external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve cookie handling

Browse source 
* Remove comment that is mostly bogus- the domain is automatically set.
* When logging out, don't delete the language cookie.
* Make the language cookie persistent.
* Use the minimal time possible to expire cookies; no need to compute
  anything.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
Dan McGee 2011-03-01 09:24:34 -06:00 committed by Lukas Fleischer
parent 90485e8f42
commit 984ce9529c
2 changed files with 11 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
web/html/logout.php
View file

@ -14,8 +14,9 @@ if (isset($_COOKIE["AURSID"])) {
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
setcookie("AURSID", "", time() - (60*60*24*30), "/");
setcookie("AURLANG", "", time() - (60*60*24*30), "/");
# setting expiration to 1 means '1 second after midnight January 1, 1970'
setcookie("AURSID", "", 1, "/");
unset($_COOKIE['AURSID']);
}
clear_expired_sessions();

20
web/lib/aur.inc
View file

@ -12,12 +12,6 @@ include_once("config.inc");
include_once("version.inc");
include_once("acctfuncs.inc");
# TODO do we need to set the domain on cookies? I seem to remember some
# security concerns about not using domains - but it's not like
# we really care if another site can see what language/SID a user
# is using...
# see if the visitor is already logged in
#
function check_sid() {
@ -48,18 +42,16 @@ function check_sid() {
# clear out the hacker's cookie, and send them to a naughty page
# why do you have to be so harsh on these people!?
#
setcookie("AURSID", "", time() - (60*60*24*30), "/");
setcookie("AURSID", "", 1, "/");
unset($_COOKIE['AURSID']);
} elseif ($failed == 2) {
# visitor's session id either doesn't exist, or the timeout
# was reached and they must login again, send them back to
# the main page where they can log in again.
# session id timeout was reached and they must login again.
#
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
setcookie("AURSID", "", time() - (60*60*24*30), "/");
setcookie("AURSID", "", 1, "/");
unset($_COOKIE['AURSID']);
} else {
# still logged in and haven't reached the timeout, go ahead
@ -257,6 +249,7 @@ function set_lang() {
global $_t;
global $LANG;
global $SUPPORTED_LANGS;
global $PERSISTENT_COOKIE_TIMEOUT;
$update_cookie = 0;
if (isset($_REQUEST['setlang'])) {
@ -271,6 +264,8 @@ function set_lang() {
$LANG = $_COOKIE['AURLANG'];
} elseif (isset($_COOKIE["AURSID"])) {
# No language but a session; use default lang preference
#
$dbh = db_connect();
$q = "SELECT LangPreference FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
@ -291,7 +286,8 @@ function set_lang() {
}
if ($update_cookie) {
setcookie("AURLANG", $LANG, 0, "/");
$cookie_time = time() + $PERSISTENT_COOKIE_TIMEOUT;
setcookie("AURLANG", $LANG, $cookie_time, "/");
}
if ($LANG != "en" ) {