summaryrefslogtreecommitdiffstats
path: root/web/lib
diff options
context:
space:
mode:
Diffstat (limited to 'web/lib')
-rw-r--r--web/lib/acctfuncs.inc1
-rw-r--r--web/lib/aur.inc72
2 files changed, 7 insertions, 66 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index 2968adb..29c80de 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -603,7 +603,6 @@ function display_account_info($U="",$T="",
/*
* Returns SID (Session ID) and error (error message) in an array
* SID of 0 means login failed.
- * There should be a better way of doing this...I think
*/
function try_login() {
$login_error = "";
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index e7e8c49..168fa4b 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -9,6 +9,7 @@ include_once("config.inc");
include_once("aur_po.inc");
// TODO: remove this, move translations over for login form
include_once("index_po.inc");
+include_once("acctfuncs.inc");
# TODO do we need to set the domain on cookies? I seem to remember some
# security concerns about not using domains - but it's not like
@@ -71,7 +72,7 @@ function check_sid() {
global $_COOKIE;
global $LOGIN_TIMEOUT;
- if ($_COOKIE["AURSID"]) {
+ if (isset($_COOKIE["AURSID"])) {
$failed = 0;
# the visitor is logged in, try and update the session
#
@@ -285,18 +286,18 @@ function set_lang() {
global $SUPPORTED_LANGS;
$update_cookie = 0;
- if ($_REQUEST['setlang']) {
+ if (isset($_REQUEST['setlang'])) {
# visitor is requesting a language change
#
$LANG = $_REQUEST['setlang'];
$update_cookie = 1;
- } elseif ($_COOKIE['AURLANG']) {
+ } elseif (isset($_COOKIE['AURLANG'])) {
# If a cookie is set, use that
#
$LANG = $_COOKIE['AURLANG'];
- } elseif ($_COOKIE["AURSID"]) {
+ } elseif (isset($_COOKIE["AURSID"])) {
$dbh = db_connect();
$q = "SELECT LangPreference FROM Users, Sessions ";
$q.= "WHERE Users.ID = Sessions.UsersID ";
@@ -334,67 +335,8 @@ function html_header($title="") {
global $LANG;
global $SUPPORTED_LANGS;
- $login_error = "";
- if (isset($_POST["user"]) || isset($_POST["pass"])) {
- # Attempting to log in
- #
- if (!isset($_POST["user"]) || $_POST['user'] === "") {
- $login_error = __("You must supply a username.");
- }
- if ((!isset($_POST["pass"]) || $_POST['pass'] === "") && empty($login_error)) {
- $login_error = __("You must supply a password.");
- }
- if (!$login_error) {
- # Try and authenticate the user
- #
-
- #md5 hash it
- $_POST["pass"] = md5($_POST["pass"]);
- $dbh = db_connect();
- $q = "SELECT ID, Suspended FROM Users ";
- $q.= "WHERE Username = '" . mysql_real_escape_string($_POST["user"]) . "' ";
- $q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
- $result = db_query($q, $dbh);
- if (!$result) {
- $login_error = __("Login failure: Bad user or pass.");
- } else {
- $row = mysql_fetch_row($result);
- if (empty($row)) {
- $login_error = __("Login failure: Bad user or pass.");
- } elseif ($row[1]) {
- $login_error = __("Your account has been suspended.");
- }
- }
-
- if (!$login_error) {
- # Account looks good. Generate a SID and store it.
- #
- $logged_in = 0;
- $num_tries = 0;
- while (!$logged_in && $num_tries < 5) {
- $new_sid = new_sid();
- $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
- $q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
- $result = db_query($q, $dbh);
- # Query will fail if $new_sid is not unique
- #
- if ($result) {
- $logged_in = 1;
- break;
- }
- $num_tries++;
- }
- if ($logged_in) {
- # set our SID cookie
- #
- setcookie("AURSID", $new_sid, 0, "/");
- $_COOKIE['AURSID'] = $new_sid;
- } else {
- $login_error = __("Error trying to generate session id.");
- }
- }
- }
- }
+ $login = try_login();
+ $login_error = $login['error'];
$title = htmlspecialchars($title, ENT_QUOTES);