sub cgi_getsession ($) { #{{{
my $q=shift;
- eval q{use CGI::Session};
+ eval q{use CGI::Session; use HTML::Entities};
error($@) if $@;
- CGI::Session->name("ikiwiki_session_".encode_utf8($config{wikiname}));
+ CGI::Session->name("ikiwiki_session_".encode_entities($config{wikiname}));
my $oldmask=umask(077);
my $session = eval {
return $session;
} #}}}
+# The session id is stored on the form and checked to
+# guard against CSRF. But only if the user is logged in,
+# as anonok can allow anonymous edits.
+sub checksessionexpiry ($$) { # {{{
+ my $session = shift;
+ my $sid = shift;
+
+ if (defined $session->param("name")) {
+ if (! defined $sid || $sid ne $session->id) {
+ error(gettext("Your login session has expired."));
+ }
+ }
+} # }}}
+
sub cgi_savesession ($) { #{{{
my $session=shift;
sipb-www / ikiwiki.git / blobdiff