>From 8b461c1d4c0fbc4f8c51522ccbb7677756ad5abb Mon Sep 17 00:00:00 2001 From: Loui Chang Date: Thu, 13 Nov 2008 18:51:43 -0500 Subject: [PATCH] Make remembered sessions actually save themselves. Clean up a notice in index.php Signed-off-by: Loui Chang --- web/html/index.php | 5 +++-- web/lib/acctfuncs.inc | 15 ++++++++++++--- web/lib/aur.inc | 17 +++++++++++++---- 3 files changed, 28 insertions(+), 9 deletions(-) diff --git a/web/html/index.php b/web/html/index.php index c7847f2..a712e4d 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -11,6 +11,7 @@ set_lang(); check_sid(); html_header( __("Home") ); + $dbh = db_connect(); ?> @@ -56,8 +57,8 @@ echo __( '; } diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index d0b6b0a..b43e0be 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -632,24 +632,33 @@ function try_login() { $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())"; $result = db_query($q, $dbh); + # Query will fail if $new_sid is not unique - # if ($result) { $logged_in = 1; break; } + $num_tries++; } + if ($logged_in) { # set our SID cookie - if ($_POST['remember_me'] == "on") + if ($_POST['remember_me'] == "on") { # Set cookies for 30 days. $cookie_time = time() + (60 * 60 * 24 * 30); + + # Set session for 30 days. + $q = "UPDATE Sessions SET LastUpdateTS = $cookie_time "; + $q.= "WHERE SessionID = '$new_sid'"; + db_query($q, $dbh); + } else $cookie_time = 0; + + echo "$new_sid:$cookie_time"; setcookie("AURSID", $new_sid, $cookie_time, "/"); -# header("Location: /index.php"); header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']); $login_error = ""; diff --git a/web/lib/aur.inc b/web/lib/aur.inc index d08ff0c..e43ddf6 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc @@ -86,10 +86,12 @@ function check_sid() { $failed = 1; } else { $row = mysql_fetch_row($result); - if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) { + $last_update = $row[0]; + if ($last_update + $LOGIN_TIMEOUT <= $row[1]) { $failed = 2; } } + if ($failed == 1) { # clear out the hacker's cookie, and send them to a naughty page # why do you have to be so harsh on these people!? @@ -110,10 +112,17 @@ function check_sid() { } else { # still logged in and haven't reached the timeout, go ahead # and update the idle timestamp + + # Only update the timestamp if it is less than the + # current time plus $LOGIN_TIMEOUT. # - $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; - $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; - db_query($q, $dbh); + # This keeps 'remembered' sessions from being + # overwritten. + if ($last_update < time() + $LOGIN_TIMEOUT) { + $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; + $q.= "WHERE SessionID = '".mysql_real_escape_string($_COOKIE["AURSID"])."'"; + db_query($q, $dbh); + } } } return; -- 1.6.0.4