Removes timeout page and moves login form to header

This removes the need for a timeout page (and probably hacker.php) and
moves the login form and status to the header. If your login times out
you won't lose your place anymore and links will always work. Works
for me but at the moment index_po.php is imported in aur.inc which has
to stay until the translations from it for login are moved to
aur_po.php.

Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>

web/html/index.php

@@ -2,78 +2,12 @@
 
 set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../lang');
 
-include("index_po.inc");
+# include("index_po.inc");
 include("pkgfuncs_po.inc"); # Add to handle the i18n of My Packages
 include("aur.inc");
 set_lang();
 check_sid();
 
-# Need to do the authentication prior to sending any HTML (including header)
-#
-$login_error = "";
-if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
-	# Attempting to log in
-	#
-	if (!isset($_REQUEST["user"])) {
-		$login_error = __("You must supply a username.");
-	}
-	if (!isset($_REQUEST["pass"])) {
-		$login_error = __("You must supply a password.");
-	}
-	if (!$login_error) {
-		# Try and authenticate the user
-		#
-
-		#md5 hash it
-		$_REQUEST["pass"] = md5($_REQUEST["pass"]);
-		$dbh = db_connect();
-		$q = "SELECT ID, Suspended FROM Users ";
-		$q.= "WHERE Username = '" . mysql_real_escape_string($_REQUEST["user"]) . "' ";
-		$q.= "AND Passwd = '" . mysql_real_escape_string($_REQUEST["pass"]) . "'";
-		$result = db_query($q, $dbh);
-		if (!$result) {
-			$login_error = __("Error looking up username, %s.",
-						array(htmlspecialchars($_REQUEST["user"])));
-		} else {
-			$row = mysql_fetch_row($result);
-			if (empty($row)) {
-				$login_error = __("Incorrect password for username, %s.",
-						array(htmlspecialchars($_REQUEST["user"])));
-			} elseif ($row[1]) {
-				$login_error = __("Your account has been suspended.");
-			}
-		}
-
-		if (!$login_error) {
-			# Account looks good.  Generate a SID and store it.
-			#
-			$logged_in = 0;
-			$num_tries = 0;
-			while (!$logged_in && $num_tries < 5) {
-				$new_sid = new_sid();
-				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
-				$q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
-				$result = db_query($q, $dbh);
-				# Query will fail if $new_sid is not unique
-				#
-				if ($result) {
-					$logged_in = 1;
-					break;
-				}
-				$num_tries++;
-			}
-			if ($logged_in) {
-				# set our SID cookie
-				#
-				setcookie("AURSID", $new_sid, 0, "/");
-				header("Location: /index.php");
-			} else {
-				$login_error = __("Error trying to generate session id.");
-			}
-		}
-	}
-}
-
 # Any cookies have been sent, can now display HTML
 #
 html_header();
@@ -97,36 +31,6 @@ print __("The most popular packages will be provided as binary packages in [comm
 print "</td>";
 print "<td class='boxSoft' valign='top'>";
 
-# Now present the user login stuff
-if (!isset($_COOKIE["AURSID"])) {
-	# the user is not logged in, give them login widgets
-	#
-	if ($login_error) {
-		print "<span class='error'>" . $login_error . "</span><br />\n";
-	}
-	print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n";
-	print "<form action='/index.php' method='post'>\n";
-	print "<tr>\n";
-	print "<td>".__("Username:")."</td>";
-	print "<td><input type='text' name='user' size='30' maxlength='64'></td>";
-	print "</tr>\n";
-	print "<tr>\n";
-	print "<td>".__("Password:")."</td>";
-	print "<td><input type='password' name='pass' size='30' maxlength='32'></td>";
-	print "</tr>\n";
-	print "<tr>\n";
-	print "<td colspan='2' align='right'>&nbsp;<br />";
-	print "<input type='submit' class='button'";
-	print " value='".__("Login")."'></td>";
-	print "</tr>\n";
-	print "</form>\n";
-	print "</table>\n";
-
-} else {
-	print __("Logged-in as: %h%s%h",
-			array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
-}
-
 # MAIN: Bottom Left
 print "</td>";
 print "</tr>";

web/lib/aur.inc

@@ -7,6 +7,7 @@ header('Pragma: no-cache');
 include_once("version.inc");
 include_once("config.inc");
 include_once("aur_po.inc");
+include_once("index_po.inc");
 
 # TODO do we need to set the domain on cookies?  I seem to remember some
 # security concerns about not using domains - but it's not like
@@ -92,6 +93,8 @@ function check_sid() {
 			# clear out the hacker's cookie, and send them to a naughty page
 			#
 			setcookie("AURSID", "", time() - (60*60*24*30), "/");
+			# I think it's probably safe to do the same as below with this
+			# but not really vital at this point
 			header("Location: /hacker.php");
 
 		} elseif ($failed == 2) {
@@ -104,8 +107,7 @@ function check_sid() {
 			db_query($q, $dbh);
 
 			setcookie("AURSID", "", time() - (60*60*24*30), "/");
-			header("Location: /timeout.php");
+			unset($_COOKIE['AURSID']);
-
 		} else {
 			# still logged in and haven't reached the timeout, go ahead
 			# and update the idle timestamp
@@ -336,9 +338,74 @@ function set_lang() {
 function html_header() {
 	global $_SERVER;
 	global $_COOKIE;
+	global $_POST;
 	global $LANG;
 	global $SUPPORTED_LANGS;
 
+	$login_error = "";
+	if (isset($_POST["user"]) || isset($_POST["pass"])) {
+		# Attempting to log in
+		#
+		if (!isset($_POST["user"])) {
+			$login_error = __("You must supply a username.");
+		}
+		if (!isset($_POST["pass"])) {
+			$login_error = __("You must supply a password.");
+		}
+		if (!$login_error) {
+			# Try and authenticate the user
+			#
+
+			#md5 hash it
+			$_POST["pass"] = md5($_POST["pass"]);
+			$dbh = db_connect();
+			$q = "SELECT ID, Suspended FROM Users ";
+			$q.= "WHERE Username = '" . mysql_real_escape_string($_POST["user"]) . "' ";
+			$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
+			$result = db_query($q, $dbh);
+			if (!$result) {
+				$login_error = __("Error looking up username, %s.",
+							array(htmlspecialchars($_POST["user"])));
+			} else {
+				$row = mysql_fetch_row($result);
+				if (empty($row)) {
+					$login_error = __("Incorrect password for username, %s.",
+							array(htmlspecialchars($_POST["user"])));
+				} elseif ($row[1]) {
+					$login_error = __("Your account has been suspended.");
+				}
+			}
+
+			if (!$login_error) {
+				# Account looks good.  Generate a SID and store it.
+				#
+				$logged_in = 0;
+				$num_tries = 0;
+				while (!$logged_in && $num_tries < 5) {
+					$new_sid = new_sid();
+					$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
+					$q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
+					$result = db_query($q, $dbh);
+					# Query will fail if $new_sid is not unique
+					#
+					if ($result) {
+						$logged_in = 1;
+						break;
+					}
+					$num_tries++;
+				}
+				if ($logged_in) {
+					# set our SID cookie
+					#
+					setcookie("AURSID", $new_sid, 0, "/");
+					$_COOKIE['AURSID'] = $new_sid;
+				} else {
+					$login_error = __("Error trying to generate session id.");
+				}
+			}
+		}
+	}
+
 	include('header.php');
 	return;
 }

web/template/header.php

@@ -65,8 +65,30 @@ foreach ($SUPPORTED_LANGS as $lang => $lang_name) {
            <li>Lang: </li>
          </ul>
       </div>
-   </div>
+      <br />
-   <div id="maincontent">
+      <div style="text-align: right; padding-right: 10px">
-		 <!-- Start of main content -->
+<?php
+if (!isset($_COOKIE["AURSID"])) {
+	if ($login_error) {
+		print "<span class='error'>" . $login_error . "</span><br />\n";
+  }
+?>
+        <form method='post'>
+<?php print __("Username:"); ?>
+        <input type='text' name='user' size='30' maxlength='64'>
+<?php print __("Password:"); ?>
+        <input type='password' name='pass' size='30' maxlength='32'>
+        <input type='submit' class='button' value='<?php  print __("Login"); ?>'>
+        </form>
+<?php
+} else {
+	print __("Logged-in as: %h%s%h",
+			array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
+}
+?>
+    </div>
+  </div>
+  <div id="maincontent">
+	  <!-- Start of main content -->