>From 8b461c1d4c0fbc4f8c51522ccbb7677756ad5abb Mon Sep 17 00:00:00 2001
From: Loui Chang <[EMAIL PROTECTED]>
Date: Thu, 13 Nov 2008 18:51:43 -0500
Subject: [PATCH] Make remembered sessions actually save themselves.

Clean up a notice in index.php

Signed-off-by: Loui Chang <[EMAIL PROTECTED]>
---
 web/html/index.php    |    5 +++--
 web/lib/acctfuncs.inc |   15 ++++++++++++---
 web/lib/aur.inc       |   17 +++++++++++++----
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/web/html/index.php b/web/html/index.php
index c7847f2..a712e4d 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -11,6 +11,7 @@ set_lang();
 check_sid();
 
 html_header( __("Home") );
+
 $dbh = db_connect();
 
 ?>
@@ -56,8 +57,8 @@ echo __(
 </td>
 <td class='boxSoft' valign='top'>
 <?php
-$user = username_from_sid($_COOKIE["AURSID"]);
-if (!empty($user)) {
+if (!empty($_COOKIE["AURSID"])) {
+       $user = username_from_sid($_COOKIE["AURSID"]);
        user_table($user, $dbh);
        echo '<br />';
 }
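Review bot: The new guard on the `if` line tests only that an AURSID cookie is present, not that it maps to a user: `username_from_sid()` on a stale or forged cookie presumably returns an empty value, and `user_table($user, $dbh)` is then called with it, which the old `!empty($user)` check prevented. Keeping both checks avoids the notice and the empty-user call: `$user = !empty($_COOKIE["AURSID"]) ? username_from_sid($_COOKIE["AURSID"]) : '';` followed by `if (!empty($user)) {`. A cookie's presence should never be treated as proof of a valid session; only the lookup result is.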
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index d0b6b0a..b43e0be 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -632,24 +632,33 @@ function try_login() {
                                $q = "INSERT INTO Sessions (UsersID, SessionID, 
LastUpdateTS)"
                                  ." VALUES ( $userID, '" . $new_sid . "', 
UNIX_TIMESTAMP())";
                                $result = db_query($q, $dbh);
+
                                # Query will fail if $new_sid is not unique
-                               #
                                if ($result) {
                                        $logged_in = 1;
                                        break;
                                }
+
                                $num_tries++;
                        }
+
                        if ($logged_in) {
                                # set our SID cookie
 
-                               if ($_POST['remember_me'] == "on")
+                               if ($_POST['remember_me'] == "on") {
                                        # Set cookies for 30 days.
                                        $cookie_time = time() + (60 * 60 * 24 * 
30);
+
+                                       # Set session for 30 days.
+                                       $q = "UPDATE Sessions SET LastUpdateTS 
= $cookie_time ";
+                                       $q.= "WHERE SessionID = '$new_sid'";
+                                       db_query($q, $dbh);
+                               }
                                else
                                        $cookie_time = 0;
+
+                               echo "$new_sid:$cookie_time";
                                setcookie("AURSID", $new_sid, $cookie_time, 
"/");
-#                              header("Location: /index.php");
                                header("Location: " . 
$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
                                $login_error = "";
 
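Review bot: The added `echo "$new_sid:$cookie_time";` just before setcookie() writes the freshly issued session id into the response body, and any output before setcookie()/header() makes both fail with "headers already sent" unless output buffering happens to be on, so the cookie and the redirect can silently not happen; this looks like leftover debugging and should be removed. The remember-me branch interpolates `$cookie_time` and `$new_sid` into the UPDATE; both are generated server-side from time() and the sid generator, so this is not user-controlled here, but it departs from the mysql_real_escape_string() style used for the same column elsewhere in this patch. `$_POST['remember_me'] == "on"` still raises a notice when the checkbox is absent; `if (isset($_POST['remember_me']) && $_POST['remember_me'] == "on") {` avoids it. try_login() begins and ends outside this hunk.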
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index d08ff0c..e43ddf6 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -86,10 +86,12 @@ function check_sid() {
                        $failed = 1;
                } else {
                        $row = mysql_fetch_row($result);
-                       if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) {
+                       $last_update = $row[0];
+                       if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
                                $failed = 2;
                        }
                }
+
                if ($failed == 1) {
                        # clear out the hacker's cookie, and send them to a 
naughty page
                        # why do you have to be so harsh on these people!?
@@ -110,10 +112,17 @@ function check_sid() {
                } else {
                        # still logged in and haven't reached the timeout, go 
ahead
                        # and update the idle timestamp
+
+                       # Only update the timestamp if it is less than the
+                       # current time plus $LOGIN_TIMEOUT.
                        #
-                       $q = "UPDATE Sessions SET LastUpdateTS = 
UNIX_TIMESTAMP() ";
-                       $q.= "WHERE SessionID = 
'".mysql_real_escape_string($_COOKIE["AURSID"])."'";
-                       db_query($q, $dbh);
+                       # This keeps 'remembered' sessions from being
+                       # overwritten.
+                       if ($last_update < time() + $LOGIN_TIMEOUT) {
+                               $q = "UPDATE Sessions SET LastUpdateTS = 
UNIX_TIMESTAMP() ";
+                               $q.= "WHERE SessionID = 
'".mysql_real_escape_string($_COOKIE["AURSID"])."'";
+                               db_query($q, $dbh);
+                       }
                }
        }
        return;
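Review bot: The new skip condition `if ($last_update < time() + $LOGIN_TIMEOUT)` compares a timestamp written by the database (UNIX_TIMESTAMP(), or the PHP time() value stored by try_login for remembered sessions) against PHP's time(), while the expiry test earlier in check_sid compares against `$row[1]`, which presumably is the database clock; if the web and database hosts disagree on the time, a remembered session can be refreshed early or an ordinary one left stale. Using the same clock for both tests, `if ($last_update < $row[1] + $LOGIN_TIMEOUT) {`, removes that dependency. The fact that a LastUpdateTS in the future is what marks a "remember me" session is only implicit; a comment such as `# A LastUpdateTS in the future marks a 'remember me' session (set in try_login).` would make the coupling visible to whoever next touches either function. check_sid() starts outside this hunk.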
-- 
1.6.0.4
