Changeset 1622
- Timestamp:
- Dec 1, 2006, 1:48:49 AM (17 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 2 edited
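--- a/trunk/include/functions_user.inc.php
+++ b/trunk/include/functions_user.inc.php
@@ -629,4 +629,26 @@
 }
 
+/**
+ * returns the auto login key or false on error
+ * @param int user_id
+ */
+function calculate_auto_login_key($user_id)
+{
+global $conf;
+$query = '
+SELECT '.$conf['user_fields']['username'].' AS username
+, '.$conf['user_fields']['password'].' AS password
+FROM '.USERS_TABLE.'
+WHERE '.$conf['user_fields']['id'].' = '.$user_id;
+$result = pwg_query($query);
+if (mysql_num_rows($result) > 0)
+{
+$row = mysql_fetch_assoc($result);
+$key = sha1( $row['username'].$row['password'] );
+return $key;
+}
+return false;
+}
+
 /*
 * Performs all required actions for user login
@@ -641,28 +663,14 @@
 if ($remember_me)
 {
-// search for an existing auto_login_key
-$query = '
-SELECT auto_login_key
-FROM '.USERS_TABLE.'
-WHERE '.$conf['user_fields']['id'].' = '.$user_id.'
-;';
-
-$auto_login_key = current(mysql_fetch_assoc(pwg_query($query)));
-if (empty($auto_login_key))
-{
-$auto_login_key = base64_encode(md5(uniqid(rand(), true)));
-$query = '
-UPDATE '.USERS_TABLE.'
-SET auto_login_key=\''.$auto_login_key.'\'
-WHERE '.$conf['user_fields']['id'].' = '.$user_id.'
-;';
-pwg_query($query);
-}
-$cookie = array('id' => $user_id, 'key' => $auto_login_key);
-setcookie($conf['remember_me_name'],
-serialize($cookie),
-time()+$conf['remember_me_length'],
-cookie_path()
+$key = calculate_auto_login_key($user_id);
+if ($key!==false)
+{
+$cookie = array('id' => (int)$user_id, 'key' => $key);
+setcookie($conf['remember_me_name'],
+serialize($cookie),
+time()+$conf['remember_me_length'],
+cookie_path()
 );
+}
 }
 else
@@ -671,5 +679,6 @@
 }
 if ( session_id()!="" )
-{ // this can happpen when the session is expired and auto_login
+{ // we regenerate the session for security reasons
+// see http://www.acros.si/papers/session_fixation.pdf
 session_regenerate_id();
 }
@@ -678,5 +687,5 @@
 session_start();
 }
-$_SESSION['pwg_uid'] = $user_id;
+$_SESSION['pwg_uid'] = (int)$user_id;
 
 $user['id'] = $_SESSION['pwg_uid'];
@@ -692,23 +701,15 @@
 if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
 {
-// must remove slash added in include/common.inc.php
 $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
-
-$query = '
-SELECT auto_login_key
-FROM '.USERS_TABLE.'
-WHERE '.$conf['user_fields']['id'].' = '.$cookie['id'].'
-;';
-
-$auto_login_key = current(mysql_fetch_assoc(pwg_query($query)));
-if ($auto_login_key == $cookie['key'])
-{
-log_user($cookie['id'], true);
-return true;
-}
-else
-{
-setcookie($conf['remember_me_name'], '', 0, cookie_path());
-}
+if ($cookie!==false)
+{
+$key = calculate_auto_login_key($cookie['id']);
+if ($key!==false and $key===$cookie['key'])
+{
+log_user($cookie['id'], true);
+return true;
+}
+}
+setcookie($conf['remember_me_name'], '', 0, cookie_path());
 }
 return false;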
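Review bot: `calculate_auto_login_key()` concatenates `$user_id` directly into the `WHERE` clause, and in the last hunk it is called with `$cookie['id']` taken straight from the unserialized cookie, so the new lookup runs with an unvalidated cookie value in the SQL string; the `(int)` cast added where the cookie is written does not cover this read path. Cast inside the function, `WHERE '.$conf['user_fields']['id'].' = '.(int)$user_id;`, and check the cookie shape before use, `if (is_array($cookie) and isset($cookie['id'], $cookie['key']))`, since `unserialize()` of cookie data can return any type and `$cookie!==false` only rules out a parse failure. The key is `sha1(username.password)`, a fixed function of the stored credential columns, so a captured cookie presumably stays valid until the password changes; a docblock line such as `* the key only rotates when username or password changes` would make that lifetime explicit for maintainers. The enclosing functions `log_user()` and `auto_login()` start outside the hunks.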
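--- a/trunk/install/phpwebgallery_structure.sql
+++ b/trunk/install/phpwebgallery_structure.sql
@@ -360,5 +360,4 @@
 `password` varchar(32) default NULL,
 `mail_address` varchar(255) default NULL,
-`auto_login_key` varchar(64) default NULL,
 PRIMARY KEY (`id`),
 UNIQUE KEY `users_ui1` (`username`)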