
Commit 29d6ee4d authored by elleo

Add 'Remember me option' (fixes bug #26264, thanks to Piotr Szulawski)

Use a cookie for storing authentication token instead of sessions (sessions can't reliably have their expiration time extended without globally modifying the php ini file)
Rename $u_user to $this_user for better clarity
Change all uses of $_SESSION['user'] to the existing '$this_user' variable (which also reduces the risk of stale user data being used)
Remove sessions altogether, since they're no longer being used for anything (they can be added back if anyone really wants them for something, but be aware that you'll have to recreate your session in auth.php, not just create it at login, since the PHP session is likely to expire a long time before the user's authentication token)
parent 3df1b9c5
...@@ -21,19 +21,20 @@ ...@@ -21,19 +21,20 @@
require_once('database.php'); require_once('database.php');
require_once('data/User.php'); require_once('data/User.php');
session_start(); session_start();
if(isset($_SESSION['session_id'])) { if(isset($_COOKIE['session_id'])) {
$res = $mdb2->query('SELECT username FROM Scrobble_Sessions WHERE ' $res = $mdb2->query('SELECT username FROM Scrobble_Sessions WHERE '
. 'sessionid = ' . $mdb2->quote($_SESSION['session_id'], 'text') . 'sessionid = ' . $mdb2->quote($_COOKIE['session_id'], 'text')
. ' AND expires > ' . $mdb2->quote(time(), 'integer')); . ' AND expires > ' . $mdb2->quote(time(), 'integer'));
if(PEAR::isError ($res) || !$res->numRows()) { if(PEAR::isError ($res) || !$res->numRows()) {
// Session is invalid // Session is invalid
unset($_SESSION['session_id']); setcookie('session_id', '', time() - 3600);
session_unset();
session_destroy();
} else { } else {
$logged_in = true; $logged_in = true;
$row = $res->fetchRow(MDB2_FETCHMODE_ASSOC); $row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);
$u_user = new User($row['username']); $this_user = new User($row['username']);
} }
} }
?> ?>
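Review bot: `session_start()` at the top of this hunk survives on the new side even though the commit message says PHP sessions are removed, so every request still starts a session and sends a PHPSESSID cookie for nothing; delete the call, or add a comment naming what still depends on it. The clearing branch `setcookie('session_id', '', time() - 3600);` relies on the default path and domain, which only matches the cookie issued at login if both scripts are served from the same directory; passing an explicit `'/'` path in both places removes that coupling. Whether code outside this hunk still reads `$_SESSION` cannot be seen from here.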
...@@ -37,8 +37,7 @@ if ($_REQUEST['group']=='new') ...@@ -37,8 +37,7 @@ if ($_REQUEST['group']=='new')
{ {
if ($_REQUEST['new']) if ($_REQUEST['new'])
{ {
$owner = new User($_SESSION['user']->name); Group::create($_REQUEST['new'], $this_user);
Group::create($_REQUEST['new'], $owner);
header("Location: {$base_url}/edit_group.php?group=".$_REQUEST['new']); header("Location: {$base_url}/edit_group.php?group=".$_REQUEST['new']);
exit; exit;
} }
...@@ -57,7 +56,7 @@ if ($_REQUEST['group']=='new') ...@@ -57,7 +56,7 @@ if ($_REQUEST['group']=='new')
$group = new Group($_REQUEST['group']); $group = new Group($_REQUEST['group']);
if ($group->owner->name != $_SESSION['user']->name) if ($group->owner->name != $this_user->name)
{ {
$smarty->assign('error', 'Error!'); $smarty->assign('error', 'Error!');
$smarty->assign('details', 'You don\'t own this group!'); $smarty->assign('details', 'You don\'t own this group!');
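Review bot: `Group::create($_REQUEST['new'], $this_user);` in the first hunk passes `$this_user` through unchecked, but auth.php only defines it when the cookie lookup succeeds, so an anonymous request would create a group with a null owner unless a login check above this hunk (not visible here) already stops it. Guard it explicitly, e.g. `if ($_REQUEST['new'] && isset($this_user))`. The ownership test `$group->owner->name != $this_user->name` in the second hunk happens to fail closed for a null `$this_user` but emits a notice; `!isset($this_user) || $group->owner->name != $this_user->name` states the intent. The enclosing `if ($_REQUEST['group']=='new')` block starts outside the hunk.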
......
...@@ -47,12 +47,12 @@ if (! $_GET['group']) ...@@ -47,12 +47,12 @@ if (! $_GET['group'])
$group = new Group($_GET['group']); $group = new Group($_GET['group']);
if ($_GET['action'] && $_SESSION['user']->name) if ($_GET['action'] && isset($this_user))
{ {
if ($_GET['action'] == 'join') if ($_GET['action'] == 'join')
$group->memberJoin($_SESSION['user']); $group->memberJoin($this_user);
elseif ($_GET['action'] == 'leave') elseif ($_GET['action'] == 'leave')
$group->memberLeave($_SESSION['user']); $group->memberLeave($this_user);
header("Location: " . $group->getURL()); header("Location: " . $group->getURL());
exit; exit;
...@@ -75,8 +75,8 @@ if(isset($group->name)) { ...@@ -75,8 +75,8 @@ if(isset($group->name)) {
$smarty->assign('userlist', $group->getUsers()); $smarty->assign('userlist', $group->getUsers());
$smarty->assign('ismember', $group->memberCheck($_SESSION['user'])); $smarty->assign('ismember', $group->memberCheck($this_user));
$smarty->assign('isowner', ($group->owner->name==$_SESSION['user']->name)); $smarty->assign('isowner', ($group->owner->name==$this_user->name));
$smarty->assign('link_join', $group->getURLAction('join')); $smarty->assign('link_join', $group->getURLAction('join'));
$smarty->assign('link_leave', $group->getURLAction('leave')); $smarty->assign('link_leave', $group->getURLAction('leave'));
$smarty->assign('link_edit', $base_url.'/edit_group.php?group='.$group->name); $smarty->assign('link_edit', $base_url.'/edit_group.php?group='.$group->name);
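Review bot: The second hunk dereferences `$this_user` unguarded in `$group->memberCheck($this_user)` and `$group->owner->name==$this_user->name`, while the first hunk in this file adds `isset($this_user)` before using it; for a visitor who is not logged in these lines pass null to memberCheck and read a property of a non-object. Mirror the guard: `$smarty->assign('ismember', isset($this_user) && $group->memberCheck($this_user));` and `$smarty->assign('isowner', isset($this_user) && $group->owner->name == $this_user->name);`. The join/leave handler in the first hunk still changes membership on a plain GET with no per-request token, which this commit does not introduce but becomes more relevant now that the login cookie can stay valid for a year.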
......
...@@ -24,10 +24,9 @@ require_once('database.php'); ...@@ -24,10 +24,9 @@ require_once('database.php');
require_once('templating.php'); require_once('templating.php');
require_once($install_path . '/data/User.php'); require_once($install_path . '/data/User.php');
if(isset($_SESSION['session_id']) && $_GET['action'] == 'logout') { if(isset($_COOKIE['session_id']) && $_GET['action'] == 'logout') {
session_unset(); setcookie('session_id', '', time() - 3600);
session_destroy(); header('Location: index.php');
header('Location: index.php');
} }
if(isset($_POST['login'])) { if(isset($_POST['login'])) {
...@@ -35,6 +34,7 @@ if(isset($_POST['login'])) { ...@@ -35,6 +34,7 @@ if(isset($_POST['login'])) {
$errors = ''; $errors = '';
$username = $_POST['username']; $username = $_POST['username'];
$password = $_POST['password']; $password = $_POST['password'];
$remember = $_POST['remember'];
if(empty($username)) { if(empty($username)) {
$errors .= 'You must enter a username.<br />'; $errors .= 'You must enter a username.<br />';
...@@ -52,25 +52,23 @@ if(isset($_POST['login'])) { ...@@ -52,25 +52,23 @@ if(isset($_POST['login'])) {
} else { } else {
// Give the user a session id, like any other client // Give the user a session id, like any other client
$session_id = md5(md5($password) . time()); $session_id = md5(md5($password) . time());
if(isset($remember)){
$session_time = time() + 31536000; // 1 year
} else {
$session_time = time() + 86400; // 1 day
}
$mdb2->query('INSERT INTO Scrobble_Sessions (username, sessionid, expires) VALUES (' $mdb2->query('INSERT INTO Scrobble_Sessions (username, sessionid, expires) VALUES ('
. $mdb2->quote($username, 'text') . ', ' . $mdb2->quote($username, 'text') . ', '
. $mdb2->quote($session_id, 'text') . ', ' . $mdb2->quote($session_id, 'text') . ', '
. $mdb2->quote( time() + 604800, 'integer') . ')'); . $mdb2->quote($session_time, 'integer') . ')');
setcookie('session_id', $session_id, $session_time);
$logged_in = true; $logged_in = true;
$smarty->assign('logged_in', true);
$_SESSION['user'] = new User($username);
$_SESSION['session_id'] = $session_id;
$smarty->assign('user', $_SESSION['user']);
} }
} }
} }
if(isset($logged_in) && $logged_in) { if(isset($logged_in) && $logged_in) {
// Send the user to the welcome page when they've logged in
//$smarty->display('welcome.tpl');
// Check that return URI is on this server. Prevents possible phishing uses. // Check that return URI is on this server. Prevents possible phishing uses.
if ( substr($_POST['return'], 0, 1) == '/' ) if ( substr($_POST['return'], 0, 1) == '/' )
{ header(sprintf('Location: http://%s%s', $_SERVER['SERVER_NAME'], $_POST['return'])); } { header(sprintf('Location: http://%s%s', $_SERVER['SERVER_NAME'], $_POST['return'])); }
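Review bot: The new `setcookie('session_id', $session_id, $session_time);` issues the bearer token, now valid for up to a year, without the HttpOnly or Secure flags, so it is readable by any script running in the page and is sent over plain HTTP; pass them explicitly, `setcookie('session_id', $session_id, $session_time, '/', '', !empty($_SERVER['HTTPS']), true);`. In the logout hunk above, `setcookie('session_id', '', time() - 3600);` only clears the client side while the Scrobble_Sessions row stays valid until `expires`, so a copied cookie keeps working after logout; delete that row for the cookie's sessionid before redirecting, and add `exit;` after `header('Location: index.php');`. `$remember = $_POST['remember'];` raises an undefined-index notice whenever the box is unchecked; `$remember = isset($_POST['remember']);` with `if ($remember)` avoids it. The token itself, `md5(md5($password) . time())`, is unchanged context, but extending its lifetime to a year makes its time-derived construction worth replacing with output from a cryptographic random source in a follow-up.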
......
...@@ -38,8 +38,8 @@ $smarty->assign('this_page_absolute', ...@@ -38,8 +38,8 @@ $smarty->assign('this_page_absolute',
if(isset($logged_in)) { if(isset($logged_in)) {
$smarty->assign('logged_in', true); $smarty->assign('logged_in', true);
// Pre-fix this user's details with u to avoid confusion with other users // Pre-fix this user's details with 'this_' to avoid confusion with other users
$smarty->assign('u_user', $u_user); $smarty->assign('this_user', $this_user);
} }
header("Content-Type: text/html; charset=utf-8"); header("Content-Type: text/html; charset=utf-8");
......
...@@ -11,8 +11,8 @@ ...@@ -11,8 +11,8 @@
{/section} {/section}
]; ];
{if isset($u_user)} {if isset($this_user)}
playerInit(playlist, "{$u_user->getScrobbleSession()}", false); playerInit(playlist, "{$this_user->getScrobbleSession()}", false);
{else} {else}
playerInit(playlist, false, false); playerInit(playlist, false, false);
{/if} {/if}
......
...@@ -3,12 +3,12 @@ ...@@ -3,12 +3,12 @@
<h2>Listen</h2><br /> <h2>Listen</h2><br />
{if isset($station)} {if isset($station)}
{if isset($u_user)} {if isset($this_user)}
{include file='player.tpl'} {include file='player.tpl'}
<div id='error'></div> <div id='error'></div>
<script type="text/javascript"> <script type="text/javascript">
{if isset($u_user)} {if isset($this_user)}
playerInit(false, "{$u_user->getScrobbleSession()}", "{$u_user->getRadioSession($station)}"); playerInit(false, "{$this_user->getScrobbleSession()}", "{$this_user->getRadioSession($station)}");
{/if} {/if}
</script> </script>
{else} {else}
......
...@@ -14,9 +14,13 @@ ...@@ -14,9 +14,13 @@
<label for='password'>Password<span>&nbsp;</span></label> <label for='password'>Password<span>&nbsp;</span></label>
<input id='password' name='password' type='password' value=''/> <input id='password' name='password' type='password' value=''/>
<label for='remember'>Remember me<span>&nbsp;</span></label>
<input id='remember' name='remember' type='checkbox' value='1'/>
<input type='submit' name='login' value='Let me in!' /> <input type='submit' name='login' value='Let me in!' />
<input name="return" type="hidden" value="{$return|htmlentities}" /> <input name="return" type="hidden" value="{$return|htmlentities}" />
</fieldset> </fieldset>
</form> </form>
......
<ul> <ul>
{if ($logged_in)} {if ($logged_in)}
<li><a href="{$u_user->getURL()}">{$u_user->name}</a></li> <li><a href="{$this_user->getURL()}">{$this_user->name}</a></li>
{else} {else}
<li><a href="{$base_url}/register.php">Register</a></li> <li><a href="{$base_url}/register.php">Register</a></li>
{/if} {/if}
{if ($logged_in)} {if ($logged_in)}
{if $u_user->userlevel > 0} {if $this_user->userlevel > 0}
<li><a href="/admin.php">admin</a></li> <li><a href="/admin.php">admin</a></li>
{/if} {/if}
<li><a href="{$base_url}/login.php?action=logout">Logout</a></li> <li><a href="{$base_url}/login.php?action=logout">Logout</a></li>
......
...@@ -5,8 +5,8 @@ ...@@ -5,8 +5,8 @@
{include file='player.tpl'} {include file='player.tpl'}
<script type="text/javascript"> <script type="text/javascript">
var playlist = [{ldelim}"artist" : "{$track->artist_name}", "album" : "{$track->album_name}", "track" : "{$track->name}", "url" : "{$track->streamurl}"{rdelim}]; var playlist = [{ldelim}"artist" : "{$track->artist_name}", "album" : "{$track->album_name}", "track" : "{$track->name}", "url" : "{$track->streamurl}"{rdelim}];
{if isset($u_user)} {if isset($this_user)}
playerInit(playlist, "{$u_user->getScrobbleSession()}", false); playerInit(playlist, "{$this_user->getScrobbleSession()}", false);
{else} {else}
playerInit(playlist, false, false); playerInit(playlist, false, false);
{/if} {/if}
......
...@@ -32,9 +32,6 @@ if($logged_in == false) ...@@ -32,9 +32,6 @@ if($logged_in == false)
die(); die();
} }
# Doesn't seem to work - $user = $_SESSION['user'];
$user = new User($_SESSION['user']->name);
$errors = array(); $errors = array();
if ($_POST['submit']) if ($_POST['submit'])
...@@ -107,22 +104,22 @@ if ($_POST['submit']) ...@@ -107,22 +104,22 @@ if ($_POST['submit'])
{ {
# Currently we don't allow them to change e-mail as we probably should # Currently we don't allow them to change e-mail as we probably should
# have some kind of confirmation login to do so. # have some kind of confirmation login to do so.
$user->id = $_POST['id']; $this_user->id = $_POST['id'];
$user->fullname = $_POST['fullname']; $this_user->fullname = $_POST['fullname'];
$user->homepage = $_POST['homepage']; $this_user->homepage = $_POST['homepage'];
$user->bio = $_POST['bio']; $this_user->bio = $_POST['bio'];
$user->location = $_POST['location']; $this_user->location = $_POST['location'];
$user->location_uri = $_POST['location_uri']; $this_user->location_uri = $_POST['location_uri'];
$user->avatar_uri = $_POST['avatar_uri']; $this_user->avatar_uri = $_POST['avatar_uri'];
$user->laconica_profile = $_POST['laconica_profile']; $this_user->laconica_profile = $_POST['laconica_profile'];
$user->journal_rss = $_POST['journal_rss']; $this_user->journal_rss = $_POST['journal_rss'];
if (!empty( $_POST['password_1'] )) if (!empty( $_POST['password_1'] ))
$user->password = md5($_POST['password_1']); $user->password = md5($_POST['password_1']);
$user->save(); $this_user->save();
header("Location: " . $user->getURL()); header("Location: " . $this_user->getURL());
exit; exit;
} }
...@@ -134,18 +131,18 @@ if ($_POST['submit']) ...@@ -134,18 +131,18 @@ if ($_POST['submit'])
} }
} }
if(isset($user->name)) if(isset($this_user->name))
{ {
# Stuff which cannot be changed. # Stuff which cannot be changed.
$smarty->assign("acctid", $user->acctid); $smarty->assign("acctid", $this_user->acctid);
$smarty->assign('avatar', $user->getAvatar()); $smarty->assign('avatar', $this_user->getAvatar());
$smarty->assign('user', $user->name); $smarty->assign('user', $this_user->name);
# Stuff which cannot be changed *here* # Stuff which cannot be changed *here*
$smarty->assign('userlevel', $user->userlevel); $smarty->assign('userlevel', $this_user->userlevel);
# Stuff which cannot be changed *yet* # Stuff which cannot be changed *yet*
$smarty->assign('email', $user->email); $smarty->assign('email', $this_user->email);
if ($_POST['submit']) if ($_POST['submit'])
{ {
...@@ -161,15 +158,15 @@ if(isset($user->name)) ...@@ -161,15 +158,15 @@ if(isset($user->name))
} }
else else
{ {
$smarty->assign("id", ($user->webid_uri)); $smarty->assign("id", ($this_user->webid_uri));
$smarty->assign('fullname', ($user->fullname)); $smarty->assign('fullname', ($this_user->fullname));
$smarty->assign('bio', ($user->bio)); $smarty->assign('bio', ($this_user->bio));
$smarty->assign('homepage', ($user->homepage)); $smarty->assign('homepage', ($this_user->homepage));
$smarty->assign('location', ($user->location)); $smarty->assign('location', ($this_user->location));
$smarty->assign('location_uri', ($user->location_uri)); $smarty->assign('location_uri', ($this_user->location_uri));
$smarty->assign('avatar_uri', ($user->avatar_uri)); $smarty->assign('avatar_uri', ($this_user->avatar_uri));
$smarty->assign('laconica_profile', ($user->laconica_profile)); $smarty->assign('laconica_profile', ($this_user->laconica_profile));
$smarty->assign('journal_rss', ($user->journal_rss)); $smarty->assign('journal_rss', ($this_user->journal_rss));
} }
# And display the page. # And display the page.
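Review bot: In the second hunk, `$user->password = md5($_POST['password_1']);` was left untouched while every surrounding assignment moved to `$this_user`, and the `$user = new User(...)` line it relied on is deleted in the first hunk; the new password is now written to an undefined `$user`, so `$this_user->save()` never persists it and password changes from this form silently stop working. Change it to `$this_user->password = md5($_POST['password_1']);`. The unsalted md5 storage is pre-existing and outside this change, but this line is the natural place to revisit it later. The enclosing `if ($_POST['submit'])` block starts outside the hunk.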
......
...@@ -70,7 +70,7 @@ $aUserTagCloud = TagCloud::GenerateTagCloud('Scrobbles', 'artist', 40, $user->n ...@@ -70,7 +70,7 @@ $aUserTagCloud = TagCloud::GenerateTagCloud('Scrobbles', 'artist', 40, $user->n
if (!PEAR::isError ($aUserTagCloud)) { if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud); $smarty->assign('user_tagcloud',$aUserTagCloud);
} }
$smarty->assign('isme', ($_SESSION['user']->name == $user->name)); $smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user); $smarty->assign('me', $user);
$smarty->assign('geo', Server::getLocationDetails($user->location_uri)); $smarty->assign('geo', Server::getLocationDetails($user->location_uri));
$smarty->assign('profile', true); $smarty->assign('profile', true);
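Review bot: `$smarty->assign('isme', ($this_user->name == $user->name));` reads `$this_user->name` without checking that `$this_user` exists, and auth.php only defines it for a valid login cookie, so for an anonymous visitor this raises a notice and compares null against the profile name; the same unguarded `'isme'` line appears at the equivalent position in the three following hunks. Write `$smarty->assign('isme', isset($this_user) && $this_user->name == $user->name);` in all four places. If these pages are only reachable after a login check above the hunk, which is not visible here, the guard is still cheap and keeps the template input a real boolean. The enclosing `if(isset($user->name))` block starts outside the hunk.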
......
...@@ -49,7 +49,7 @@ if(isset($user->name)) { ...@@ -49,7 +49,7 @@ if(isset($user->name)) {
if (!PEAR::isError ($aUserTagCloud)) { if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud); $smarty->assign('user_tagcloud',$aUserTagCloud);
} }
$smarty->assign('isme', ($_SESSION['user']->name == $user->name)); $smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user); $smarty->assign('me', $user);
$smarty->assign('profile', true); $smarty->assign('profile', true);
......
...@@ -50,7 +50,7 @@ if(isset($user->name)) { ...@@ -50,7 +50,7 @@ if(isset($user->name)) {
if (!PEAR::isError ($aUserTagCloud)) { if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud); $smarty->assign('user_tagcloud',$aUserTagCloud);
} }
$smarty->assign('isme', ($_SESSION['user']->name == $user->name)); $smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user); $smarty->assign('me', $user);
$smarty->assign('profile', true); $smarty->assign('profile', true);
......
...@@ -56,7 +56,7 @@ if(isset($user->name)) { ...@@ -56,7 +56,7 @@ if(isset($user->name)) {
$smarty->assign('me', $user); $smarty->assign('me', $user);
$smarty->assign('geo', Server::getLocationDetails($user->location_uri)); $smarty->assign('geo', Server::getLocationDetails($user->location_uri));
$smarty->assign('isme', ($_SESSION['user']->name == $user->name)); $smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('stats', true); $smarty->assign('stats', true);
$smarty->display('user-stats.tpl'); $smarty->display('user-stats.tpl');
......