finished the login/logout/session stuff

web/html/account.php

@@ -2,6 +2,7 @@
 include("aur.inc");         # access AUR common functions
 include("account_po.inc");  # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 
@@ -11,8 +12,5 @@ html_header();              # print out the HTML header
 print __("Under construction...")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/css/containers.css

@@ -174,6 +174,12 @@
 		vertical-align: top;
 		padding-left: 5;
 	}
+	td.text
+	{
+		color:	#000;
+		font-family: verdana;
+		font-size: 12px;
+	}
 	th
 	{
 		text-align: left;

web/html/css/fonts.css

@@ -40,6 +40,12 @@
 		font-family:		monospace, fixed, terminal;
 		font-size:			12px;
 	}
+	span.error /* Content Text */
+	{
+		color:				#900;
+		font-family:		verdana;
+		font-size:			12px;
+	}
 
 /* Font Attribute Change (#6c83b0)*/
 	span.blue

web/html/hacker.php

@@ -0,0 +1,13 @@
+<?
+include("hacker_po.inc");
+include("aur.inc");
+set_lang();
+html_header();
+
+print __("Your session id is invalid.");
+print "<p>\n";
+print __("If this problem persists, please contact the site administrator.");
+print "</p>\n";
+
+html_footer("\$Id$");
+?>

web/html/index.php

@@ -4,7 +4,7 @@ include("aur.inc");
 set_lang();
 check_sid();
 
-# Need to do the authentication prior to sending HTML
+# Need to do the authentication prior to sending any HTML (including header)
 #
 $login_error = "";
 if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
@@ -23,15 +23,16 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
 		$q = "SELECT ID, Suspended FROM Users ";
 		$q.= "WHERE Email = '" . mysql_escape_string($_REQUEST["user"]) . "' ";
 		$q.= "AND Passwd = '" . mysql_escape_string($_REQUEST["pass"]) . "'";
-		$result = mysql_query($q, $dbh);
+		$result = db_query($q, $dbh);
 		if (!$result) {
 			$login_error = __("Incorrect password for username %s.",
 						array($_REQUEST["user"]));
-		}
+		} else {
 			$row = mysql_fetch_row($result);
 			if ($row[1]) {
 				$login_error = __("Your account has been suspended.");
 			}
+		}
 
 		if (!$login_error) {
 			# Account looks good.  Generate a SID and store it.
@@ -42,7 +43,7 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
 				$new_sid = new_sid();
 				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
 				$q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
-				$result = mysql_query($q, $dbh);
+				$result = db_query($q, $dbh);
 				# Query will fail if $new_sid is not unique
 				#
 				if ($result) {
@@ -69,19 +70,19 @@ html_header();
 
 print "<table border='0' cellpadding='0' cellspacing='3' width='90%'>\n";
 print "<tr>\n";
-print "  <td align='left'>";
+print "  <td align='left' valign='top'>&nbsp;<br/>";
 print __("This is where the intro text will go.");
 print __("For now, it's just a place holder.");
 print __("It's more important to get the login functionality finished.");
 print __("After that, this can be filled in with more meaningful text.");
 print "  </td>";
-print "  <td align='right'>";
+print "  <td align='right'>&nbsp;<br/>\n";
 if (!isset($_COOKIE["AURSID"])) {
 	# the user is not logged in, give them login widgets
 	#
 	print "<form action='/index.php' method='post'>\n";
 	if ($login_error) {
-		print $login_error . "<br/>\n";
+		print "<span class='error'>" . $login_error . "</span><br/>\n";
 	}
 	print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n";
 	print "<tr>\n";

web/html/logout.php

@@ -2,17 +2,19 @@
 include("aur.inc");         # access AUR common functions
 include("logout_po.inc");   # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
-html_header();              # print out the HTML header
 
-
+# if they've got a cookie, log them out - need to do this before
-# Any text you print out to the visitor, use the __() function
+# sending any HTML output.
-# for i18n support.  See 'testpo.php' for more details.
 #
-print __("Under construction...")."<br/>\n";
+if (isset($_COOKIE["AURSID"])) {
+	$q = "DELETE FROM Sessions WHERE SessionID = '";
+	$q.= mysql_escape_string($_COOKIE["AURSID"]) . "'";
+	setcookie("AURSID", "", time() - (60*60*24*30), "/");
+}
+
+html_header();              # print out the HTML header
+print __("You have been successfully logged out.")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/pkgmgmnt.php

@@ -2,6 +2,7 @@
 include("aur.inc");         # access AUR common functions
 include("mgmnt_po.inc");    # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 
@@ -11,8 +12,5 @@ html_header();              # print out the HTML header
 print __("Under construction...")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/pkgsearch.php

@@ -2,6 +2,7 @@
 include("aur.inc");         # access AUR common functions
 include("search_po.inc");   # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 
@@ -11,8 +12,5 @@ html_header();              # print out the HTML header
 print __("Under construction...")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/pkgsubmit.php

@@ -1,6 +1,8 @@
 <?
 include("aur.inc");         # access AUR common functions
 include("submit_po.inc");   # use some form of this for i18n support
+set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 
@@ -10,8 +12,5 @@ html_header();              # print out the HTML header
 print __("Under construction...")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/pkgvote.php

@@ -2,6 +2,7 @@
 include("aur.inc");         # access AUR common functions
 include("vote_po.inc");     # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 
@@ -11,8 +12,5 @@ html_header();              # print out the HTML header
 print __("Under construction...")."<br/>\n";
 
 
-html_footer("\$Id$");      # Use the $Id$ keyword
+html_footer("\$Id$");
-                           # NOTE: when checking in a new file, use
-                           # 'svn propset svn:keywords "Id" filename.php'
-                           # to tell svn to expand the "Id" keyword.
 ?>

web/html/template.php

@@ -2,6 +2,7 @@
 include("aur.inc");         # access AUR common functions
 include("template_po.inc"); # use some form of this for i18n support
 set_lang();                 # this sets up the visitor's language
+check_sid();                # see if they're still logged in
 html_header();              # print out the HTML header
 
 

web/lang/hacker_po.inc

@@ -0,0 +1,24 @@
+<?
+# INSTRUCTIONS TO TRANSLATORS
+#
+# This file contains the i18n translations for a subset of the
+# Arch Linux User-community Repository (AUR).  This is a PHP
+# script, and as such, you MUST pay great attention to the syntax.
+# If your text contains any double-quotes ("), you MUST escape
+# them with the backslash character (\).
+#
+
+include_once("translator.inc");
+global $_t;
+
+$_t["en"]["Your session id is invalid."] = "Your session id is invalid.";
+# $_t["es"]["Your session id is invalid."] = "--> Traducción española aquí. <--";
+# $_t["fr"]["Your session id is invalid."] = "--> Traduction française ici. <--";
+# $_t["de"]["Your session id is invalid."] = "--> Deutsche Übersetzung hier. <--";
+
+$_t["en"]["If this problem persists, please contact the site administrator."] = "If this problem persists, please contact the site administrator.";
+# $_t["es"]["If this problem persists, please contact the site administrator."] = "--> Traducción española aquí. <--";
+# $_t["fr"]["If this problem persists, please contact the site administrator."] = "--> Traduction française ici. <--";
+# $_t["de"]["If this problem persists, please contact the site administrator."] = "--> Deutsche Übersetzung hier. <--";
+
+?>

web/lang/logout_po.inc

@@ -16,4 +16,9 @@ $_t["en"]["Under construction..."] = "Under construction...";
 # $_t["fr"]["Under construction..."] = "--> Traduction française ici. <--";
 # $_t["de"]["Under construction..."] = "--> Deutsche Übersetzung hier. <--";
 
+$_t["en"]["You have been successfully logged out."] = "You have been successfully logged out.";
+# $_t["es"]["You have been successfully logged out."] = "--> Traducción española aquí. <--";
+# $_t["fr"]["You have been successfully logged out."] = "--> Traduction française ici. <--";
+# $_t["de"]["You have been successfully logged out."] = "--> Deutsche Übersetzung hier. <--";
+
 ?>

web/lib/aur.inc

@@ -3,18 +3,24 @@ include_once("aur_po.inc");
 
 # Define global variables
 #
-$PASS_PHRASE = "Dustyissocool";
+$LOGIN_TIMEOUT = 10;             # number of idle seconds before timeout
-$SUPPORTED_LANGS = array(
+$SUPPORTED_LANGS = array(        # what languages we have translations for
 	"en" => 1, # English
 	"es" => 1, # Español
 	"de" => 1, # Deutsch
 	"fr" => 1, # Français
 );
 
+# debugging variables
+#
+$QBUG = 1;                       # toggle query logging to /tmp/aurq.log
+$DBUG = 1;                       # use dbug($msg) to log to /tmp/aurd.log
+
 # see if the visitor is already logged in
 #
 function check_sid() {
 	global $_COOKIE;
+	global $LOGIN_TIMEOUT;
 
 	if (isset($_COOKIE["AURSID"])) {
 		$failed = 0;
@@ -23,28 +29,45 @@ function check_sid() {
 		$dbh = db_connect();
 		$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
 		$q.= "WHERE SessionID = '" . mysql_escape_string($_COOKIE["AURSID"]) . "'";
-		$result = mysql_query($q, $dbh);
+		$result = db_query($q, $dbh);
 		if (!$result) {
+			# Invalid SessionID - hacker alert!
+			#
 			$failed = 1;
 		} else {
-			if ($row[0] + 10 >= $row[1]) {
+			$row = mysql_fetch_row($result);
-				$failed = 1;
+			if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) {
+				dbug("login timeout reached");
+				$failed = 2;
 			}
 		}
-		if ($failed) {
+		if ($failed == 1) {
+			# clear out the hacker's cookie, and send them to a naughty page
+			#
+			setcookie("AURSID", "", time() - (60*60*24*30), "/");
+			header("Location: /hacker.php");
+
+		} elseif ($failed == 2) {
 			# visitor's session id either doesn't exist, or the timeout
 			# was reached and they must login again, send them back to
 			# the main page where they can log in again.
 			#
 			$q = "DELETE FROM Sessions WHERE SessionID = '";
 			$q.= mysql_escape_string($_COOKIE["AURSID"]) . "'";
-			mysql_query($q, $dbh);
+			db_query($q, $dbh);
 
 			setcookie("AURSID", "", time() - (60*60*24*30), "/");
 			header("Location: /timeout.php");
-		}
-	}
 
+		} else {
+			# still logged in and haven't reached the timeout, go ahead
+			# and update the idle timestamp
+			#
+			$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
+			$q.= "WHERE SessionID = '".mysql_escape_string($_COOKIE["AURSID"])."'";
+			db_query($q, $dbh);
+		}
+	}
 	return;
 }
 
@@ -81,7 +104,7 @@ function username_from_sid($sid="") {
 	$q.= "FROM Users, Sessions ";
 	$q.= "WHERE Users.ID = Sessions.UsersID ";
 	$q.= "AND SessionID = '" . mysql_escape_string($sid) . "'";
-	$result = mysql_query($q, $dbh);
+	$result = db_query($q, $dbh);
 	if (!$result) {
 		return "";
 	}
@@ -111,6 +134,26 @@ function db_connect() {
 	return $handle;
 }
 
+# wrapper function around db_query in case we want to put
+# query logging/debuggin in.
+#
+function db_query($query="", $db_handle="") {
+	global $QBUG;
+	if (!$query) {
+		return FALSE;
+	}
+	if (!$db_handle) {
+		$db_handle = db_connect();
+	}
+	if ($QBUG) {
+		$fp = fopen("/tmp/aurq.log", "a");
+		fwrite($fp, $query . "\n");
+		fclose($fp);
+	}
+	$result = mysql_query($query, $db_handle);
+	return $result;
+}
+
 # set up the visitor's language
 #
 function set_lang() {
@@ -152,6 +195,7 @@ function set_lang() {
 # common header
 #
 function html_header() {
+	global $_COOKIE;
 	print "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
 	print "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n";
 	print "<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">";
@@ -205,6 +249,11 @@ function html_header() {
 	print "            <a href='/account.php'>".__("Accounts")."</a> ";
 	print "               <span class='black'> - </span> ";
 	print "            <a href='/pkgsearch.php'>".__("Packages")."</a> ";
+	if (isset($_COOKIE["AURSID"])) {
+		# Only display these items if the visitor is logged in.  This should
+		# be a safe check because check_sid() has been called prior to
+		# html_header().
+		#
 		print "               <span class='black'> - </span> ";
 		print "            <a href='/pkgvote.php'>".__("Vote")."</a> ";
 		print "               <span class='black'> - </span> ";
@@ -213,6 +262,7 @@ function html_header() {
 		print "            <a href='/pkgsubmit.php'>".__("Submit")."</a> ";
 		print "               <span class='black'> - </span> ";
 		print "            <a href='/logout.php'>".__("Logout")."</a> ";
+	}
 	print "                <span class='black'>:.</span></span>";
 	print "        </td>";
 	print "    </tr>";
@@ -237,10 +287,19 @@ function html_footer($ver="") {
 		print "<tr><td align='right'><span class='fix'>".$ver."</span></td></tr>\n";
 		print "</table>\n";
 	}
-	print "<\p>\n";
+	print "</p>\n";
 	print "</body>\n</html>";
 	return;
 }
 
+# debug logging
+#
+function dbug($msg) {
+	$fp = fopen("/tmp/aurd.log", "a");
+	fwrite($fp, $msg . "\n");
+	fclose($fp);
+	return;
+}
+
 # vim: ts=2 sw=2 noet ft=php
 ?>