better error reporting for rememberme cookie handling

rememberme cookies are probably the most complained-about parts of the
system. We use "weak", one-use, low-info cookies that don't allow
changing settings like passwords or email addresses.

This change adds some better error-reporting to the rememberme
function. Hopefully we'll find out if there are other rm problem.

darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz
This commit is contained in:
Evan Prodromou 2008-12-09 12:04:13 -05:00
parent a61c7546c8
commit ed440c734e

View File

@ -620,33 +620,65 @@ function common_rememberme($user=NULL) {
} }
function common_remembered_user() { function common_remembered_user() {
$user = NULL; $user = NULL;
# Try to remember
$packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : ''; $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL;
if ($packed) {
if (!$packed) {
return NULL;
}
list($id, $code) = explode(':', $packed); list($id, $code) = explode(':', $packed);
if ($id && $code) {
if (!$id || !$code) {
common_warning('Malformed rememberme cookie: ' . $packed);
common_forgetme();
return NULL;
}
$rm = Remember_me::staticGet($code); $rm = Remember_me::staticGet($code);
if ($rm && ($rm->user_id == $id)) {
if (!$rm) {
common_warning('No such remember code: ' . $code);
common_forgetme();
return NULL;
}
if ($rm->user_id != $id) {
common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id);
common_forgetme();
return NULL;
}
$user = User::staticGet($rm->user_id); $user = User::staticGet($rm->user_id);
if ($user) {
if (!$user) {
common_warning('No such user for rememberme: ' . $rm->user_id);
common_forgetme();
return NULL;
}
# successful! # successful!
$result = $rm->delete(); $result = $rm->delete();
if (!$result) { if (!$result) {
common_log_db_error($rm, 'DELETE', __FILE__); common_log_db_error($rm, 'DELETE', __FILE__);
$user = NULL; common_warning('Could not delete rememberme: ' . $code);
} else { common_forgetme();
return NULL;
}
common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code); common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
common_set_user($user->nickname); common_set_user($user->nickname);
common_real_login(false); common_real_login(false);
# We issue a new cookie, so they can log in # We issue a new cookie, so they can log in
# automatically again after this session # automatically again after this session
common_rememberme($user); common_rememberme($user);
}
}
}
}
}
return $user; return $user;
} }