
Commit ab4989b8 authored by elleo's avatar elleo

Add 'Remember me option' (fixes bug #26264, thanks to Piotr Szulawski)

Use a cookie for storing authentication token instead of sessions (sessions can't reliably have their expiration time extended without globally modifying the php ini file)
Rename $u_user to $this_user for better clarity
Change all uses of $_SESSION['user'] to the existing '$this_user' variable (which also reduces the risk of stale user data being used elsewhere)
Remove sessions altogether, since they're no longer being used for anything (they can be added back if anyone really wants them for something, but be aware that you'll have to recreate your session in auth.php, not just create it at login, since the PHP session is likely to expire a long time before the user's authentication token)
parent 6cd8c236
......@@ -21,19 +21,20 @@
require_once('database.php');
require_once('data/User.php');
session_start();
if(isset($_SESSION['session_id'])) {
if(isset($_COOKIE['session_id'])) {
$res = $mdb2->query('SELECT username FROM Scrobble_Sessions WHERE '
. 'sessionid = ' . $mdb2->quote($_SESSION['session_id'], 'text')
. 'sessionid = ' . $mdb2->quote($_COOKIE['session_id'], 'text')
. ' AND expires > ' . $mdb2->quote(time(), 'integer'));
if(PEAR::isError ($res) || !$res->numRows()) {
// Session is invalid
unset($_SESSION['session_id']);
setcookie('session_id', '', time() - 3600);
session_unset();
session_destroy();
} else {
$logged_in = true;
$row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);
$u_user = new User($row['username']);
$this_user = new User($row['username']);
}
}
?>
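Review bot: `$logged_in` and `$this_user` are only assigned on the success path (lines 29 and 32), so on every anonymous request they are undefined rather than false/null; the pages that consume them then depend on undefined-variable notices plus loose comparison (user-edit's `if($logged_in == false)`, the `$this_user->name == $user->name` checks on the profile pages). Initialise both before the cookie check so callers can rely on them: `$logged_in = false;` and `$this_user = null;` immediately before `if(isset($_COOKIE['session_id']))`. Since the cookie is now a bearer token valid for up to a year, it is also worth a comment at the top of this block saying that every request re-validates the token against Scrobble_Sessions and that revoking a token means deleting its row, as the commit message implies but the code does not state.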
......@@ -37,8 +37,7 @@ if ($_REQUEST['group']=='new')
{
if ($_REQUEST['new'])
{
$owner = new User($_SESSION['user']->name);
Group::create($_REQUEST['new'], $owner);
Group::create($_REQUEST['new'], $this_user);
header("Location: {$base_url}/edit_group.php?group=".$_REQUEST['new']);
exit;
}
......@@ -57,7 +56,7 @@ if ($_REQUEST['group']=='new')
$group = new Group($_REQUEST['group']);
if ($group->owner->name != $_SESSION['user']->name)
if ($group->owner->name != $this_user->name)
{
$smarty->assign('error', 'Error!');
$smarty->assign('details', 'You don\'t own this group!');
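Review bot: `Group::create($_REQUEST['new'], $this_user)` on line 42 is reached without any check that `$this_user` is set, so an anonymous visitor would pass `null` as the owner, and because the trigger is `$_REQUEST` a plain GET link performs the write. Unless a login guard exists above line 37 (outside this hunk), add `if (!isset($this_user)) { header("Location: {$base_url}/login.php"); exit; }` before the create and accept the create only from `$_POST`. With the new one-year remember-me cookie, any GET-driven state change like this stays exposed to cross-site request forgery for as long as the cookie lives. The ownership comparison on line 49 has the same undefined-`$this_user` case, but there it only yields the "You don't own this group!" error, which is the safe outcome.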
......
......@@ -47,12 +47,12 @@ if (! $_GET['group'])
$group = new Group($_GET['group']);
if ($_GET['action'] && $_SESSION['user']->name)
if ($_GET['action'] && isset($this_user))
{
if ($_GET['action'] == 'join')
$group->memberJoin($_SESSION['user']);
$group->memberJoin($this_user);
elseif ($_GET['action'] == 'leave')
$group->memberLeave($_SESSION['user']);
$group->memberLeave($this_user);
header("Location: " . $group->getURL());
exit;
......@@ -75,8 +75,8 @@ if(isset($group->name)) {
$smarty->assign('userlist', $group->getUsers());
$smarty->assign('ismember', $group->memberCheck($_SESSION['user']));
$smarty->assign('isowner', ($group->owner->name==$_SESSION['user']->name));
$smarty->assign('ismember', $group->memberCheck($this_user));
$smarty->assign('isowner', ($group->owner->name==$this_user->name));
$smarty->assign('link_join', $group->getURLAction('join'));
$smarty->assign('link_leave', $group->getURLAction('leave'));
$smarty->assign('link_edit', $base_url.'/edit_group.php?group='.$group->name);
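Review bot: Join and leave on lines 59–64 are triggered by `$_GET['action']`, so an `<img>` or link on any third-party page can make a logged-in user join or leave a group; the commit's one-year cookie means that window is now open for a year rather than a browsing session. Require a POST (and ideally a per-session token checked before `memberJoin`/`memberLeave`), e.g. `if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['action']) && isset($this_user))` in place of the line-57 condition, with `getURLAction()` emitting a form instead of a link. Line 72's `$this_user->name` is evaluated for anonymous visitors too; guard it with `isset($this_user) &&` as line 57 already does.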
......
......@@ -24,10 +24,9 @@ require_once('database.php');
require_once('templating.php');
require_once($install_path . '/data/User.php');
if(isset($_SESSION['session_id']) && $_GET['action'] == 'logout') {
session_unset();
session_destroy();
header('Location: index.php');
if(isset($_COOKIE['session_id']) && $_GET['action'] == 'logout') {
setcookie('session_id', '', time() - 3600);
header('Location: index.php');
}
if(isset($_POST['login'])) {
......@@ -35,6 +34,7 @@ if(isset($_POST['login'])) {
$errors = '';
$username = $_POST['username'];
$password = $_POST['password'];
$remember = $_POST['remember'];
if(empty($username)) {
$errors .= 'You must enter a username.<br />';
......@@ -52,25 +52,23 @@ if(isset($_POST['login'])) {
} else {
// Give the user a session id, like any other client
$session_id = md5(md5($password) . time());
if(isset($remember)){
$session_time = time() + 31536000; // 1 year
} else {
$session_time = time() + 86400; // 1 day
}
$mdb2->query('INSERT INTO Scrobble_Sessions (username, sessionid, expires) VALUES ('
. $mdb2->quote($username, 'text') . ', '
. $mdb2->quote($session_id, 'text') . ', '
. $mdb2->quote( time() + 604800, 'integer') . ')');
. $mdb2->quote($session_time, 'integer') . ')');
setcookie('session_id', $session_id, $session_time);
$logged_in = true;
$smarty->assign('logged_in', true);
$_SESSION['user'] = new User($username);
$_SESSION['session_id'] = $session_id;
$smarty->assign('user', $_SESSION['user']);
}
}
}
if(isset($logged_in) && $logged_in) {
// Send the user to the welcome page when they've logged in
//$smarty->display('welcome.tpl');
// Check that return URI is on this server. Prevents possible phishing uses.
if ( substr($_POST['return'], 0, 1) == '/' )
{ header(sprintf('Location: http://%s%s', $_SERVER['SERVER_NAME'], $_POST['return'])); }
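Review bot: The logout branch on lines 84–86 only expires the browser cookie; the matching Scrobble_Sessions row stays valid until `expires`, so a token copied from the browser keeps working for up to a year after the user logs out, and the missing `exit` after the redirect lets the rest of the page run. Delete the row before clearing the cookie and stop the script (below). The new `setcookie('session_id', $session_id, $session_time)` on line 110 sets neither `httponly` nor `secure`, leaving the bearer token readable by any script injected into a page; pass the path and flags explicitly, `setcookie('session_id', $session_id, $session_time, '/', '', false, true);`, and use the same path and flags when clearing. Line 99's `md5(md5($password) . time())` is unchanged context, but a token that now lives a year deserves real entropy rather than a password hash plus a one-second timestamp — on PHP 7+ `bin2hex(random_bytes(16))`, otherwise `bin2hex(openssl_random_pseudo_bytes(16))`. The enclosing `if(isset($_POST['login']))` block begins on line 88 and continues past the hunk.
```php
if(isset($_COOKIE['session_id']) && $_GET['action'] == 'logout') {
    // Revoke the server-side token, not just the browser's copy of it
    $mdb2->query('DELETE FROM Scrobble_Sessions WHERE sessionid = '
        . $mdb2->quote($_COOKIE['session_id'], 'text'));
    setcookie('session_id', '', time() - 3600, '/', '', false, true);
    header('Location: index.php');
    exit;
}
```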
......
......@@ -38,8 +38,8 @@ $smarty->assign('this_page_absolute',
if(isset($logged_in)) {
$smarty->assign('logged_in', true);
// Pre-fix this user's details with u to avoid confusion with other users
$smarty->assign('u_user', $u_user);
// Pre-fix this user's details with 'this_' to avoid confusion with other users
$smarty->assign('this_user', $this_user);
}
header("Content-Type: text/html; charset=utf-8");
......
......@@ -11,8 +11,8 @@
{/section}
];
{if isset($u_user)}
playerInit(playlist, "{$u_user->getScrobbleSession()}", false);
{if isset($this_user)}
playerInit(playlist, "{$this_user->getScrobbleSession()}", false);
{else}
playerInit(playlist, false, false);
{/if}
......
......@@ -3,12 +3,12 @@
<h2>Listen</h2><br />
{if isset($station)}
{if isset($u_user)}
{if isset($this_user)}
{include file='player.tpl'}
<div id='error'></div>
<script type="text/javascript">
{if isset($u_user)}
playerInit(false, "{$u_user->getScrobbleSession()}", "{$u_user->getRadioSession($station)}");
{if isset($this_user)}
playerInit(false, "{$this_user->getScrobbleSession()}", "{$this_user->getRadioSession($station)}");
{/if}
</script>
{else}
......
......@@ -14,9 +14,13 @@
<label for='password'>Password<span>&nbsp;</span></label>
<input id='password' name='password' type='password' value=''/>
<label for='remember'>Remember me<span>&nbsp;</span></label>
<input id='remember' name='remember' type='checkbox' value='1'/>
<input type='submit' name='login' value='Let me in!' />
<input name="return" type="hidden" value="{$return|htmlentities}" />
</fieldset>
</form>
......
<ul>
{if ($logged_in)}
<li><a href="{$u_user->getURL()}">{$u_user->name}</a></li>
<li><a href="{$this_user->getURL()}">{$this_user->name}</a></li>
{else}
<li><a href="{$base_url}/register.php">Register</a></li>
{/if}
{if ($logged_in)}
{if $u_user->userlevel > 0}
{if $this_user->userlevel > 0}
<li><a href="/admin.php">admin</a></li>
{/if}
<li><a href="{$base_url}/login.php?action=logout">Logout</a></li>
......
......@@ -5,8 +5,8 @@
{include file='player.tpl'}
<script type="text/javascript">
var playlist = [{ldelim}"artist" : "{$track->artist_name}", "album" : "{$track->album_name}", "track" : "{$track->name}", "url" : "{$track->streamurl}"{rdelim}];
{if isset($u_user)}
playerInit(playlist, "{$u_user->getScrobbleSession()}", false);
{if isset($this_user)}
playerInit(playlist, "{$this_user->getScrobbleSession()}", false);
{else}
playerInit(playlist, false, false);
{/if}
......
......@@ -32,9 +32,6 @@ if($logged_in == false)
die();
}
# Doesn't seem to work - $user = $_SESSION['user'];
$user = new User($_SESSION['user']->name);
$errors = array();
if ($_POST['submit'])
......@@ -107,22 +104,22 @@ if ($_POST['submit'])
{
# Currently we don't allow them to change e-mail as we probably should
# have some kind of confirmation login to do so.
$user->id = $_POST['id'];
$user->fullname = $_POST['fullname'];
$user->homepage = $_POST['homepage'];
$user->bio = $_POST['bio'];
$user->location = $_POST['location'];
$user->location_uri = $_POST['location_uri'];
$user->avatar_uri = $_POST['avatar_uri'];
$user->laconica_profile = $_POST['laconica_profile'];
$user->journal_rss = $_POST['journal_rss'];
$this_user->id = $_POST['id'];
$this_user->fullname = $_POST['fullname'];
$this_user->homepage = $_POST['homepage'];
$this_user->bio = $_POST['bio'];
$this_user->location = $_POST['location'];
$this_user->location_uri = $_POST['location_uri'];
$this_user->avatar_uri = $_POST['avatar_uri'];
$this_user->laconica_profile = $_POST['laconica_profile'];
$this_user->journal_rss = $_POST['journal_rss'];
if (!empty( $_POST['password_1'] ))
$user->password = md5($_POST['password_1']);
$user->save();
$this_user->save();
header("Location: " . $user->getURL());
header("Location: " . $this_user->getURL());
exit;
}
......@@ -134,18 +131,18 @@ if ($_POST['submit'])
}
}
if(isset($user->name))
if(isset($this_user->name))
{
# Stuff which cannot be changed.
$smarty->assign("acctid", $user->acctid);
$smarty->assign('avatar', $user->getAvatar());
$smarty->assign('user', $user->name);
$smarty->assign("acctid", $this_user->acctid);
$smarty->assign('avatar', $this_user->getAvatar());
$smarty->assign('user', $this_user->name);
# Stuff which cannot be changed *here*
$smarty->assign('userlevel', $user->userlevel);
$smarty->assign('userlevel', $this_user->userlevel);
# Stuff which cannot be changed *yet*
$smarty->assign('email', $user->email);
$smarty->assign('email', $this_user->email);
if ($_POST['submit'])
{
......@@ -161,15 +158,15 @@ if(isset($user->name))
}
else
{
$smarty->assign("id", ($user->webid_uri));
$smarty->assign('fullname', ($user->fullname));
$smarty->assign('bio', ($user->bio));
$smarty->assign('homepage', ($user->homepage));
$smarty->assign('location', ($user->location));
$smarty->assign('location_uri', ($user->location_uri));
$smarty->assign('avatar_uri', ($user->avatar_uri));
$smarty->assign('laconica_profile', ($user->laconica_profile));
$smarty->assign('journal_rss', ($user->journal_rss));
$smarty->assign("id", ($this_user->webid_uri));
$smarty->assign('fullname', ($this_user->fullname));
$smarty->assign('bio', ($this_user->bio));
$smarty->assign('homepage', ($this_user->homepage));
$smarty->assign('location', ($this_user->location));
$smarty->assign('location_uri', ($this_user->location_uri));
$smarty->assign('avatar_uri', ($this_user->avatar_uri));
$smarty->assign('laconica_profile', ($this_user->laconica_profile));
$smarty->assign('journal_rss', ($this_user->journal_rss));
}
# And display the page.
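Review bot: Line 229 still writes `$user->password = md5($_POST['password_1']);` while the commit removes the `$user = new User(...)` on line 203 and switches every other field to `$this_user`; if line 229 is unchanged context as it appears, a password change now lands on an implicitly created empty object and `$this_user->save()` on line 231 never persists it. Change it to `$this_user->password = md5($_POST['password_1']);` — and, separately from this commit, md5 is not a password hash; `password_hash()`/`password_verify()` are available from PHP 5.5. Line 219's `$this_user->id = $_POST['id'];` lets the client set the object's `id` from the form before `save()` (the template is given `webid_uri` under the name `id` on line 270); confirm that `save()` treats this as the WebID and not the account key. The `if ($_POST['submit'])` block starts on line 205 and its body is split across these hunks.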
......
......@@ -70,7 +70,7 @@ $aUserTagCloud = TagCloud::GenerateTagCloud('Scrobbles', 'artist', 40, $user->n
if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud);
}
$smarty->assign('isme', ($_SESSION['user']->name == $user->name));
$smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user);
$smarty->assign('geo', Server::getLocationDetails($user->location_uri));
$smarty->assign('profile', true);
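Review bot: `$this_user->name` on line 287 is evaluated for anonymous visitors too, where `$this_user` is never assigned by auth.php, so `isme` is computed from a null dereference (notice in PHP 5, a TypeError-free but noisy `null == $user->name`). Write the guard explicitly: `$smarty->assign('isme', isset($this_user) && $this_user->name == $user->name);`. The same line appears in the other three user pages in this commit (lines 297, 306 and 314) and wants the same fix.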
......
......@@ -49,7 +49,7 @@ if(isset($user->name)) {
if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud);
}
$smarty->assign('isme', ($_SESSION['user']->name == $user->name));
$smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user);
$smarty->assign('profile', true);
......
......@@ -50,7 +50,7 @@ if(isset($user->name)) {
if (!PEAR::isError ($aUserTagCloud)) {
$smarty->assign('user_tagcloud',$aUserTagCloud);
}
$smarty->assign('isme', ($_SESSION['user']->name == $user->name));
$smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('me', $user);
$smarty->assign('profile', true);
......
......@@ -56,7 +56,7 @@ if(isset($user->name)) {
$smarty->assign('me', $user);
$smarty->assign('geo', Server::getLocationDetails($user->location_uri));
$smarty->assign('isme', ($_SESSION['user']->name == $user->name));
$smarty->assign('isme', ($this_user->name == $user->name));
$smarty->assign('stats', true);
$smarty->display('user-stats.tpl');
......