better error reporting for rememberme cookie handling

rememberme cookies are probably the most complained-about parts of the
system. We use "weak", one-use, low-info cookies that don't allow
changing settings like passwords or email addresses.

This change adds some better error-reporting to the rememberme
function. Hopefully we'll find out if there are other rm problem.

darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz
This commit is contained in:
Evan Prodromou 2008-12-09 12:04:13 -05:00
parent a61c7546c8
commit ed440c734e

View File

@ -620,33 +620,65 @@ function common_rememberme($user=NULL) {
}
function common_remembered_user() {
$user = NULL;
# Try to remember
$packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : '';
if ($packed) {
list($id, $code) = explode(':', $packed);
if ($id && $code) {
$rm = Remember_me::staticGet($code);
if ($rm && ($rm->user_id == $id)) {
$user = User::staticGet($rm->user_id);
if ($user) {
# successful!
$result = $rm->delete();
if (!$result) {
common_log_db_error($rm, 'DELETE', __FILE__);
$user = NULL;
} else {
common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
common_set_user($user->nickname);
common_real_login(false);
# We issue a new cookie, so they can log in
# automatically again after this session
common_rememberme($user);
}
}
}
}
}
$packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL;
if (!$packed) {
return NULL;
}
list($id, $code) = explode(':', $packed);
if (!$id || !$code) {
common_warning('Malformed rememberme cookie: ' . $packed);
common_forgetme();
return NULL;
}
$rm = Remember_me::staticGet($code);
if (!$rm) {
common_warning('No such remember code: ' . $code);
common_forgetme();
return NULL;
}
if ($rm->user_id != $id) {
common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id);
common_forgetme();
return NULL;
}
$user = User::staticGet($rm->user_id);
if (!$user) {
common_warning('No such user for rememberme: ' . $rm->user_id);
common_forgetme();
return NULL;
}
# successful!
$result = $rm->delete();
if (!$result) {
common_log_db_error($rm, 'DELETE', __FILE__);
common_warning('Could not delete rememberme: ' . $code);
common_forgetme();
return NULL;
}
common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
common_set_user($user->nickname);
common_real_login(false);
# We issue a new cookie, so they can log in
# automatically again after this session
common_rememberme($user);
return $user;
}