better error reporting for rememberme cookie handling
authorEvan Prodromou <evan@prodromou.name>
Tue, 9 Dec 2008 17:04:13 +0000 (12:04 -0500)
committerEvan Prodromou <evan@prodromou.name>
Tue, 9 Dec 2008 17:04:13 +0000 (12:04 -0500)
rememberme cookies are probably the most complained-about parts of the
system. We use "weak", one-use, low-info cookies that don't allow
changing settings like passwords or email addresses.

This change adds some better error-reporting to the rememberme
function. Hopefully we'll find out if there are other rm problems.

darcs-hash:20081209170413-84dde-6845ae5524d3ee1d1a491548bb22386f11f0e867.gz

lib/util.php

index 259ea7a968f0a15424aeca51a1526f56b881e989..0e0198ee30f2484e0940a33347f8d3650cc823ea 100644 (file)
@@ -620,33 +620,65 @@ function common_rememberme($user=NULL) {
 }
 
 function common_remembered_user() {
+
        $user = NULL;
-       # Try to remember
-       $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : '';
-       if ($packed) {
-               list($id, $code) = explode(':', $packed);
-               if ($id && $code) {
-                       $rm = Remember_me::staticGet($code);
-                       if ($rm && ($rm->user_id == $id)) {
-                               $user = User::staticGet($rm->user_id);
-                               if ($user) {
-                                       # successful!
-                                       $result = $rm->delete();
-                                       if (!$result) {
-                                               common_log_db_error($rm, 'DELETE', __FILE__);
-                                               $user = NULL;
-                                       } else {
-                                               common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
-                                               common_set_user($user->nickname);
-                                               common_real_login(false);
-                                               # We issue a new cookie, so they can log in
-                                               # automatically again after this session
-                                               common_rememberme($user);
-                                       }
-                               }
-                       }
-               }
-       }
+
+       $packed = isset($_COOKIE[REMEMBERME]) ? $_COOKIE[REMEMBERME] : NULL;
+
+       if (!$packed) {
+        return NULL;
+    }
+
+    list($id, $code) = explode(':', $packed);
+
+    if (!$id || !$code) {
+        common_warning('Malformed rememberme cookie: ' . $packed);
+        common_forgetme();
+        return NULL;
+    }
+
+    $rm = Remember_me::staticGet($code);
+
+    if (!$rm) {
+        common_warning('No such remember code: ' . $code);
+        common_forgetme();
+        return NULL;
+    }
+
+    if ($rm->user_id != $id) {
+        common_warning('Rememberme code for wrong user: ' . $rm->user_id . ' != ' . $id);
+        common_forgetme();
+        return NULL;
+    }
+
+    $user = User::staticGet($rm->user_id);
+
+    if (!$user) {
+        common_warning('No such user for rememberme: ' . $rm->user_id);
+        common_forgetme();
+        return NULL;
+    }
+
+       # successful!
+    $result = $rm->delete();
+
+    if (!$result) {
+        common_log_db_error($rm, 'DELETE', __FILE__);
+        common_warning('Could not delete rememberme: ' . $code);
+        common_forgetme();
+        return NULL;
+    }
+
+    common_log(LOG_INFO, 'logging in ' . $user->nickname . ' using rememberme code ' . $rm->code);
+
+    common_set_user($user->nickname);
+    common_real_login(false);
+
+    # We issue a new cookie, so they can log in
+    # automatically again after this session
+
+    common_rememberme($user);
+
        return $user;
 }
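Review bot: The new `common_warning` calls that concatenate `$packed` or `$code` write the cookie's secret into the log, and on the delete-failure path ("Could not delete rememberme") that code is still a live row in the database, so anyone who can read the log gets a working login token. Log the user id instead, e.g. `common_warning('Could not delete rememberme for user ' . $rm->user_id);`, and for the malformed case report only that the cookie was malformed rather than echoing `$packed`. Separately, `$rm->user_id != $id` compares a database value with a cookie-supplied string using loose comparison; `(int) $rm->user_id !== (int) $id` makes the intended check explicit. When the cookie has no colon, `explode(':', $packed)` yields one element and `list($id, $code)` raises an undefined-offset notice before the malformed check runs; `explode(':', $packed, 2)` followed by a `count()` check avoids that. The body also mixes tab and four-space indentation (the `$user = NULL;`, `$packed =`, `# successful!` and `return $user;` lines versus the rest), and `$user = NULL;` is now dead since every path either assigns `$user` or returns.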