port "remember me" from Friendica
This commit is contained in:
friendica
@@ -4,6 +4,9 @@
|
||||
require_once('include/security.php');
|
||||
|
||||
function nuke_session() {
|
||||
|
||||
new_cookie(0);
|
||||
|
||||
unset($_SESSION['authenticated']);
|
||||
unset($_SESSION['account_id']);
|
||||
unset($_SESSION['uid']);
|
||||
@@ -61,14 +64,14 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
|
||||
goaway(z_root());
|
||||
}
|
||||
|
||||
if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {
|
||||
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
|
||||
intval($_SESSION['visitor_id'])
|
||||
);
|
||||
if(count($r)) {
|
||||
$a->contact = $r[0];
|
||||
}
|
||||
}
|
||||
// if(x($_SESSION,'visitor_id') && (! x($_SESSION,'uid'))) {
|
||||
// $r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
|
||||
// intval($_SESSION['visitor_id'])
|
||||
// );
|
||||
// if(count($r)) {
|
||||
// $a->contact = $r[0];
|
||||
// }
|
||||
// }
|
||||
|
||||
if(x($_SESSION,'uid') || x($_SESSION,'account_id')) {
|
||||
|
||||
@@ -83,35 +86,30 @@ if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-p
|
||||
goaway(z_root());
|
||||
}
|
||||
|
||||
if(x($_SESSION,'account_id')) {
|
||||
$r = q("select * from account where account_id = %d limit 1",
|
||||
intval($_SESSION['account_id'])
|
||||
);
|
||||
if(count($r) && (($r[0]['account_flags'] == ACCOUNT_OK) || ($r[0]['account_flags'] == ACCOUNT_UNVERIFIED))) {
|
||||
get_app()->account = $r[0];
|
||||
authenticate_success($r[0]);
|
||||
}
|
||||
else {
|
||||
$_SESSION['account_id'] = 0;
|
||||
nuke_session();
|
||||
goaway(z_root());
|
||||
$r = q("select * from account where account_id = %d limit 1",
|
||||
intval($_SESSION['account_id'])
|
||||
);
|
||||
|
||||
if(($r) && (($r[0]['account_flags'] == ACCOUNT_OK) || ($r[0]['account_flags'] == ACCOUNT_UNVERIFIED))) {
|
||||
get_app()->account = $r[0];
|
||||
$login_refresh = false;
|
||||
if(! x($_SESSION,'last_login_date')) {
|
||||
$_SESSION['last_login_date'] = datetime_convert('UTC','UTC');
|
||||
}
|
||||
if(strcmp(datetime_convert('UTC','UTC','now - 12 hours'), $_SESSION['last_login_date']) > 0 ) {
|
||||
$_SESSION['last_login_date'] = datetime_convert();
|
||||
$login_refresh = true;
|
||||
}
|
||||
authenticate_success($r[0], false, false, false, $login_refresh);
|
||||
}
|
||||
else {
|
||||
$r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
|
||||
FROM `user` WHERE `uid` = %d AND `blocked` = 0
|
||||
AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
|
||||
intval($_SESSION['uid'])
|
||||
);
|
||||
}
|
||||
|
||||
if(! count($r)) {
|
||||
$_SESSION['account_id'] = 0;
|
||||
nuke_session();
|
||||
goaway(z_root());
|
||||
}
|
||||
|
||||
authenticate_success($r[0]);
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
|
||||
@@ -159,18 +157,6 @@ else {
|
||||
|
||||
logger('authenticate: ' . print_r(get_app()->account,true));
|
||||
|
||||
|
||||
// process normal login request
|
||||
|
||||
// $r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey`
|
||||
// FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
|
||||
// AND `password` = '%s' AND `blocked` = 0 AND `account_expired` = 0 AND `verified` = 1 LIMIT 1",
|
||||
// dbesc(trim($_POST['username'])),
|
||||
// dbesc(trim($_POST['username'])),
|
||||
// dbesc($encrypted)
|
||||
// );
|
||||
// if(count($r))
|
||||
// $record = $r[0];
|
||||
}
|
||||
|
||||
if((! $record) || (! count($record))) {
|
||||
@@ -179,9 +165,39 @@ else {
|
||||
goaway(z_root());
|
||||
}
|
||||
|
||||
// If the user specified to remember the authentication, then change the cookie
|
||||
// to expire after one year (the default is when the browser is closed).
|
||||
// If the user did not specify to remember, change the cookie to expire when the
|
||||
// browser is closed. The reason this is necessary is because if the user
|
||||
// specifies to remember, then logs out and logs back in without specifying to
|
||||
// remember, the old "remember" cookie may remain and prevent the session from
|
||||
// expiring when the browser is closed.
|
||||
//
|
||||
// It seems like I should be able to test for the old cookie, but for some reason when
|
||||
// I read the lifetime value from session_get_cookie_params(), I always get '0'
|
||||
// (i.e. expire when the browser is closed), even when there's a time expiration
|
||||
// on the cookie
|
||||
|
||||
if($_POST['remember']) {
|
||||
new_cookie(31449600); // one year
|
||||
}
|
||||
else {
|
||||
new_cookie(0); // 0 means delete on browser exit
|
||||
}
|
||||
|
||||
// if we haven't failed up this point, log them in.
|
||||
|
||||
$_SESSION['last_login_date'] = datetime_convert();
|
||||
authenticate_success($record, true, true);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
function new_cookie($time) {
|
||||
$old_sid = session_id();
|
||||
session_set_cookie_params("$time");
|
||||
session_regenerate_id(false);
|
||||
|
||||
q("UPDATE session SET sid = '%s' WHERE sid = '%s'", dbesc(session_id()), dbesc($old_sid));
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user