valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix session write handler always assuming that database entry exists and failing silently if it doesn't; remove session cookie-related hacks

This commit is contained in:
Andrew Dolgov 2018-10-16 14:07:42 +03:00
parent d246fb9fe1
commit 5f66f872b6
3 changed files with 27 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
classes/handler/public.php
View File

@ -465,14 +465,6 @@ class Handler_Public extends Handler {
function login() { function login() {
if (!SINGLE_USER_MODE) { if (!SINGLE_USER_MODE) {
/* if a session is started here there's a stale login cookie we need to clean */
if (session_status() != PHP_SESSION_NONE) {
$_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
header("Location: " . get_self_url_prefix());
exit;
}
$login = clean($_POST["login"]); $login = clean($_POST["login"]);
$password = clean($_POST["password"]); $password = clean($_POST["password"]);

2
include/functions.php
View File

@ -714,8 +714,8 @@
if ($user_id && !$check_only) { if ($user_id && !$check_only) {
session_regenerate_id(true);
session_start(); session_start();
session_regenerate_id(true);
$_SESSION["uid"] = $user_id; $_SESSION["uid"] = $user_id;
$_SESSION["version"] = VERSION_STATIC; $_SESSION["version"] = VERSION_STATIC;

43
include/sessions.php
View File

@ -45,7 +45,7 @@
__("Session failed to validate (schema version changed)"); __("Session failed to validate (schema version changed)");
return false; return false;
} }
$pdo = Db::pdo(); $pdo = Db::pdo();
if ($_SESSION["uid"]) { if ($_SESSION["uid"]) {
@ -59,21 +59,21 @@
// user not found // user not found
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
$pwd_hash = $row["pwd_hash"]; $pwd_hash = $row["pwd_hash"];
if ($pwd_hash != $_SESSION["pwd_hash"]) { if ($pwd_hash != $_SESSION["pwd_hash"]) {
$_SESSION["login_error_msg"] = $_SESSION["login_error_msg"] =
__("Session failed to validate (password changed)"); __("Session failed to validate (password changed)");
return false; return false;
} }
} else { } else {
$_SESSION["login_error_msg"] = $_SESSION["login_error_msg"] =
__("Session failed to validate (user not found)"); __("Session failed to validate (user not found)");
return false; return false;
} }
} }
@ -95,16 +95,16 @@
$sth->execute([$id]); $sth->execute([$id]);
if ($row = $sth->fetch()) { if ($row = $sth->fetch()) {
return base64_decode($row["data"]); return base64_decode($row["data"]);
} else { } else {
$expire = time() + $session_expire; $expire = time() + $session_expire;
$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire) $sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, '', ?)"); VALUES (?, '', ?)");
$sth->execute([$id, $expire]); $sth->execute([$id, $expire]);
return ""; return "";
} }
@ -116,8 +116,17 @@
$data = base64_encode($data); $data = base64_encode($data);
$expire = time() + $session_expire; $expire = time() + $session_expire;
$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?"); $sth = Db::pdo()->prepare("SELECT id FROM ttrss_sessions WHERE id=?");
$sth->execute([$data, $expire, $id]); $sth->execute([$id]);
if ($row = $sth->fetch()) {
$sth = Db::pdo()->prepare("UPDATE ttrss_sessions SET data=?, expire=? WHERE id=?");
$sth->execute([$data, $expire, $id]);
} else {
$sth = Db::pdo()->prepare("INSERT INTO ttrss_sessions (id, data, expire)
VALUES (?, ?, ?)");
$sth->execute([$id, $data, $expire]);
}
return true; return true;
} }