author | Dan McGee <dan@archlinux.org> | 2011-03-01 09:24:34 -0600 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-03-04 10:29:13 +0100 |
commit | 984ce9529c926c884136780d017ae90f0b82b54b (patch) | |
tree | 1c8019f8153798848c279f9e1e660b83ed6c8de2 | |
parent | 90485e8f422cec6d23af38574a53705fa7de008b (diff) |
Improve cookie handling
* Remove comment that is mostly bogus — the domain is automatically set.
* When logging out, don't delete the language cookie.
* Make the language cookie persistent.
* Use the minimal time possible to expire cookies; no need to compute
anything.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/logout.php | 5 | ||||
-rw-r--r-- | web/lib/aur.inc | 20 |
2 files changed, 11 insertions, 14 deletions
diff --git a/web/html/logout.php b/web/html/logout.php
index 14c652e..95cf460 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -14,8 +14,9 @@ if (isset($_COOKIE["AURSID"])) {
 $q = "DELETE FROM Sessions WHERE SessionID = '";
 $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 db_query($q, $dbh);
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
- setcookie("AURLANG", "", time() - (60*60*24*30), "/");
+ # setting expiration to 1 means '1 second after midnight January 1, 1970'
+ setcookie("AURSID", "", 1, "/");
+ unset($_COOKIE['AURSID']);
 }
 clear_expired_sessions();
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index acf6a40..e7aaa1f 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -12,12 +12,6 @@
 include_once("config.inc");
 include_once("version.inc");
 include_once("acctfuncs.inc");
-# TODO do we need to set the domain on cookies? I seem to remember some
-# security concerns about not using domains - but it's not like
-# we really care if another site can see what language/SID a user
-# is using...
-
-
 # see if the visitor is already logged in
 #
 function check_sid() {
@@ -48,18 +42,16 @@ function check_sid() {
 # clear out the hacker's cookie, and send them to a naughty page
 # why do you have to be so harsh on these people!?
 #
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ setcookie("AURSID", "", 1, "/");
 unset($_COOKIE['AURSID']);
 } elseif ($failed == 2) {
- # visitor's session id either doesn't exist, or the timeout
- # was reached and they must login again, send them back to
- # the main page where they can log in again.
+ # session id timeout was reached and they must login again.
 #
 $q = "DELETE FROM Sessions WHERE SessionID = '";
 $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
 db_query($q, $dbh);
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ setcookie("AURSID", "", 1, "/");
 unset($_COOKIE['AURSID']);
 } else {
 # still logged in and haven't reached the timeout, go ahead
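Review bot: The expiring `setcookie("AURSID", "", 1, "/")` only removes the browser's session cookie if its path and domain match the cookie that was originally set; how AURSID is issued at login is not visible in this diff, so confirm it is set with path "/" and no domain attribute, otherwise the browser keeps the live cookie and only the server-side row is revoked. The one-second-after-epoch trick itself is fine and cheaper than the old arithmetic. A short comment at the logout site, such as `# path must match the path used when AURSID was set or the browser keeps the old cookie`, would record that constraint for the next person who changes either side. The surrounding if-block is shown in full but the rest of logout.php is outside this hunk.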
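Review bot: The rewritten comment in the `$failed == 2` branch now says only that the timeout was reached, yet the branch still deletes the Sessions row by the cookie's SID, which the old comment explained also covers a session that no longer exists; the code that assigns `$failed` lies outside this hunk, so if both cases still land here the comment should say so, e.g. `# session id doesn't exist or its timeout was reached; they must login again.` The same two-line clear sequence (`setcookie("AURSID", "", 1, "/"); unset($_COOKIE['AURSID']);`) now appears twice in check_sid() and once in logout.php; a small `clear_session_cookie()` helper in aur.inc would keep the expiry and path attributes in one place so a future change to the cookie's attributes cannot leave one site clearing a cookie the browser no longer matches. check_sid()'s body begins before and ends after this hunk.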
@@ -257,6 +249,7 @@ function set_lang() {
 global $_t;
 global $LANG;
 global $SUPPORTED_LANGS;
+ global $PERSISTENT_COOKIE_TIMEOUT;
 $update_cookie = 0;
 if (isset($_REQUEST['setlang'])) {
@@ -271,6 +264,8 @@ function set_lang() {
 $LANG = $_COOKIE['AURLANG'];
 } elseif (isset($_COOKIE["AURSID"])) {
+ # No language but a session; use default lang preference
+ #
 $dbh = db_connect();
 $q = "SELECT LangPreference FROM Users, Sessions ";
 $q.= "WHERE Users.ID = Sessions.UsersID ";
@@ -291,7 +286,8 @@ function set_lang() {
 }
 if ($update_cookie) {
- setcookie("AURLANG", $LANG, 0, "/");
+ $cookie_time = time() + $PERSISTENT_COOKIE_TIMEOUT;
+ setcookie("AURLANG", $LANG, $cookie_time, "/");
 }
 if ($LANG != "en" ) { |
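Review bot: `$cookie_time = time() + $PERSISTENT_COOKIE_TIMEOUT;` silently degrades if the new global is not defined in config.inc, which this diff does not touch: an undefined variable evaluates to null, the sum collapses to `time()`, and the AURLANG cookie expires on arrival, so confirm config.inc defines `$PERSISTENT_COOKIE_TIMEOUT` in the same change set. Because the cookie now persists for a long period, the value written from `$LANG` should only ever be a member of `$SUPPORTED_LANGS`; the validation of `$_REQUEST['setlang']` happens between the visible hunks and is not shown here, so verify it rejects anything outside that list before `$update_cookie` is set. A comment at the setcookie site such as `# AURLANG is persistent; $LANG must already be validated against $SUPPORTED_LANGS` would make the contract explicit. set_lang() begins before the first hunk and continues after the last one.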