From 60403e95910ee466e0ef685b068facb88237721f Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Fri, 18 Dec 2009 22:15:11 +0000 Subject: [PATCH] Possible final fixes for user login, debug lines rewritten to logfile, some old lost code removed in inc/session.php which causes a to early call of isMember() --- inc/functions.php | 18 +++++++++--------- inc/libs/user_functions.php | 6 ++---- inc/mysql-manager.php | 21 ++++++++++++++------- inc/session.php | 12 ------------ 4 files changed, 25 insertions(+), 32 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index b56975ac61..c6739d34ed 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -2236,22 +2236,22 @@ function encodeHashForCookie ($passHash) { $ret = $passHash; // Is a secret key and master salt already initialized? - //* DEBUG: */ outputHtml(__FUNCTION__.':'.intval(isExtensionInstalled('sql_patches')).'/'.intval(isConfigEntrySet('_PRIME')).'/'.intval(isConfigEntrySet('secret_key')).'/'.intval(isConfigEntrySet('master_salt')).'
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, intval(isExtensionInstalled('sql_patches')) . '/' . intval(isConfigEntrySet('_PRIME')) . '/' . intval(isConfigEntrySet('secret_key')) . '/' . intval(isConfigEntrySet('master_salt'))); if ((isExtensionInstalled('sql_patches')) && (isConfigEntrySet('_PRIME')) && (isConfigEntrySet('secret_key')) && (isConfigEntrySet('master_salt'))) { // Only calculate when the secret key is generated - //* DEBUG: */ outputHtml(__FUNCTION__.':'.strlen($passHash).'/'.strlen(getConfig('secret_key')).'
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, strlen($passHash) . '/' . strlen(getConfig('secret_key'))); if ((strlen($passHash) != 49) || (strlen(getConfig('secret_key')) != 40)) { // Both keys must have same length so return unencrypted - logDebugMessage(__FUNCTION__, __LINE__, strlen($passHash).'!=49/'.strlen(getConfig('secret_key')).'!=40'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, strlen($passHash) . '!=49/' . strlen(getConfig('secret_key')) . '!=40'); return $ret; } // END - if $newHash = ''; $start = 9; - //* DEBUG: */ outputHtml('passHash=' . $passHash . '(' . strlen($passHash) . ')
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'passHash=' . $passHash . '(' . strlen($passHash) . ')'); for ($idx = 0; $idx < 20; $idx++) { $part1 = hexdec(substr($passHash, ($idx * 2) + (strlen($passHash) - strlen(getConfig('secret_key'))), 2)); $part2 = hexdec(substr(getConfig('secret_key'), $start, 2)); - //* DEBUG: */ outputHtml('part1='.$part1.'/part2='.$part2.'
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'part1=' . $part1 . '/part2=' . $part2); $mod = dechex($idx); if ($part1 > $part2) { $mod = dechex(sqrt(($part1 - $part2) * getConfig('_PRIME') / pi())); @@ -2259,19 +2259,19 @@ function encodeHashForCookie ($passHash) { $mod = dechex(sqrt(($part2 - $part1) * getConfig('_PRIME') / pi())); } $mod = substr($mod, 0, 2); - //* DEBUG: */ outputHtml('part1='.$part1.'/part2='.$part2.'/mod=' . $mod . '('.strlen($mod).')
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'part1=' . $part1 . '/part2=' . $part2 . '/mod=' . $mod . '(' . strlen($mod) . ')'); $mod = str_repeat(0, (2 - strlen($mod))) . $mod; - //* DEBUG: */ outputHtml('mod(' . ($idx * 2) . ')=' . $mod . '*
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'mod(' . ($idx * 2) . ')=' . $mod . '*'); $start += 2; $newHash .= $mod; } // END - for - //* DEBUG: */ outputHtml($passHash . '
' . $newHash . ' (' . strlen($newHash) . ')
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, $passHash . ',' . $newHash . ' (' . strlen($newHash) . ')'); $ret = generateHash($newHash, getConfig('master_salt')); - //* DEBUG: */ outputHtml('ret=' . $ret . '
'); } // END - if // Return result + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'ret=' . $ret . ''); return $ret; } diff --git a/inc/libs/user_functions.php b/inc/libs/user_functions.php index a3772fa4f5..5ba0d3f8d9 100644 --- a/inc/libs/user_functions.php +++ b/inc/libs/user_functions.php @@ -330,16 +330,14 @@ function doUserLogin ($userid, $passwd, $successUrl = '', $errorUrl = 'modules.p if ((getExtensionVersion('bonus') >= '0.3.5') && (getConfig('bonus_mode') != 'ADD')) handleBonusPoints('login_bonus'); } // END - if - // Calculate new hash with the secret key and master salt together - $content['hash'] = encodeHashForCookie($content['hash']); - // @TODO Make this filter working: $URL = runFilterChain('do_login', array('content' => $content, 'addon' => $ADDON)); // Set member id setMemberId($userid); // Try to set session data (which shall normally always work!) - if ((setSession('userid', $userid )) && (setSession('u_hash', $content['hash']))) { + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'userid=' . $userid . ',hash=' . $content['hash'] . '(' . strlen($content['hash']) . ')'); + if ((setSession('userid', $userid )) && (setSession('u_hash', encodeHashForCookie($content['hash'])))) { // Update database records SQL_QUERY_ESC("UPDATE `{?_MYSQL_PREFIX?}_user_data` SET `total_logins`=`total_logins`+1" . $add . " WHERE `userid`=%s LIMIT 1", array($userid), __FUNCTION__, __LINE__); diff --git a/inc/mysql-manager.php b/inc/mysql-manager.php index f3ef16d593..9033db1373 100644 --- a/inc/mysql-manager.php +++ b/inc/mysql-manager.php 
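Review bot: The debug lines added in encodeHashForCookie put the raw stored password hash and the derived cookie value into the logfile as soon as they are enabled: the `'passHash=' . $passHash` line, the `$passHash . ',' . $newHash` line, and the new `'ret=' . $ret` line, which now sits after the `if` block and so also fires in the "return unencrypted" case where `$ret` is still the plain password hash. The same values go into the disabled lines of doUserLogin (`'hash=' . $content['hash']`), isMember in the -591 hunk (`$valPass`, `getSession('u_hash')`, `getUserData('password')`) and isAdmin in the -706 and -736 hunks (`$passCookie`, `$valPass`). Log lengths only, e.g. `//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'passHash length=' . strlen($passHash) . ',ret length=' . strlen($ret));`, so that enabling the debug output does not leak credential material. The trailing `. ''` on the ret line is a no-op and can be dropped.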
@@ -559,13 +559,17 @@ function isMember () { // is the cache entry there? if (isset($GLOBALS['is_member'])) { // Then return it + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'CACHED! (' . intval($GLOBALS['is_member']) . ')'); return $GLOBALS['is_member']; - } elseif (getMemberId() == '0') { + } elseif ((!isSessionVariableSet('userid')) || (!isSessionVariableSet('u_hash'))) { // No member + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'No member set in cookie/session.'); return false; } else { - // Transfer userid=>current - setCurrentUserid(getMemberId()); + // Get it secured from session + setMemberId(getSession('userid')); + setCurrentUserId(getMemberId()); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'userid=' . getSession('userid') . ' used from cookie/session.'); } // Init user data array @@ -591,15 +595,17 @@ function isMember () { $ret = true; } else { // Maybe got locked etc. - logDebugMessage(__FUNCTION__, __LINE__, 'status=' . getUserData('status')); + //* DEBUG */ logDebugMessage(__FUNCTION__, __LINE__, 'status=' . getUserData('status') . ',' . $valPass . '(' . strlen($valPass) . ')/' . getSession('u_hash') . '(' . strlen(getSession('u_hash')) . ')/' . getUserData('password') . '(' . strlen(getUserData('password')) . ')'); destroyMemberSession(); } } else { // Cookie data is invalid! + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Cookie data invalid or user not found.'); destroyMemberSession(); } } else { // Cookie data is invalid! + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'Cookie data not complete.'); destroyMemberSession(); } @@ -607,6 +613,7 @@ function isMember () { $GLOBALS['is_member'] = $ret; // Return status + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'ret=' . intval($ret)); return $ret; } @@ -698,7 +705,7 @@ function isAdmin ($adminLogin = '') { $ret = false; $passCookie = ''; $valPass = ''; - //* DEBUG: */ print(__FUNCTION__.':'.$adminLogin.'
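Review bot: In the new else branch of isMember, `setMemberId(getSession('userid'))` stores the session-supplied userid as the member id before the password hash check further down has run, so the id is trusted until one of the `Cookie data is invalid!` branches calls destroyMemberSession(); whether that call also clears the member id is not visible in the hunk and should be confirmed. The raw session value is also concatenated unsanitised into the debug message and then used for the user-data lookup; cast it first and treat 0 as "no member", e.g. `setMemberId(intval(getSession('userid')));` (or the project's own numeric sanitiser), keeping the `isSessionVariableSet` guards that the commit introduces. isMember's body continues outside these hunks.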
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, $adminLogin.'
'); // If admin login is not given take current from cookies... if ((empty($adminLogin)) && (isSessionVariableSet('admin_login')) && (isSessionVariableSet('admin_md5'))) { @@ -706,7 +713,7 @@ function isAdmin ($adminLogin = '') { $adminLogin = getSession('admin_login'); $passCookie = getSession('admin_md5'); } // END - if - //* DEBUG: */ print(__FUNCTION__.':'.$adminLogin.'/'.$passCookie.'
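Review bot: The converted debug line in isAdmin keeps the trailing line break (a literal newline inside the string) that the old print() output needed, while the other conversions in this commit drop it; the logfile message should end with the value, and the `$adminLogin.'/'.$passCookie` line in the next hunk has the same leftover. Write it as `//* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, 'adminLogin=' . $adminLogin);`, which also matches the `key=value` form used in the other new debug lines. isAdmin's body continues outside the hunk.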
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, $adminLogin.'/'.$passCookie.'
'); // Do we have cache? if (!isset($GLOBALS['is_admin'][$adminLogin])) { @@ -736,7 +743,7 @@ function isAdmin ($adminLogin = '') { if (!empty($valPass)) { // Check if password is valid - //* DEBUG: */ print(__FUNCTION__ . ':(' . $valPass . '==' . $passCookie . ')='.intval($valPass == $passCookie).'
'); + //* DEBUG: */ logDebugMessage(__FUNCTION__, __LINE__, '(' . $valPass . '==' . $passCookie . ')='.intval($valPass == $passCookie)); $GLOBALS['is_admin'][$adminLogin] = (($valPass == $passCookie) || ((strlen($valPass) == 32) && ($valPass == md5($passCookie))) || (($valPass == '*FAILED*') && (!isExtensionActive('cache')))); } // END - if } // END - if diff --git a/inc/session.php b/inc/session.php index 8d8d5b7cf9..82c472d0f2 100644 --- a/inc/session.php +++ b/inc/session.php @@ -62,17 +62,5 @@ loadLanguageFile(); // Determine and set referal id determineReferalId(); -// Transfer userid from session and validate it -if (isSessionVariableSet('userid')) { - // Get it secured from session - setMemberId(getSession('userid')); - - // Is it valid? - if (!isMember()) { - // Then destroy the user id - destroyMemberSession(); - } // END - if -} // END - if - // [EOF] ?> -- 2.39.5
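Review bot: The new debug line in isAdmin reproduces the loose `$valPass == $passCookie` comparison of the context line below it, so the logged result inherits PHP's numeric-string coercion rules for `==`; both operands are hash strings here, and a strict `===` in the debug message and in the `$GLOBALS['is_admin'][$adminLogin]` assignment would make the logged and the effective result agree without coercion. The surrounding check is pre-existing, so this is a follow-up rather than a defect the commit introduces. isAdmin's body continues outside the hunk.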