some http auth fixes

This commit is contained in:
Andrew Dolgov 2005-11-23 14:52:02 +01:00
parent 81dde650b6
commit f557cd78ff
3 changed files with 63 additions and 32 deletions

View File

@ -606,6 +606,8 @@
db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " . db_query($link, "UPDATE ttrss_users SET last_login = NOW() WHERE id = " .
$_SESSION["uid"]); $_SESSION["uid"]);
initialize_user_prefs($link, $_SESSION["uid"]);
return true; return true;
} }
@ -613,27 +615,6 @@
} }
function http_authenticate_user($link, $force_logout) {
if (!$_SERVER['PHP_AUTH_USER'] || $force_logout) {
if ($force_logout) logout_user();
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
header('HTTP/1.0 401 Unauthorized');
print "<h1>401 Unathorized</h1>";
exit;
} else {
$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
$password = db_escape_string($_SERVER['PHP_AUTH_PW']);
return authenticate_user($link, $login, $password);
}
}
function make_password($length = 8) { function make_password($length = 8) {
$password = ""; $password = "";
@ -672,10 +653,7 @@
} }
function logout_user() { function logout_user() {
$_SESSION["uid"] = null; session_destroy();
$_SESSION["name"] = null;
$_SESSION["access_level"] = null;
session_destroy();
} }
function login_sequence($link) { function login_sequence($link) {
@ -687,9 +665,24 @@
exit; exit;
} }
} else { } else {
if (!http_authenticate_user($link, false)) { if (!$_SESSION["uid"]) {
exit; if (!$_SERVER["PHP_AUTH_USER"]) {
}
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
header('HTTP/1.0 401 Unauthorized');
exit;
} else {
$auth_result = authenticate_user($link,
$_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]);
if (!$auth_result) {
header('WWW-Authenticate: Basic realm="Tiny Tiny RSS"');
header('HTTP/1.0 401 Unauthorized');
exit;
}
}
}
} }
} else { } else {
$_SESSION["uid"] = 1; $_SESSION["uid"] = 1;

View File

@ -8,7 +8,25 @@
if (!USE_HTTP_AUTH) { if (!USE_HTTP_AUTH) {
header("Location: login.php"); header("Location: login.php");
} else { } else { ?>
header("Location: tt-rss.php");
} <html>
?> <head>
<title>Tiny Tiny RSS : Logout</title>
<link rel="stylesheet" type="text/css" href="tt-rss.css">
<body class="logoutBody">
<div class="logoutContent">
<h1>You have been logged out.</h1>
<p><span class="logoutWarning">Warning:</span>
As there is no way to reliably clear HTTP Authentication
credentials from your browser, it is recommended for you to close
this browser window, otherwise your browser could automatically
authenticate again using previously supplied credentials, which
is a security risk.</p>
</div>
</body>
</html>
<? } ?>

View File

@ -636,3 +636,23 @@ span.insensitive {
div.prefGenericAddBox { div.prefGenericAddBox {
margin : 5px; margin : 5px;
} }
body.logoutBody {
background-color : #f0f0f0;
color : black;
}
span.logoutWarning {
color : red;
font-weight : bold;
}
div.logoutContent {
width : 600px;
border : 1px solid #c0c0c0;
background-color : white;
margin-left : auto;
margin-right : auto;
margin-top : 20px;
padding : 10px;
}