From ed440c734e45de01183d885e8750c173fc20a726 Mon Sep 17 00:00:00 2001 From: Evan Prodromou Date: Tue, 9 Dec 2008 12:04:13 -0500 Subject: [PATCH] better error reporting for rememberme cookie handling rememberme cookies are probably the most complained-about parts of the system. We use "weak", one-use, low-info cookies that don't allow changing settings like passwords or email addresses. This change adds some better error-reporting to the rememberme function. Hopefully we'll find out if there are other rm problem. darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz --- lib/util.php | 84 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 58 insertions(+), 26 deletions(-) diff --git a/lib/util.php b/lib/util.php index 259ea7a968..0e0198ee30 100644 --- a/lib/util.php +++ b/lib/util.php @@ -620,33 +620,65 @@ function common_rememberme($user=NULL) { } function common_remembered_user() { + $user = NULL; - # Try to remember - $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : ''; - if ($packed) { - list($id, $code) = explode(':', $packed); - if ($id && $code) { - $rm = Remember_me::staticGet($code); - if ($rm && ($rm->user_id == $id)) { - $user = User::staticGet($rm->user_id); - if ($user) { - # successful! - $result = $rm->delete(); - if (!$result) { - common_log_db_error($rm, 'DELETE', __FILE__); - $user = NULL; - } else { - common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code); - common_set_user($user->nickname); - common_real_login(false); - # We issue a new cookie, so they can log in - # automatically again after this session - common_rememberme($user); - } - } - } - } - } + + $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL; + + if (!$packed) { + return NULL; + } + + list($id, $code) = explode(':', $packed); + + if (!$id || !$code) { + common_warning('Malformed rememberme cookie: ' . $packed); + common_forgetme(); + return NULL; + } + + $rm = Remember_me::staticGet($code); + + if (!$rm) { + common_warning('No such remember code: ' . $code); + common_forgetme(); + return NULL; + } + + if ($rm->user_id != $id) { + common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id); + common_forgetme(); + return NULL; + } + + $user = User::staticGet($rm->user_id); + + if (!$user) { + common_warning('No such user for rememberme: ' . $rm->user_id); + common_forgetme(); + return NULL; + } + + # successful! + $result = $rm->delete(); + + if (!$result) { + common_log_db_error($rm, 'DELETE', __FILE__); + common_warning('Could not delete rememberme: ' . $code); + common_forgetme(); + return NULL; + } + + common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code); + + common_set_user($user->nickname); + common_real_login(false); + + # We issue a new cookie, so they can log in + # automatically again after this session + + common_rememberme($user); + return $user; }