How to include CKFinder2 in a PHP page with SESSION security?


Question

I am trying to include CKFinder in my PHP web site. I found the official docs:

<?php

$_SESSION['IsAuthorized'] = TRUE; // simple user authorized

$finder = new \CKFinder();
$finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
$finder->Create();

But for it to work I need to make changes in the config.php file:

<?php

session_start();

/**
 * This function must check the user session to be sure that he/she is
 * authorized to upload and access files in the File Browser.
 *
 * @return boolean
 */
function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as...

    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];

    // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    // user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.

    return FALSE;
}

// other code...

And I don't want to simply return TRUE, for security reasons; I want to use SESSION. But the problem is that I can't do this, because the $finder->Create(); method returns HTML code that opens the ckfinder.html page directly in the IFRAME, so the session in my framework and the session in CKFinder are different, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; returns FALSE! So my question is:

How can I pass the session with user auth from my framework to CKFinder and do security validation in it for the authorized user? Thanks very much for the help!

Recommended answer

To secure CKFinder, you need to add to the action:

$this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder

And then modify the config.php file of CKFinder with the following code:

function CheckAuthentication()
{
    session_start();
    $status = FALSE;
    $file = dirname(__FILE__) .'/../../../app/cache/prod/sessions/sess_'. session_id();
    if (file_exists($file)) {
        $status = (bool)preg_match('/AllowCKFinder/i', file_get_contents($file));
    }
    if ( ! $status) {
        $file = dirname(__FILE__) .'/../../../app/cache/dev/sessions/sess_'. session_id();
        if (file_exists($file)) {
            $status = (bool)preg_match('/AllowCKFinder/i', file_get_contents($file));
        }
    }

    return $status;

    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as...

    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];

    // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    // user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.

    return false;
}
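
A stricter form of the session-file check above, as an added example that is not part of the original answer or of CKFinder's code: it decodes the framework's session file and requires AllowCKFinder to be exactly true, instead of matching the key name anywhere in the file. The helper name sessionDataAllowsCkfinder and the '_sf2_attributes' storage key (Symfony2's attribute bag) are assumptions; the session paths are the answer's.

```php
<?php
// Added example: not CKFinder's code and not the answer's code.
// Decode raw session-file contents and require AllowCKFinder === true.
// Assumption: the framework keeps set() values under '_sf2_attributes'
// (Symfony2 attribute bag); change the key for another framework.
function sessionDataAllowsCkfinder($raw)
{
    $backup = isset($_SESSION) ? $_SESSION : array(); // CKFinder's own data
    $_SESSION = array();
    $ok = session_decode($raw);   // requires an active session
    $decoded = $_SESSION;
    $_SESSION = $backup;

    if (!$ok || !isset($decoded['_sf2_attributes'])
        || !is_array($decoded['_sf2_attributes'])) {
        return false;
    }
    $attrs = $decoded['_sf2_attributes'];
    return isset($attrs['AllowCKFinder']) && $attrs['AllowCKFinder'] === true;
}

function CheckAuthentication()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $id = session_id();
    // The id becomes part of a file path, so accept only session-id characters.
    if (!preg_match('/^[A-Za-z0-9,-]+$/', $id)) {
        return false;
    }
    // The same two session directories the answer reads.
    foreach (array('prod', 'dev') as $env) {
        $file = dirname(__FILE__) . "/../../../app/cache/$env/sessions/sess_" . $id;
        if (is_file($file) && sessionDataAllowsCkfinder(file_get_contents($file))) {
            return true;
        }
    }
    return false;
}

// Constructed session contents, checked when this file is run from the CLI.
if (PHP_SAPI === 'cli') {
    session_start();
    $granted = '_sf2_attributes|a:1:{s:13:"AllowCKFinder";b:1;}';
    $revoked = '_sf2_attributes|a:1:{s:13:"AllowCKFinder";b:0;}';
    var_dump(sessionDataAllowsCkfinder($granted), sessionDataAllowsCkfinder($revoked));
    var_dump((bool) preg_match('/AllowCKFinder/i', $revoked)); // the substring test
}
```

With the constructed samples, the substring test still matches the session whose flag is false, because the key name is present in the file; the decoded check does not.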
