aboutsummaryrefslogtreecommitdiffstats
path: root/include/functions_user.inc.php
diff options
context:
space:
mode:
authorrvelices <rv-github@modusoptimus.com>2008-07-01 02:09:21 +0000
committerrvelices <rv-github@modusoptimus.com>2008-07-01 02:09:21 +0000
commitd91d0ac444a08c664d05c00a8593fc88fbb0c605 (patch)
tree7f560292f25e68b67604def548d2db595228bb94 /include/functions_user.inc.php
parent1d3706a42171b409e9d455194ee96d3fc87479a4 (diff)
- remember me cookie security improvement (the time when the cookie was generated is saved and checked in range [now-remember_me_length; now]
- tags improvements * pass to templates all fields in table #tags (handy for plugins such as type tags) * fix issue with tag letter when first letter is accentuated (utf-8) * tags are sorted on url_name instead of name (accentuated first letter chars are the same as without accent) * better use of columns in by letter display mode git-svn-id: http://piwigo.org/svn/trunk@2409 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions_user.inc.php')
-rw-r--r--include/functions_user.inc.php54
1 files changed, 17 insertions, 37 deletions
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index 58b35e541..abbff998c 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -838,32 +838,7 @@ function get_default_template()
*/
function get_default_language()
{
- global $conf;
- if (isset($conf['browser_language']) and $conf['browser_language'])
- {
- return get_browser_language();
- }
- else
- {
- return get_default_user_value('language', PHPWG_DEFAULT_LANGUAGE);
- }
-}
-
-/*
- * Returns the browser language value
- *
- */
-function get_browser_language()
-{
- $browser_language = substr($_SERVER["HTTP_ACCEPT_LANGUAGE"], 0, 2);
- foreach (get_languages() as $language_code => $language_name)
- {
- if (substr($language_code, 0, 2) == $browser_language)
- {
- return $language_code;
- }
- }
- return PHPWG_DEFAULT_LANGUAGE;
+ return get_default_user_value('language', PHPWG_DEFAULT_LANGUAGE);
}
/**
@@ -923,7 +898,6 @@ function create_user_infos($arg_id, $override_values = null)
{
$status = 'normal';
}
- $default_user['language'] = get_default_language();
$insert = array_merge(
$default_user,
@@ -974,9 +948,10 @@ SELECT name
/**
* returns the auto login key or false on error
* @param int user_id
+ * @param time_t time
* @param string [out] username
*/
-function calculate_auto_login_key($user_id, &$username)
+function calculate_auto_login_key($user_id, $time, &$username)
{
global $conf;
$query = '
@@ -989,7 +964,7 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
{
$row = mysql_fetch_assoc($result);
$username = $row['username'];
- $data = $row['username'].$row['password'];
+ $data = $time.$row['username'].$row['password'];
$key = base64_encode(
pack('H*', sha1($data))
.hash_hmac('md5', $data, $conf['secret_key'],true)
@@ -1011,12 +986,13 @@ function log_user($user_id, $remember_me)
if ($remember_me and $conf['authorize_remembering'])
{
- $key = calculate_auto_login_key($user_id, $username);
+ $now = time();
+ $key = calculate_auto_login_key($user_id, $now, $username);
if ($key!==false)
{
- $cookie = array('id' => (int)$user_id, 'key' => $key);
+ $cookie = $user_id.'-'.$now.'-'.$key;
setcookie($conf['remember_me_name'],
- serialize($cookie),
+ $cookie,
time()+$conf['remember_me_length'],
cookie_path()
);
@@ -1049,13 +1025,17 @@ function auto_login() {
if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
{
- $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
- if ($cookie!==false and is_numeric(@$cookie['id']) )
+ $cookie = explode('-', stripslashes($_COOKIE[$conf['remember_me_name']]));
+ if ( count($cookie)===3
+ and is_numeric(@$cookie[0]) /*user id*/
+ and is_numeric(@$cookie[1]) /*time*/
+ and time()-$conf['remember_me_length']<=@$cookie[1]
+ and time()>=@$cookie[1] /*cookie generated in the past*/ )
{
- $key = calculate_auto_login_key( $cookie['id'], $username );
- if ($key!==false and $key===$cookie['key'])
+ $key = calculate_auto_login_key( $cookie[0], $cookie[1], $username );
+ if ($key!==false and $key===$cookie[2])
{
- log_user($cookie['id'], true);
+ log_user($cookie[0], true);
trigger_action('login_success', $username);
return true;
}