clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Improved "remember me" functionality

This commit is contained in:
Michael Vogel 2016-04-25 00:02:43 +02:00 committed by Roland Haeder
parent 829e7ace06
commit da7040efd4
No known key found for this signature in database
GPG Key ID: B72F8185C6C7BD78
1 changed files with 36 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
include/auth.php
View File

@ -10,6 +10,30 @@ function nuke_session() {
session_unset(); session_unset();
} }
// When the "Friendica" cookie is set, take the value to authenticate and renew the cookie.
if(isset($_COOKIE["Friendica"])) {
$data = json_decode($_COOKIE["Friendica"]);
if (isset($data->uid)) {
$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
FROM `user` WHERE `uid` = %d AND `blocked` = 0 AND `account_expired` = 0 AND `account_removed` = 0 AND `verified` = 1 LIMIT 1",
intval($data->uid)
);
if ($r) {
// Renew the cookie
new_cookie(604800, json_encode(array("uid" => $r[0]["uid"], "ip" => $_SERVER['REMOTE_ADDR'])));
// Do the authentification if not done by now
if(!isset($_SESSION) OR !isset($_SESSION['authenticated'])) {
authenticate_success($r[0], false, false, false);
if (get_config('system','paranoia'))
$_SESSION['addr'] = $data->ip;
}
}
}
}
// login/logout // login/logout
@ -155,30 +179,20 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
$record = $r[0]; $record = $r[0];
} }
if((! $record) || (! count($record))) { if (!$record || !count($record)) {
logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']); logger('authenticate: failed login attempt: ' . notags(trim($_POST['username'])) . ' from IP ' . $_SERVER['REMOTE_ADDR']);
notice( t('Login failed.') . EOL ); notice( t('Login failed.') . EOL );
goaway(z_root()); goaway(z_root());
} }
// If the user specified to remember the authentication, then change the cookie // If the user specified to remember the authentication, then set a cookie
// to expire after one year (the default is when the browser is closed). // that expires after one week (the default is when the browser is closed).
// If the user did not specify to remember, change the cookie to expire when the // The cookie will be renewed automatically.
// browser is closed. The reason this is necessary is because if the user // The week ensures that sessions will expire after some inactivity.
// specifies to remember, then logs out and logs back in without specifying to if($_POST['remember'])
// remember, the old "remember" cookie may remain and prevent the session from new_cookie(604800, json_encode(array("uid" => $r[0]["uid"], "ip" => $_SERVER['REMOTE_ADDR'])));
// expiring when the browser is closed. else
//
// It seems like I should be able to test for the old cookie, but for some reason when
// I read the lifetime value from session_get_cookie_params(), I always get '0'
// (i.e. expire when the browser is closed), even when there's a time expiration
// on the cookie
if($_POST['remember']) {
new_cookie(31449600); // one year
}
else {
new_cookie(0); // 0 means delete on browser exit new_cookie(0); // 0 means delete on browser exit
}
// if we haven't failed up this point, log them in. // if we haven't failed up this point, log them in.
@ -187,12 +201,12 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
} }
} }
function new_cookie($time) { function new_cookie($time, $value = "") {
if ($time != 0) if ($time != 0)
$time = $time + time(); $time = $time + time();
$params = session_get_cookie_params(); setcookie("Friendica", $value, $time);
setcookie(session_name(), session_id(), $time, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
return; return;
} }