From 4702f8e9dbcfb050f75bde11dd04b06008e6b3b2 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Fri, 3 Jan 2025 11:57:26 -0800
Subject: [PATCH 01/11] Remove PHPSESSID from URLs; 8.4 support
Signed by Shawn Bulen, bulens@pacbell.net
---
 Sources/QueryString.php | 48 +++++++++++------------------------
 Sources/Session.php | 2 --
 Sources/Subs.php | 34 ++++++++---------------------
 3 files changed, 21 insertions(+), 63 deletions(-)
diff --git a/Sources/QueryString.php b/Sources/QueryString.php
index e981258a8db..a9f9633c438 100644
--- a/Sources/QueryString.php
+++ b/Sources/QueryString.php
@@ -633,13 +633,9 @@ function htmltrim__recursive($var, $level = 0)
 /**
 * Rewrite URLs to include the session ID.
 * What it does:
- * - rewrites the URLs outputted to have the session ID, if the user
- * is not accepting cookies and is using a standard web browser.
 * - handles rewriting URLs for the queryless URLs option.
 * - can be turned off entirely by setting $scripturl to an empty
 * string, ''. (it wouldn't work well like that anyway.)
- * - because of bugs in certain builds of PHP, does not function in
- * versions lower than 4.3.0 - please upgrade if this hurts you.
 *
 * @param string $buffer The unmodified output buffer
 * @return string The modified buffer 
@@ -648,47 +644,27 @@ function ob_sessrewrite($buffer)
 {
 global $scripturl, $modSettings, $context;
- // PHP 8.4 deprecated SID. A better long-term solution is needed, but this works for now.
- $sid = defined('SID') ? @constant('SID') : null;
-
- // If $scripturl is set to nothing, or the SID is not defined (SSI?) just quit.
- if ($scripturl == '' || !isset($sid))
+ // If $scripturl is set to nothing, just quit.
+ if ($scripturl == '')
 return $buffer;
- // Do nothing if the session is cookied, or they are a crawler - guests are caught by redirectexit(). This doesn't work below PHP 4.3.0, because it makes the output buffer bigger.
- // @todo smflib
- if (empty($_COOKIE) && $sid != '' && !isBrowser('possibly_robot'))
- $buffer = preg_replace('/(?
Date: Fri, 3 Jan 2025 13:34:20 -0800
Subject: [PATCH 02/11] Don't write sessions when cookies are not present
Signed by Shawn Bulen, bulens@pacbell.net
---
 Sources/Session.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Sources/Session.php b/Sources/Session.php
index ba01b4d801d..fec23a2a930 100644
--- a/Sources/Session.php
+++ b/Sources/Session.php
@@ -174,6 +174,10 @@ public function write(/*PHP 8.0 string*/$id,/*PHP 8.0 string */ $data): bool
 {
 global $smcFunc;
+ // Don't both writing the session if cookies are diabled; no way to retrieve it later
+ if (empty($_COOKIE))
+ return true;
+
 if (!$this->isValidSessionID($id))
 return false;
From 68249495ff29520baa9259500670bb2de920da05 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Tue, 7 Jan 2025 10:17:29 -0800
Subject: [PATCH 03/11] Remove PHPSESSID from URLs; PHP 8.4 support
Signed by Shawn Bulen, bulens@pacbell.net
---
 Sources/QueryString.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Sources/QueryString.php b/Sources/QueryString.php
index a9f9633c438..8b9a4aa7fd5 100644
--- a/Sources/QueryString.php
+++ b/Sources/QueryString.php 
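Review bot: The new early return in write() uses `empty($_COOKIE)` as the signal that the client cannot keep a session, but that test is imprecise in both directions: any unrelated cookie for the host makes the array non-empty while the session cookie itself may still be blocked, and on a client's very first request the array is legitimately empty because the Set-Cookie from this same response has not been stored yet, so whatever that first request put into the session is silently dropped (if a login or CSRF token is generated while rendering that first page, the follow-up POST would then fail validation — worth confirming against the token flow). Checking for the session cookie specifically, `if (!isset($_COOKIE[session_name()])) return true;`, at least ties the decision to the cookie the next request actually needs. The `return true` also deserves a comment saying why success is reported without writing, so it is not read as a swallowed error later; write() continues outside the hunk.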
@@ -631,7 +631,7 @@ function htmltrim__recursive($var, $level = 0)
 }
 /**
- * Rewrite URLs to include the session ID.
+ * Handles rewriting URLs for the queryless URLs option.
 * What it does:
 * - handles rewriting URLs for the queryless URLs option.
 * - can be turned off entirely by setting $scripturl to an empty
From fd1b2df18e1421522b9c22df39f7f8daaee8b423 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Tue, 7 Jan 2025 14:37:54 -0800
Subject: [PATCH 04/11] Don't write sessions when cookies are not present
Signed by Shawn Bulen, bulens@pacbell.net
---
 Sources/Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Sources/Session.php b/Sources/Session.php
index fec23a2a930..0ef7c4d7d33 100644
--- a/Sources/Session.php
+++ b/Sources/Session.php
@@ -174,7 +174,7 @@ public function write(/*PHP 8.0 string*/$id,/*PHP 8.0 string */ $data): bool
 {
 global $smcFunc;
- // Don't both writing the session if cookies are diabled; no way to retrieve it later
+ // Don't bother writing the session if cookies are diabled; no way to retrieve it later
 if (empty($_COOKIE))
 return true;
From 3cb82c89fa628efee7d3cec90bd60fa6f8fa58a1 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Mon, 13 Jan 2025 12:22:01 -0800
Subject: [PATCH 05/11] Don't write sessions when cookies are not present
Signed by Shawn Bulen, bulens@pacbell.net
---
 Sources/Session.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Sources/Session.php b/Sources/Session.php
index 0ef7c4d7d33..a9ce737671a 100644
--- a/Sources/Session.php
+++ b/Sources/Session.php
@@ -174,7 +174,7 @@ public function write(/*PHP 8.0 string*/$id,/*PHP 8.0 string */ $data): bool
 {
 global $smcFunc;
- // Don't bother writing the session if cookies are diabled; no way to retrieve it later
+ // Don't bother writing the session if cookies are disabled; no way to retrieve it later
 if (empty($_COOKIE))
 return true;
From 86599b9f38582a4adab88ca3c2c43ed91d77f111 Mon Sep 17 00:00:00 2001 
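Review bot: The new summary line `* Handles rewriting URLs for the queryless URLs option.` now repeats the first bullet under `What it does:` word for word, so one of them should go; keeping the summary and dropping the bullet leaves the list with the single remaining item about disabling via `$scripturl`, which reads fine. Since this series removes the session-ID rewriting, a one-line remark in the docblock such as `* Session IDs are no longer appended to URLs (SID is deprecated as of PHP 8.4); cookies are required.` would stop the old behaviour from being reintroduced by someone going by the function name `ob_sessrewrite`. The function body is outside this hunk.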
From: Shawn Bulen
Date: Tue, 29 Apr 2025 13:21:11 -0700
Subject: [PATCH 06/11] Ensure cookies are enabled at login
Signed-off-by: Shawn Bulen
---
 Sources/LogInOut.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/Sources/LogInOut.php b/Sources/LogInOut.php
index b4586ae3951..a3111d86b79 100644
--- a/Sources/LogInOut.php
+++ b/Sources/LogInOut.php
@@ -217,8 +217,12 @@ function Login2()
 redirectexit();
 // Are you guessing with a script?
- checkSession();
- validateToken('login');
+ // If cookies are disallowed, session & token checks will fail
+ if (!empty($_COOKIE))
+ {
+ checkSession();
+ validateToken('login');
+ }
 spamProtection('login');
 // Set the login_url if it's not already set (but careful not to send us to an attachment).
@@ -235,7 +239,7 @@ function Login2()
 elseif (!empty($_POST['cookielength']) && ($_POST['cookielength'] >= 1 && $_POST['cookielength'] <= 3153600))
 $modSettings['cookieTime'] = (int) $_POST['cookielength'];
- loadLanguage('Login');
+ loadLanguage('Login+Errors');
 // Load the template stuff.
 loadTemplate('Login');
 $context['sub_template'] = 'login';
@@ -256,6 +260,13 @@ function Login2()
 'name' => $txt['login'],
 );
+ // Cookies are required...
+ if (empty($_COOKIE))
+ {
+ $context['login_errors'] = array($txt['login_cookie_error']);
+ return;
+ }
+
 // You forgot to type your username, dummy!
 if (!isset($_POST['user']) || $_POST['user'] == '')
 {
From be8c65910c37f26687b8897aca31bdb63fe552c2 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Tue, 29 Apr 2025 16:26:20 -0700
Subject: [PATCH 07/11] Posts require cookies to be enabled
Signed-off-by: Shawn Bulen
---
 Sources/Post.php | 4 ++++
 Themes/default/languages/Errors.english.php | 1 +
 2 files changed, 5 insertions(+)
diff --git a/Sources/Post.php b/Sources/Post.php
index 293eb44c508..bf35254e7cc 100644
--- a/Sources/Post.php
+++ b/Sources/Post.php 
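Review bot: Making `checkSession()` and `validateToken('login')` conditional in the first hunk while the actual cookie rejection only happens in the third hunk leaves a window in which a cookie-less POST still runs `spamProtection('login')`, still sets `$modSettings['cookieTime']` from `$_POST['cookielength']`, and is only then turned away; conditional session/CSRF checks are also the kind of guard that gets widened by accident later. Rejecting first keeps the checks unconditional: place `if (empty($_COOKIE)) fatal_lang_error('login_cookie_error', false);` ahead of them, as the Post/Register/Search hunks in this series do with `func_cookie_error`, and drop the `!empty($_COOKIE)` wrapper; if the inline `$context['login_errors']` presentation is preferred, the rejection can still precede the checks provided `loadLanguage('Login+Errors')` and `loadTemplate('Login')` are moved ahead of it as well. Note that `empty($_COOKIE)` is only a proxy: a browser that sends some other cookie for this host but not the session cookie passes the new test and then fails `checkSession()` with the generic message rather than `login_cookie_error`. Login2() starts and ends outside these hunks.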
@@ -42,6 +42,10 @@ function Post($post_errors = array())
 if (isset($_REQUEST['poll']) && !empty($topic) && !isset($_REQUEST['msg']))
 unset($_REQUEST['poll']);
+ // You cannot post at all, even with guest posts allowed, with cookies disabled
+ if (empty($_COOKIE))
+ fatal_lang_error('func_cookie_error', false);
+
 // Posting an event?
 $context['make_event'] = isset($_REQUEST['calendar']);
 $context['robot_no_index'] = true;
diff --git a/Themes/default/languages/Errors.english.php b/Themes/default/languages/Errors.english.php
index 805f1616aaf..2ca2c2d4dc7 100644
--- a/Themes/default/languages/Errors.english.php
+++ b/Themes/default/languages/Errors.english.php
@@ -143,6 +143,7 @@ $txt['delFirstPost'] = 'You are not allowed to delete the first post in a topic.
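Review bot: The guard `if (empty($_COOKIE)) fatal_lang_error('func_cookie_error', false);` added here is duplicated in the Register.php hunk and, with an extra captcha condition, in the Search.php hunk; a single helper such as `requireCookies()` would keep the definition of "cookies enabled" in one place, which matters because `empty($_COOKIE)` accepts any cookie for the host as proof while the session cookie — the one the later session and token checks depend on — may still be absent, and `isset($_COOKIE[session_name()])` is the closer test. The comment on the new lines says guest posting is blocked too; that is a behaviour change for boards that allow guest posts and deserves a line in the release notes or admin documentation. `fatal_lang_error` is called before any language file is loaded in the visible lines, so it presumably loads Errors itself — worth confirming the new `func_cookie_error` string resolves here. Post() starts and ends outside the hunk.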

If you want to delete this topic, click on the Remove Topic link, or ask a moderator/administrator to do it for you.

';
 $txt['parent_error'] = 'Unable to create board!';
 $txt['login_cookie_error'] = 'You were unable to login. Please check your cookie settings.';
+$txt['func_cookie_error'] = 'This function requires cookies enabled. Please check your cookie settings.';
 $txt['login_ssl_required'] = 'You can only login via HTTPS';
 $txt['register_ssl_required'] = 'You can only register via HTTPS';
 $txt['incorrect_answer'] = 'Sorry, but you did not answer your question correctly. Please click back to try again, or click back twice to use the default method of obtaining your password.';
From 4abdccbc0436ab0e7c887ca8ff982575d1afdc45 Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Tue, 29 Apr 2025 16:46:33 -0700
Subject: [PATCH 08/11] Registration requires cookies
Signed-off-by: Shawn Bulen
---
 Sources/Register.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Sources/Register.php b/Sources/Register.php
index ef32677cc20..3997db1135a 100644
--- a/Sources/Register.php
+++ b/Sources/Register.php
@@ -36,6 +36,10 @@ function Register($reg_errors = array())
 if (!empty($modSettings['registration_method']) && $modSettings['registration_method'] == '3')
 fatal_lang_error('registration_disabled', false);
+ // You cannot register with cookies disabled
+ if (empty($_COOKIE))
+ fatal_lang_error('func_cookie_error', false);
+
 // If this user is an admin - redirect them to the admin registration page.
 if (allowedTo('moderate_forum') && !$user_info['is_guest'])
 redirectexit('action=admin;area=regcenter;sa=register');
From 966ec811720c02e76985f41734436d0fb15bb3ab Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Tue, 29 Apr 2025 16:56:25 -0700
Subject: [PATCH 09/11] Search with captcha requires cookies
Signed-off-by: Shawn Bulen
---
 Sources/Search.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Sources/Search.php b/Sources/Search.php
index 10e9058fc87..3ef92550c5e 100644
--- a/Sources/Search.php
+++ b/Sources/Search.php 
@@ -34,6 +34,10 @@ function PlushSearch1()
 if (!empty($context['load_average']) && !empty($modSettings['loadavg_search']) && $context['load_average'] >= $modSettings['loadavg_search'])
 fatal_lang_error('loadavg_search_disabled', false);
+ // You cannot search with cookies disabled when captcha is required for guest searches
+ if (empty($_COOKIE) && !empty($modSettings['search_enable_captcha']))
+ fatal_lang_error('func_cookie_error', false);
+
 loadLanguage('Search');
 // Don't load this in XML mode.
 if (!isset($_REQUEST['xml']))
From 068653ec9bf19d8ee0112cdbcecb80f2e1ad686a Mon Sep 17 00:00:00 2001
From: Shawn Bulen
Date: Sun, 13 Jul 2025 20:06:18 -0700
Subject: [PATCH 10/11] Cant view likes without cookies
Signed-off-by: Shawn Bulen
---
 Themes/default/Display.template.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Themes/default/Display.template.php b/Themes/default/Display.template.php
index 4dd07997d85..4236a42d1ef 100644
--- a/Themes/default/Display.template.php
+++ b/Themes/default/Display.template.php
@@ -846,6 +846,10 @@ function template_single_post($message)
 $base .= (isset($txt[$base . $count])) ? $count : 'n';
+ // Remove link if no cookies; session reference won't work
+ if (empty($_COOKIE))
+ $txt[$base] = strtr($txt[$base], array('' => '', '' => ''));
+
 echo '