Question

I am trying to include CKFinder in my PHP web site. I found the official docs:

<?php

session_start(); // needed before $_SESSION can be used

$_SESSION['IsAuthorized'] = TRUE; // simple user authorized

$finder = new \CKFinder();
$finder->BasePath = 'http://bow.loc/web/libs/ckfinder2/';
$finder->Create();

But for it to work I need to make changes in the config.php file:

<?php

session_start();

/**
 * This function must check the user session to be sure that he/she is
 * authorized to upload and access files in the File Browser.
 *
 * @return boolean
 */
function CheckAuthentication()
{
    // WARNING : DO NOT simply return "true". By doing so, you are allowing
    // "anyone" to upload and list the files in your server. You must implement
    // some kind of session validation here. Even something very simple as...
    //
    // ... where $_SESSION['IsAuthorized'] is set to "true" as soon as the
    // user logs in your system. To be able to use session variables don't
    // forget to add session_start() at the top of this file.
    return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized'];
}

// other code...

And I don't want to simply return TRUE for security reasons; I want to use the SESSION. But the problem is that I can't do this, because the $finder->Create(); method returns HTML code that opens the ckfinder.html page directly in an IFRAME, so the session in my framework and the session in CKFinder are different, and return isset($_SESSION['IsAuthorized']) && $_SESSION['IsAuthorized']; returns FALSE! So my question is:

How can I pass the session with the user's auth from my framework to CKFinder and do the security validation in it for an authorized user? Thanks very much for the help!


Solution

For a secure CKFinder, you need to add the following to the action:

$this->getRequest()->getSession()->set('AllowCKFinder', TRUE); // Allow to use CKFinder

And then modify the config.php file of CKFinder with the following code:

function CheckAuthentication()
{
    session_start();
    $status = FALSE;

    // session_id() comes from the client's cookie and is used below to build a
    // file path, so accept only the characters PHP itself uses for session ids.
    if ( ! preg_match('/^[A-Za-z0-9,-]+$/', session_id())) {
        return FALSE;
    }

    // Look for the flag in the framework's session file (prod first, then dev).
    // Match the exact serialized entry, so a flag stored as false (b:0) or a
    // value that merely contains the word "AllowCKFinder" does not pass.
    foreach (array('prod', 'dev') as $env) {
        $file = dirname(__FILE__) .'/../../../app/cache/'. $env .'/sessions/sess_'. session_id();
        if (file_exists($file)) {
            $status = (bool)preg_match('/"AllowCKFinder";b:1;/', file_get_contents($file));
        }
        if ($status) {
            break;
        }
    }

    return $status;
}
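An alternative to pattern-matching the raw file, added here as an example and not part of the answer or of CKFinder: point PHP's own session handler at the framework's session directory so it decodes the file, then check the flag with a strict comparison. It assumes Symfony 2 file sessions (sess_<id> files, attribute bag under the `_sf2_attributes` key), PHP's default `php` serialize handler, and that CKFinder receives the same session cookie; the session ids and file contents below are constructed fixtures.

```php
<?php
// Added example (not the answer's or CKFinder's code). Instead of grepping the raw
// session file, let PHP's own session handler decode Symfony's file, then test the
// flag with a strict comparison. Assumes Symfony 2 file sessions (sess_<id> under
// app/cache/<env>/sessions, attribute bag stored under _sf2_attributes), PHP's
// default "php" serialize handler, and CKFinder receiving the same session cookie.

function ckfinderSessionAllows($savePath, $sessionId)
{
    // session_id() comes from the client cookie and becomes part of a file name,
    // so accept only the character set PHP itself uses for session ids.
    if (!preg_match('/^[A-Za-z0-9,-]{16,128}$/', $sessionId)) {
        return false;
    }
    if (!is_file($savePath . '/sess_' . $sessionId)) {
        return false; // no such session: not logged in, or already expired
    }
    session_save_path($savePath); // the framework's directory, not PHP's default
    session_id($sessionId);
    if (!session_start()) {
        return false;
    }
    $attrs = isset($_SESSION['_sf2_attributes']) ? $_SESSION['_sf2_attributes'] : array();
    session_abort(); // read-only: never rewrite the framework's session file
    // Only boolean true grants access: b:0, and a string that merely contains
    // "AllowCKFinder" (which /AllowCKFinder/i would accept), are both rejected.
    return isset($attrs['AllowCKFinder']) && $attrs['AllowCKFinder'] === true;
}

// Constructed fixtures in Symfony's serialized layout, written to a temp directory.
$dir = sys_get_temp_dir() . '/ckfinder-session-demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$fixtures = array(
    'allowed'   => '_sf2_attributes|a:1:{s:13:"AllowCKFinder";b:1;}_sf2_flashes|a:0:{}',
    'denied'    => '_sf2_attributes|a:1:{s:13:"AllowCKFinder";b:0;}_sf2_flashes|a:0:{}',
    'lookalike' => '_sf2_attributes|a:1:{s:4:"note";s:13:"AllowCKFinder";}_sf2_flashes|a:0:{}',
);
$results = array();
foreach ($fixtures as $name => $contents) {
    $id = 'ckfinderdemo' . $name . '00000001'; // constructed id, one file per case
    file_put_contents($dir . '/sess_' . $id, $contents);
    $results[$name] = ckfinderSessionAllows($dir, $id);
    unlink($dir . '/sess_' . $id);
}
$results['missing']   = ckfinderSessionAllows($dir, 'nosuchsessionid000000000');
$results['traversal'] = ckfinderSessionAllows($dir, '../../etc/passwd');
// Print only after all session work, since session_start() must precede any output.
var_dump($results);
```

Run it from the command line; in a real config.php you would call the function with the framework's sessions directory and session_id() instead of the fixtures.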

Original post here

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow