summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan McGee <dan@archlinux.org>2011-03-01 09:24:34 -0600
committerLukas Fleischer <archlinux@cryptocrack.de>2011-03-04 10:29:13 +0100
commit984ce9529c926c884136780d017ae90f0b82b54b (patch)
tree1c8019f8153798848c279f9e1e660b83ed6c8de2
parent90485e8f422cec6d23af38574a53705fa7de008b (diff)
downloadaurweb-984ce9529c926c884136780d017ae90f0b82b54b.tar.xz
Improve cookie handling
* Remove comment that is mostly bogus- the domain is automatically set. * When logging out, don't delete the language cookie. * Make the language cookie persistent. * Use the minimal time possible to expire cookies; no need to compute anything. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/logout.php5
-rw-r--r--web/lib/aur.inc20
2 files changed, 11 insertions, 14 deletions
diff --git a/web/html/logout.php b/web/html/logout.php
index 14c652e..95cf460 100644
--- a/web/html/logout.php
+++ b/web/html/logout.php
@@ -14,8 +14,9 @@ if (isset($_COOKIE["AURSID"])) {
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
- setcookie("AURLANG", "", time() - (60*60*24*30), "/");
+ # setting expiration to 1 means '1 second after midnight January 1, 1970'
+ setcookie("AURSID", "", 1, "/");
+ unset($_COOKIE['AURSID']);
}
clear_expired_sessions();
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index acf6a40..e7aaa1f 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -12,12 +12,6 @@ include_once("config.inc");
include_once("version.inc");
include_once("acctfuncs.inc");
-# TODO do we need to set the domain on cookies? I seem to remember some
-# security concerns about not using domains - but it's not like
-# we really care if another site can see what language/SID a user
-# is using...
-
-
# see if the visitor is already logged in
#
function check_sid() {
@@ -48,18 +42,16 @@ function check_sid() {
# clear out the hacker's cookie, and send them to a naughty page
# why do you have to be so harsh on these people!?
#
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ setcookie("AURSID", "", 1, "/");
unset($_COOKIE['AURSID']);
} elseif ($failed == 2) {
- # visitor's session id either doesn't exist, or the timeout
- # was reached and they must login again, send them back to
- # the main page where they can log in again.
+ # session id timeout was reached and they must login again.
#
$q = "DELETE FROM Sessions WHERE SessionID = '";
$q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
db_query($q, $dbh);
- setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ setcookie("AURSID", "", 1, "/");
unset($_COOKIE['AURSID']);
} else {
# still logged in and haven't reached the timeout, go ahead
@@ -257,6 +249,7 @@ function set_lang() {
global $_t;
global $LANG;
global $SUPPORTED_LANGS;
+ global $PERSISTENT_COOKIE_TIMEOUT;
$update_cookie = 0;
if (isset($_REQUEST['setlang'])) {
@@ -271,6 +264,8 @@ function set_lang() {
$LANG = $_COOKIE['AURLANG'];
} elseif (isset($_COOKIE["AURSID"])) {
+ # No language but a session; use default lang preference
+ #
$dbh = db_connect();
$q = "SELECT LangPreference FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
@@ -291,7 +286,8 @@ function set_lang() {
}
if ($update_cookie) {
- setcookie("AURLANG", $LANG, 0, "/");
+ $cookie_time = time() + $PERSISTENT_COOKIE_TIMEOUT;
+ setcookie("AURLANG", $LANG, $cookie_time, "/");
}
if ($LANG != "en" ) {