
I am trying to include CKFinder in my PHP web site. I found the official docs:

<?php

// Assumed include of the CKFinder 2 connector; the path follows the BasePath
// below and is not part of the original docs snippet.
require_once 'libs/ckfinder2/ckfinder.php';

// The session must be started before $_SESSION can be written.
session_start();
$_SESSION['IsAuthorized'] = TRUE; // simple user authorized

$finder = new \CKFinder();
$finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
$finder->Create();

But for it to work I need to make changes in the config.php file:

<?php

session_start();

/**
 * This function must check the user session to be sure that he/she is
 * authorized to upload and access files in the File Browser.
 *
 * @return boolean
 */
function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as...

    // return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
    return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];

    // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    // user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.

    return FALSE;
}

// other code...

And I don't want to simply return TRUE for security reasons; I want to use the SESSION. But the problem is that I can't do this, because the $finder->Create(); method returns HTML code that opens the ckfinder.html page directly in an IFRAME, so the session in my framework and the session in CKFinder are different, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; returns FALSE! So my question is:

How can I pass the session with the user auth from my framework to CKFinder and do the security validation in it for the authorized user? Thanks very much for your help!

Victor Bocharsky
  • It would probably be helpful to know which framework you are using. – kevindeleon Mar 31 '14 at 15:03
  • Do you use session_start() in config.php? – gabrieloliveira Mar 31 '14 at 15:03
  • @gabrieloliveira Yes, I added `session_start()` at the top of `config.php` – Victor Bocharsky Mar 31 '14 at 15:05
  • @kevindeleon Now I use `Symfony`, but it also doesn't work in other frameworks, because the sessions are different – Victor Bocharsky Mar 31 '14 at 15:07
  • Can't you pass a parameter to the $finder object with the value of $_SESSION['IsAuthorized'] and check this value in CheckAuthentication()? – gabrieloliveira Mar 31 '14 at 15:34
  • @gabrieloliveira I can, but I think it does not help; CKFinder is opening in an iframe directly as a static file `ckfinder.html`, and I don't understand why and how it works. – Victor Bocharsky Mar 31 '14 at 15:46
  • It is strange that the session is not the same. Did you check whether the iframe URL is the same, including or excluding "www."? – gabrieloliveira Mar 31 '14 at 17:26
  • @gabrieloliveira I use the same domain without `www.` in both cases. And in the framework I see the session values, but in the `config.php` file the session is an empty array. – Victor Bocharsky Mar 31 '14 at 17:38
  • I really can't help. I tested here and it works fine. At first it didn't work because I wrote $_SESSION['isAuthorized'] with 'i'; I changed this and it works, the sessions are the same. I checked your session name and nothing is different. So I can't see what is wrong. I tested this too, and both ways work, but try putting session_start() before instantiating the $finder object. – gabrieloliveira Mar 31 '14 at 20:33
  • @gabrieloliveira Hm, it's strange! I tried to include it in a single PHP file for a test, and it works. I think the problem is with including it in Symfony, but I don't know what exactly. Maybe because Symfony uses namespaces ( – Victor Bocharsky Apr 01 '14 at 07:33
  • I tested a little more, and I think that Symfony destroys the session at the end of the framework execution. So CKFinder already starts a new session. What can I do in this case? – Victor Bocharsky Apr 01 '14 at 07:42
  • @kevindeleon Sorry, I think you were right and the problem is in my framework – Victor Bocharsky Apr 01 '14 at 07:46

1 Answer


To secure CKFinder, you need to add this to the action:

$this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder

And then modify the config.php file of CKFinder with the following code:

function CheckAuthentication()
{
    // Only start a session if the top of config.php has not already done so;
    // a second session_start() raises a notice.
    if (session_id() === '') {
        session_start();
    }
    $status = FALSE;

    // Symfony keeps its sessions under app/cache/<env>/sessions as
    // "sess_<id>", where <id> is the session id shared through the cookie.
    // Accept only the characters PHP itself uses in session ids, so the
    // cookie value can never become a path component.
    $sid = session_id();
    if ( ! preg_match('/^[A-Za-z0-9,-]+$/', $sid)) {
        return FALSE;
    }

    // Look in prod first, then dev, as in the original answer.
    foreach (array('prod', 'dev') as $env) {
        $file = dirname(__FILE__) .'/../../../app/cache/'. $env .'/sessions/sess_'. $sid;
        if (file_exists($file)) {
            // Match the serialized attribute with value true
            // (s:13:"AllowCKFinder";b:1;), not just the key name, which
            // would also match a session where AllowCKFinder is false.
            $status = (bool)preg_match('/"AllowCKFinder";b:1;/', file_get_contents($file));
        }
        if ($status) {
            break;
        }
    }

    return $status;
}

Original post here

Victor Bocharsky
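As an added example (not code from the question, the answer, CKFinder or Symfony), the following script covers both the situation in the question (CKFinder's config.php runs with its own session, so it has to find the framework's session data by the shared session id) and the file-based bridge in the answer, but it decodes the Symfony session file with session_decode() instead of grepping it, so only a flag that is actually boolean true grants access. Assumptions: Symfony 2's default native file handler writing app/cache/<env>/sessions/sess_<id>, PHP's default "php" session serialize handler, PHP 5.4+ for session_status(), and the helper names (isValidSessionId, symfonyAttributesFromSessionData, flagGrantsAccess, sessionFileAllowsCKFinder) are mine.

```php
<?php
// Added example, not code from the original post, CKFinder or Symfony.
// Reads the Symfony session file for the shared session id and grants
// access only when AllowCKFinder is boolean true.

// Accept only the characters PHP itself uses in session ids, so a cookie
// value can never add path components to the file name built below.
function isValidSessionId($sid)
{
    return is_string($sid) && preg_match('/^[A-Za-z0-9,-]{1,256}$/', $sid) === 1;
}

// Decode raw session data (format: key|serialized_value ...) written by the
// "php" serialize handler and return Symfony's "_sf2_attributes" bag, or an
// empty array when the data cannot be decoded. session_decode() needs an
// active session and writes into $_SESSION, so the caller's $_SESSION is
// saved and restored around the call.
function symfonyAttributesFromSessionData($raw)
{
    $saved = isset($_SESSION) ? $_SESSION : array();
    $_SESSION = array();
    $attrs = array();
    if (session_decode($raw) && isset($_SESSION['_sf2_attributes'])
        && is_array($_SESSION['_sf2_attributes'])) {
        $attrs = $_SESSION['_sf2_attributes'];
    }
    $_SESSION = $saved;
    return $attrs;
}

// True only when the flag exists and is boolean true ("1", "true" or 0 fail).
function flagGrantsAccess(array $attrs)
{
    return isset($attrs['AllowCKFinder']) && $attrs['AllowCKFinder'] === true;
}

// Locate sess_<id> under $sessionDir and evaluate the decoded flag.
function sessionFileAllowsCKFinder($sessionDir, $sid)
{
    if (!isValidSessionId($sid)) {
        return false;
    }
    $file = rtrim($sessionDir, '/') . '/sess_' . $sid;
    if (!is_file($file)) {
        return false;
    }
    $raw = (string) file_get_contents($file);
    return flagGrantsAccess(symfonyAttributesFromSessionData($raw));
}

// Drop-in replacement for CheckAuthentication() in CKFinder's config.php
// (same cache layout and prod-then-dev lookup order as the answer).
function CheckAuthentication()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    foreach (array('prod', 'dev') as $env) {
        $dir = dirname(__FILE__) . '/../../../app/cache/' . $env . '/sessions';
        if (sessionFileAllowsCKFinder($dir, session_id())) {
            return true;
        }
    }
    return false;
}

// Stand-alone demonstration (run with: php this_file.php). Two constructed
// session payloads, one with the flag true and one with it false. The
// answer's key-name regex passes both; the decoded check passes only the first.
if (PHP_SAPI === 'cli') {
    ini_set('session.use_cookies', '0');
    session_start();
    $payloads = array(
        'AllowCKFinder=true'  => '_sf2_attributes|' . serialize(array('AllowCKFinder' => true)),
        'AllowCKFinder=false' => '_sf2_attributes|' . serialize(array('AllowCKFinder' => false)),
    );
    foreach ($payloads as $label => $raw) {
        $regex  = preg_match('/AllowCKFinder/i', $raw) === 1;
        $strict = flagGrantsAccess(symfonyAttributesFromSessionData($raw));
        printf("%-20s regex=%s strict=%s\n", $label,
            var_export($regex, true), var_export($strict, true));
    }
}
```

When copying CheckAuthentication() into config.php, drop the CLI block at the end. The check still relies on both applications using the same session cookie name and on that cookie being sent to CKFinder's path; if the framework uses a different session handler or serialize format, session_decode() returns false and the function denies access rather than guessing.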