diff options
author | Evan Prodromou <evan@prodromou.name> | 2008-12-09 12:04:13 -0500 |
---|---|---|
committer | Evan Prodromou <evan@prodromou.name> | 2008-12-09 12:04:13 -0500 |
commit | ed440c734e45de01183d885e8750c173fc20a726 (patch) | |
tree | b9f646f569042a5cf2dc79d0df7a347d88cb881d /lib | |
parent | a61c7546c896bb8df4b1ce6cf864b128d7fe0ecc (diff) |
better error reporting for rememberme cookie handling
rememberme cookies are probably the most complained-about parts of the
system. We use "weak", one-use, low-info cookies that don't allow
changing settings like passwords or email addresses.
This change adds some better error-reporting to the rememberme
function. Hopefully we'll find out if there are other rm problem.
darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz
Diffstat (limited to 'lib')
-rw-r--r-- | lib/util.php | 84 |
1 files changed, 58 insertions, 26 deletions
diff --git a/lib/util.php b/lib/util.php index 259ea7a96..0e0198ee3 100644 --- a/lib/util.php +++ b/lib/util.php @@ -620,33 +620,65 @@ function common_rememberme($user=NULL) { } function common_remembered_user() { + $user = NULL; - # Try to remember - $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : ''; - if ($packed) { - list($id, $code) = explode(':', $packed); - if ($id && $code) { - $rm = Remember_me::staticGet($code); - if ($rm && ($rm->user_id == $id)) { - $user = User::staticGet($rm->user_id); - if ($user) { - # successful! - $result = $rm->delete(); - if (!$result) { - common_log_db_error($rm, 'DELETE', __FILE__); - $user = NULL; - } else { - common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code); - common_set_user($user->nickname); - common_real_login(false); - # We issue a new cookie, so they can log in - # automatically again after this session - common_rememberme($user); - } - } - } - } - } + + $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL; + + if (!$packed) { + return NULL; + } + + list($id, $code) = explode(':', $packed); + + if (!$id || !$code) { + common_warning('Malformed rememberme cookie: ' . $packed); + common_forgetme(); + return NULL; + } + + $rm = Remember_me::staticGet($code); + + if (!$rm) { + common_warning('No such remember code: ' . $code); + common_forgetme(); + return NULL; + } + + if ($rm->user_id != $id) { + common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id); + common_forgetme(); + return NULL; + } + + $user = User::staticGet($rm->user_id); + + if (!$user) { + common_warning('No such user for rememberme: ' . $rm->user_id); + common_forgetme(); + return NULL; + } + + # successful! + $result = $rm->delete(); + + if (!$result) { + common_log_db_error($rm, 'DELETE', __FILE__); + common_warning('Could not delete rememberme: ' . $code); + common_forgetme(); + return NULL; + } + + common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code); + + common_set_user($user->nickname); + common_real_login(false); + + # We issue a new cookie, so they can log in + # automatically again after this session + + common_rememberme($user); + return $user; } |