211,33 +1222,31 @@
 } void cartMakeRadioButton(struct cart *cart, char *var, char *val, char *defaultVal) /* Make a radio button that is selected if cart variable exists and matches * value (or value matches default val if cart var doesn't exist). */ { boolean matches = sameString(val, cartUsualString(cart, var, defaultVal)); cgiMakeRadioButton(var, val, matches); } void cartSaveSession(struct cart *cart) /* Save session in a hidden variable. This needs to be called * somewhere inside of form or bad things will happen when user * has multiple windows open. */ {
-char buf[64];
-safef(buf, sizeof(buf), "%u", cart->sessionInfo->id);
-cgiMakeHiddenVar(sessionVar, buf);
+cgiMakeHiddenVar(sessionVar, cartSessionId(cart));
 } static void cartDumpItem(struct hashEl *hel,boolean asTable) /* Dump one item in cart hash */ { char *var = htmlEncode(hel->name); char *val = htmlEncode((char *)(hel->val)); if (asTable) { printf("<TR><TD>%s</TD><TD>", var); int width=(strlen(val)+1)*8; if (width<100) width = 100; cgiMakeTextVarWithExtraHtml(hel->name, val, width, "onchange='setCartVar(this.name,this.value);'");