summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorEvan Prodromou <evan@prodromou.name>2008-12-09 12:04:13 -0500
committerEvan Prodromou <evan@prodromou.name>2008-12-09 12:04:13 -0500
commited440c734e45de01183d885e8750c173fc20a726 (patch)
treeb9f646f569042a5cf2dc79d0df7a347d88cb881d /lib
parenta61c7546c896bb8df4b1ce6cf864b128d7fe0ecc (diff)
better error reporting for rememberme cookie handling
rememberme cookies are probably the most complained-about parts of the system. We use "weak", one-use, low-info cookies that don't allow changing settings like passwords or email addresses. This change adds some better error-reporting to the rememberme function. Hopefully we'll find out if there are other rm problem. darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz
Diffstat (limited to 'lib')
-rw-r--r--lib/util.php84
1 files changed, 58 insertions, 26 deletions
diff --git a/lib/util.php b/lib/util.php
index 259ea7a96..0e0198ee3 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -620,33 +620,65 @@ function common_rememberme($user=NULL) {
}
function common_remembered_user() {
+
$user = NULL;
- # Try to remember
- $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : '';
- if ($packed) {
- list($id, $code) = explode(':', $packed);
- if ($id && $code) {
- $rm = Remember_me::staticGet($code);
- if ($rm && ($rm->user_id == $id)) {
- $user = User::staticGet($rm->user_id);
- if ($user) {
- # successful!
- $result = $rm->delete();
- if (!$result) {
- common_log_db_error($rm, 'DELETE', __FILE__);
- $user = NULL;
- } else {
- common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
- common_set_user($user->nickname);
- common_real_login(false);
- # We issue a new cookie, so they can log in
- # automatically again after this session
- common_rememberme($user);
- }
- }
- }
- }
- }
+
+ $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL;
+
+ if (!$packed) {
+ return NULL;
+ }
+
+ list($id, $code) = explode(':', $packed);
+
+ if (!$id || !$code) {
+ common_warning('Malformed rememberme cookie: ' . $packed);
+ common_forgetme();
+ return NULL;
+ }
+
+ $rm = Remember_me::staticGet($code);
+
+ if (!$rm) {
+ common_warning('No such remember code: ' . $code);
+ common_forgetme();
+ return NULL;
+ }
+
+ if ($rm->user_id != $id) {
+ common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id);
+ common_forgetme();
+ return NULL;
+ }
+
+ $user = User::staticGet($rm->user_id);
+
+ if (!$user) {
+ common_warning('No such user for rememberme: ' . $rm->user_id);
+ common_forgetme();
+ return NULL;
+ }
+
+ # successful!
+ $result = $rm->delete();
+
+ if (!$result) {
+ common_log_db_error($rm, 'DELETE', __FILE__);
+ common_warning('Could not delete rememberme: ' . $code);
+ common_forgetme();
+ return NULL;
+ }
+
+ common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
+
+ common_set_user($user->nickname);
+ common_real_login(false);
+
+ # We issue a new cookie, so they can log in
+ # automatically again after this session
+
+ common_rememberme($user);
+
return $user;
}