From 302284be34ec6342a279566e1167837033c6fd62 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Mon, 18 Feb 2008 20:03:45 +0000 Subject: [PATCH] major login problems fixed and some code-improvements --- inc/functions.php | 9 +- inc/libs/admins_functions.php | 8 +- inc/modules/admin.php | 145 ++++++++++---------------------- inc/modules/admin/admin-inc.php | 18 ++-- inc/session.php | 23 +++-- 5 files changed, 71 insertions(+), 132 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index c41ca16b82..ec45fdca53 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -2098,13 +2098,18 @@ function set_session ($var, $value) { // Remove the session //* DEBUG: */ echo "UNSET:".$var."=".$_SESSION[$var]."
\n"; unset($_SESSION[$var]); - return @session_register($var); + return session_unregister($var); } elseif (("".$value."" != "") && (!isset($_SESSION[$var]))) { // Set session //* DEBUG: */ echo "SET:".$var."=".$value."
\n"; $_SESSION[$var] = $value; - return true; + return session_register($var); } + + // Return always true if the session variable is already set. + // Keept me busy for a longer while... + //* DEBUG: */ echo "IGNORED:".$var."=".$value."
\n"; + return true; } // diff --git a/inc/libs/admins_functions.php b/inc/libs/admins_functions.php index c930c48184..b168a75d47 100644 --- a/inc/libs/admins_functions.php +++ b/inc/libs/admins_functions.php @@ -204,17 +204,17 @@ function ADMINS_CHANGE_ADMIN_ACCOUNT($POST) { $TIMEOUT = time() + bigintval($_SESSION['admin_to']); // Set timeout cookie - set_session("admin_last", time(), $TIMEOUT, COOKIE_PATH); + set_session("admin_last", time()); if ($login != $_SESSION['admin_login']) { // Update login cookie - set_session("admin_login", $login, $TIMEOUT, COOKIE_PATH); + set_session("admin_login", $login); // Update password cookie as well? - if (!empty($ADD)) set_session("admin_md5", $hash, $TIMEOUT, COOKIE_PATH); + if (!empty($ADD)) set_session("admin_md5", $hash); } elseif (generateHash($POST['pass1'][$id], $salt) != $_SESSION['admin_md5']) { // Update password cookie - set_session("admin_md5", $hash, $TIMEOUT, COOKIE_PATH); + set_session("admin_md5", $hash); } } diff --git a/inc/modules/admin.php b/inc/modules/admin.php index 058b1f8f0e..a4e8aeb1e4 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php @@ -32,15 +32,13 @@ ************************************************************************/ // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) -{ +if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; require($INC); } // Login is default -if ((empty($GLOBALS['action'])) && ($check == "admin_only")) -{ +if ((empty($GLOBALS['action'])) && ($check == "admin_only")) { // Redirect to right URL LOAD_URL("modules.php?module=admin&action=login"); } @@ -54,12 +52,10 @@ FIX_DELETED_COOKIES(array('admin_login', 'admin_md5', 'admin_last', 'admin_to')) // Is the logout empty? if (empty($_GET['logout'])) $_GET['logout'] = ""; -if (!admin_registered) -{ +if (!admin_registered) { // Admin is not registered so we have to inform the user if ((isset($_POST['ok'])) && ((empty($_POST['login'])) || (empty($_POST['pass'])) || (strlen($_POST['pass']) < 4))) $_POST['ok'] = "***"; - if ((isset($_POST['ok'])) && ($_POST['ok'] != "***")) - { + if ((isset($_POST['ok'])) && ($_POST['ok'] != "***")) { // Hash the password with our new generateHash() function $hashedPass = generateHash($_POST['pass']); @@ -72,14 +68,10 @@ if (!admin_registered) { case "done": admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0); - if (!_FATAL) - { - $URL = URL."/modules.php?module=admin&action=login®ister=done"; - LOAD_URL($URL); - die($URL); - } - else - { + if (!_FATAL) { + // Registering is done + LOAD_URL(URL."/modules.php?module=admin&action=login®ister=done"); + } else { $ret = ADMIN_CANNOT_COMPLETE; } break; @@ -90,18 +82,14 @@ if (!admin_registered) case "already": default: - if ($ret == "already") - { + if ($ret == "already") { // Admin does already exists! $ret = ADMIN_LOGIN_ALREADY_REG; - } - else - { + } else { // Any other kind $ret = "done"; } - if (!admin_registered) - { + if (!admin_registered) { // Write to config that registration is done admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0); @@ -112,8 +100,7 @@ if (!admin_registered) break; } } - if ($ret != "done") - { + if ($ret != "done") { // Fixes another "Notice" if (!empty($_POST['login'])) { define('__LOGIN_VALUE', $_POST['login']); @@ -122,8 +109,7 @@ if (!admin_registered) } // Yet-another "Notice" fix - if ((!empty($_POST['ok'])) && ($_POST['ok'] == "***")) - { + if ((!empty($_POST['ok'])) && ($_POST['ok'] == "***")) { // No login entered? if (empty($_POST['login'])) $MSG1 = ADMIN_NO_LOGIN; @@ -142,9 +128,7 @@ if (!admin_registered) // Reset variables $MSG1 = ""; $MSG2 = ""; - } - else - { + } else { // Reset values to nothing define('__MSG_LOGIN', ""); define('__MSG_PASS' , ""); @@ -153,18 +137,14 @@ if (!admin_registered) // Load register template LOAD_TEMPLATE("admin_reg_form"); } -} - elseif ((empty($_SESSION['admin_login'])) || (empty($_SESSION['admin_md5'])) || (empty($_SESSION['admin_last'])) || (empty($_SESSION['admin_to'])) || (($_SESSION['admin_last'] + bigintval($_SESSION['admin_to']) * 3600 * 24) < time())) -{ +} elseif ((empty($_SESSION['admin_login'])) || (empty($_SESSION['admin_md5'])) || (empty($_SESSION['admin_last'])) || (empty($_SESSION['admin_to'])) || (($_SESSION['admin_last'] + bigintval($_SESSION['admin_to']) * 3600 * 24) < time())) { // At leat one administrator account was created - if ((!empty($_SESSION['admin_login'])) && (!empty($_SESSION['admin_md5'])) && (!empty($_SESSION['admin_last'])) && (!empty($_SESSION['admin_to']))) - { + if ((!empty($_SESSION['admin_login'])) && (!empty($_SESSION['admin_md5'])) && (!empty($_SESSION['admin_last'])) && (!empty($_SESSION['admin_to']))) { // Timeout for last login, we have to logout first! $URL = URL."/modules.php?module=admin&action=login&logout=1"; LOAD_URL($URL); } - if (!empty($_GET['register'])) - { + if (!empty($_GET['register'])) { // Registration of first admin is done if ($_GET['register'] == "done") OUTPUT_HTML("".ADMIN_REGISTER_DONE.""); } @@ -172,16 +152,14 @@ if (!admin_registered) // Check if the admin has submitted data or not $ret = ""; if ((isset($_POST['ok'])) && ((empty($_POST['login'])) || (empty($_POST['pass'])) || (strlen($_POST['pass']) < 4))) $_POST['ok'] = "***"; - if ((isset($_POST['ok'])) && ($_POST['ok'] != "***")) - { + if ((isset($_POST['ok'])) && ($_POST['ok'] != "***")) { // All required data was entered so we check his account $ret = CHECK_ADMIN_LOGIN($_POST['login'], $_POST['pass']); switch ($ret) { case "done": // Admin and password are okay, so we log in now - $TIMEOUT = time() + (3600 * 24 * $_POST['timeout']); - if ((set_session("admin_md5", generatePassString(generateHash($_POST['pass'], __SALT)), $TIMEOUT, COOKIE_PATH)) && (set_session("admin_login", $_POST['login'], $TIMEOUT, COOKIE_PATH)) && (set_session("admin_last", time(), $TIMEOUT, COOKIE_PATH)) && (set_session("admin_to", $_POST['timeout'], $TIMEOUT, COOKIE_PATH))) - { + // Try to register the session variables + if ((set_session("admin_md5", generatePassString(generateHash($_POST['pass'], __SALT)))) && (set_session("admin_login", $_POST['login'])) && (set_session("admin_last", time())) && (set_session("admin_to", $_POST['timeout']))) { // Construct URL and redirect $URL = URL."/modules.php?module=admin&"; @@ -197,9 +175,7 @@ if (!admin_registered) // Load URL LOAD_URL($URL); - } - else - { + } else { OUTPUT_HTML("".ADMIN_LOGIN_FAILED.""); ADD_FATAL(CANNOT_REGISTER_SESS); } @@ -216,19 +192,14 @@ if (!admin_registered) break; } } - if ($ret != "done") - { - if (!empty($_POST['login'])) - { + if ($ret != "done") { + if (!empty($_POST['login'])) { define('__LOGIN_VALUE', $_POST['login']); - } - else - { + } else { define('__LOGIN_VALUE', ""); } - if (isset($_POST['ok'])) - { + if (isset($_POST['ok'])) { // Set messages to zero $MSG1 = ""; $MSG2 = ""; @@ -253,40 +224,28 @@ if (!admin_registered) // Reset variables $MSG1 = ""; $MSG2 = ""; - } - else - { + } else { // Set constants to empty for hiding them define('__MSG_LOGIN', ""); define('__MSG_PASS' , ""); } // Load login form - if (!empty($GLOBALS['what'])) - { + if (!empty($GLOBALS['what'])) { // Restore old what value $content = array('target' => "what", 'value' => $GLOBALS['what']); - } - elseif (!empty($GLOBALS['action'])) - { - if ($GLOBALS['action'] != "logout") - { + } elseif (!empty($GLOBALS['action'])) { + if ($GLOBALS['action'] != "logout") { // Restore old action value $content = array('target' => "action", 'value' => $GLOBALS['action']); - } - else - { + } else { // Set default values $content = array('target' => "action", 'value' => "login"); } - } - elseif (!empty($_GET['area'])) - { + } elseif (!empty($_GET['area'])) { // Restore old area value $content = array('target' => "area", 'value' => $_GET['area']); - } - else - { + } else { // Set default values $content = array('target' => "action", 'value' => "login"); } @@ -294,12 +253,9 @@ if (!admin_registered) // Load login form template LOAD_TEMPLATE("admin_login_form", false, $content); } -} - elseif ($_GET['logout'] == "1") -{ +} elseif ($_GET['logout'] == "1") { // Only try to remove cookies - if (set_session("admin_login", "", (time() - 3600), COOKIE_PATH) && set_session("admin_md5", "", (time() - 3600), COOKIE_PATH) && set_session("admin_last", "", (time() - 3600), COOKIE_PATH) && set_session("admin_to", "", (time() - 3600), COOKIE_PATH)) - { + if (set_session("admin_login", "", (time() - 3600), COOKIE_PATH) && set_session("admin_md5", "", (time() - 3600), COOKIE_PATH) && set_session("admin_last", "", (time() - 3600), COOKIE_PATH) && set_session("admin_to", "", (time() - 3600), COOKIE_PATH)) { // Also remove array elements unset($_SESSION['admin_login']); unset($_SESSION['admin_md5']); @@ -311,30 +267,22 @@ if (!admin_registered) // Load logout template LOAD_TEMPLATE("admin_logout"); - } - else - { + } else { // Something went wrong here... OUTPUT_HTML("".ADMIN_LOGOUT_FAILED.""); // Add fatal message ADD_FATAL(CANNOT_UNREG_SESS); } -} - else -{ +} else { // Maybe an Admin want's to login? $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE($_SESSION['admin_login']), SQL_ESCAPE($_SESSION['admin_md5'])); - switch ($ret) - { + switch ($ret) { case "done": // Cookie-Data accepted - $TIMEOUT = time() + bigintval($_SESSION['admin_to']); - if ((set_session("admin_md5", SQL_ESCAPE($_SESSION['admin_md5']), $TIMEOUT, COOKIE_PATH)) && (set_session("admin_login", SQL_ESCAPE($_SESSION['admin_login']), $TIMEOUT, COOKIE_PATH)) && (set_session("admin_last", time(), $TIMEOUT, COOKIE_PATH)) && (set_session("admin_to", bigintval($_SESSION['admin_to']), $TIMEOUT, COOKIE_PATH))) - { + if ((set_session("admin_md5", SQL_ESCAPE($_SESSION['admin_md5']))) && (set_session("admin_login", SQL_ESCAPE($_SESSION['admin_login']))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval($_SESSION['admin_to'])))) { // Ok, Cookie-Update done - if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) - { + if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) { // Check if action GET variable was set $act = SQL_ESCAPE($GLOBALS['action']); if (!empty($GLOBALS['what'])) { @@ -344,9 +292,7 @@ if (!admin_registered) // Check for access control line of current menu entry define('__ACL_ALLOW', ADMINS_CHECK_ACL($act, $GLOBALS['what'])); - } - else - { + } else { // Extension not installed so it's always allowed to access everywhere! define('__ACL_ALLOW', true); } @@ -355,8 +301,7 @@ if (!admin_registered) if (empty($_CONFIG['admin_menu'])) $_CONFIG['admin_menu'] = "OLD"; // Check for version and switch between old menu system and new "intelligent menu system" - if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (file_exists(PATH."inc/modules/admin/la_sys-inc.php"))) - { + if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (file_exists(PATH."inc/modules/admin/la_sys-inc.php"))) { // Default area is the entrance, of course $area = "entrance"; @@ -368,16 +313,12 @@ if (!admin_registered) // Create new-style menu system will "logical areas" ADMIN_LOGICAL_AREA_SYSTEM($area, $act, $GLOBALS['what']); - } - else - { + } else { // This little call constructs the whole default old and lacky menu system // on left side ADMIN_DO_ACTION($GLOBALS['what']); } - } - else - { + } else { // Login failed (cookies enabled?) OUTPUT_HTML("".ADMIN_LOGIN_FAILED.""); ADD_FATAL(CANNOT_RE_REGISTER_SESS); diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index cb17ba380c..c2a5e24458 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php @@ -127,24 +127,19 @@ function CHECK_ADMIN_LOGIN ($admin_login, $password) return $ret; } // Only be executed on cookie checking -function CHECK_ADMIN_COOKIES ($admin_login, $password) -{ +function CHECK_ADMIN_COOKIES ($admin_login, $password) { global $ADMINS, $_CONFIG; $ret = "404"; $pass = ""; - if (!empty($ADMINS['aid'][$admin_login])) - { + if (!empty($ADMINS['aid'][$admin_login])) { // Get password from cache $pass = $ADMINS['password'][$admin_login]; $ret = "pass"; $_CONFIG['cache_hits']++; - } - else - { + } else { // Get password from DB $result = SQL_QUERY_ESC("SELECT password FROM "._MYSQL_PREFIX."_admins WHERE login='%s' LIMIT 1", array($admin_login), __FILE__, __LINE__); - if (SQL_NUMROWS($result) == 1) - { + if (SQL_NUMROWS($result) == 1) { $ret = "pass"; list($pass) = SQL_FETCHROW($result); SQL_FREERESULT($result); @@ -154,11 +149,12 @@ function CHECK_ADMIN_COOKIES ($admin_login, $password) //* DEBUG: */ echo "*".$pass."/".$password."
"; // Check if password matches - if (($ret == "pass") && ((generatePassString($pass) == $password) || ($pass == $password))) - { + if (($ret == "pass") && ((generatePassString($pass) == $password) || ($pass == $password))) { // Passwords matches! $ret = "done"; } + + // Return result return $ret; } // diff --git a/inc/session.php b/inc/session.php index 268c2d4715..4d8c9d6013 100644 --- a/inc/session.php +++ b/inc/session.php @@ -32,8 +32,7 @@ ************************************************************************/ // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) -{ +if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; require($INC); } @@ -69,11 +68,11 @@ if (!empty($_POST['refid'])) { // Set refid=ref (the referral link uses such variable) $GLOBALS['refid'] = SQL_ESCAPE(strip_tags($_GET['ref'])); } elseif (!empty($_SESSION['refid'])) { - // Simply reset cookie + // Set session refid als global $GLOBALS['refid'] = bigintval($_SESSION['refid']); } elseif (GET_EXT_VERSION("sql_patches") != "") { // Set default refid as refid in URL - $GLOBALS['refid'] = $_CONFIG['def_refid']; + $GLOBALS['refid'] = bigintval($_CONFIG['def_refid']); } else { // No default ID when sql_patches is not installed $GLOBALS['refid'] = 0; @@ -85,19 +84,17 @@ if (empty($_SESSION['refid']) || (!empty($GLOBALS['refid'])) || (($_SESSION['ref set_session("refid", $GLOBALS['refid']); } -// Test cookies if index.php or modules.php is loaded -if ((basename($_SERVER['PHP_SELF']) == "index.php") || (basename($_SERVER['PHP_SELF']) == "modules.php") || (mxchange_installing)) -{ - if (count($_SESSION) > 0) - { - // Cookies accepted! +// Test session if index.php or modules.php is loaded +if ((basename($_SERVER['PHP_SELF']) == "index.php") || (basename($_SERVER['PHP_SELF']) == "modules.php") || (mxchange_installing)) { + if (count($_SESSION) > 0) { + // Session variables accepted! define('__COOKIES', true); - } - else - { + } else { // Cookies rejected! define('__COOKIES', false); } } +//* DEBUG: */ print("
".print_r($_SESSION, true)."
"); + // ?> -- 2.39.5