From 84e15d0463726fe03b0cdb5a690621330034e737 Mon Sep 17 00:00:00 2001
From: eric
Date: Sun, 20 Jun 2004 23:26:28 +0000
Subject: finished the login/logout/session stuff

---
 web/lib/aur.inc | 95 ++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 77 insertions(+), 18 deletions(-)
(limited to 'web/lib')

diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index a333576..54ec5ef 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -3,18 +3,24 @@ include_once("aur_po.inc");
 # Define global variables
 #
-$PASS_PHRASE = "Dustyissocool";
-$SUPPORTED_LANGS = array(
+$LOGIN_TIMEOUT = 10; # number of idle seconds before timeout
+$SUPPORTED_LANGS = array( # what languages we have translations for
 "en" => 1, # English
 "es" => 1, # Español
 "de" => 1, # Deutsch
 "fr" => 1, # Français
 );
+# debugging variables
+#
+$QBUG = 1; # toggle query logging to /tmp/aurq.log
+$DBUG = 1; # use dbug($msg) to log to /tmp/aurd.log
+
 # see if the visitor is already logged in
 #
 function check_sid() {
 global $_COOKIE;
+ global $LOGIN_TIMEOUT;
 if (isset($_COOKIE["AURSID"])) {
 $failed = 0;
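Review bot: `$QBUG = 1` and `$DBUG = 1` turn debug logging on by default, and both log files sit at fixed names under the shared /tmp directory, where any local user can read them or pre-create them. Because db_query() in this commit writes every SQL statement verbatim and check_sid() embeds the AURSID cookie value in its queries, /tmp/aurq.log will accumulate live session identifiers for every visitor for as long as this stays enabled. Default both flags to off and say why on the line: `$QBUG = 0; # toggle query logging to /tmp/aurq.log -- logs raw SQL incl. session IDs, keep off in production`. `$LOGIN_TIMEOUT = 10` also reads like a test value, since ten idle seconds would log users out between page views; presumably it is meant to grow before release.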
@@ -23,28 +29,45 @@ function check_sid() {
 $dbh = db_connect();
 $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
 $q.= "WHERE SessionID = '" . mysql_escape_string($_COOKIE["AURSID"]) . "'";
- $result = mysql_query($q, $dbh);
+ $result = db_query($q, $dbh);
 if (!$result) {
+ # Invalid SessionID - hacker alert!
+ #
 $failed = 1;
 } else {
- if ($row[0] + 10 >= $row[1]) {
- $failed = 1;
+ $row = mysql_fetch_row($result);
+ if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) {
+ dbug("login timeout reached");
+ $failed = 2;
 }
 }
- if ($failed) {
+ if ($failed == 1) {
+ # clear out the hacker's cookie, and send them to a naughty page
+ #
+ setcookie("AURSID", "", time() - (60*60*24*30), "/");
+ header("Location: /hacker.php");
+
+ } elseif ($failed == 2) {
 # visitor's session id either doesn't exist, or the timeout
 # was reached and they must login again, send them back to
 # the main page where they can log in again.
 #
 $q = "DELETE FROM Sessions WHERE SessionID = '";
 $q.= mysql_escape_string($_COOKIE["AURSID"]) . "'";
- mysql_query($q, $dbh);
+ db_query($q, $dbh);
 setcookie("AURSID", "", time() - (60*60*24*30), "/");
 header("Location: /timeout.php");
+
+ } else {
+ # still logged in and haven't reached the timeout, go ahead
+ # and update the idle timestamp
+ #
+ $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
+ $q.= "WHERE SessionID = '".mysql_escape_string($_COOKIE["AURSID"])."'";
+ db_query($q, $dbh);
 }
 }
- return;
 }

@@ -81,7 +104,7 @@ function username_from_sid($sid="") {
 $q.= "FROM Users, Sessions ";
 $q.= "WHERE Users.ID = Sessions.UsersID ";
 $q.= "AND SessionID = '" . mysql_escape_string($sid) . "'";
- $result = mysql_query($q, $dbh);
+ $result = db_query($q, $dbh);
 if (!$result) {
 return "";
 }
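Review bot: Neither redirect in check_sid() stops the script: after `header("Location: /hacker.php");` and `header("Location: /timeout.php");` execution falls out of the if-chain and the calling page keeps rendering with the stale `$_COOKIE["AURSID"]` still set, so a rejected session is only kept out if the client honours the redirect. Add `exit;` directly after each header() call. The `!$result` branch also does not detect an unknown session ID, only a failed query: a SessionID with no row yields a valid empty result, mysql_fetch_row() returns false, and `$row[0] + $LOGIN_TIMEOUT <= $row[1]` is evaluated with a null `$row[0]`, so unknown IDs land in the timeout branch while a database error is what actually reaches /hacker.php. Test the fetched row explicitly, e.g. `if (!$row) { $failed = 1; } elseif ($row[0] + $LOGIN_TIMEOUT <= $row[1]) {`, and decide whether "doesn't exist" belongs to the hacker or the timeout path, since the two comments currently disagree. The opening of check_sid() lies before this hunk.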
@@ -111,6 +134,26 @@ function db_connect() {
 return $handle;
 }
+# wrapper function around db_query in case we want to put
+# query logging/debuggin in.
+#
+function db_query($query="", $db_handle="") {
+ global $QBUG;
+ if (!$query) {
+ return FALSE;
+ }
+ if (!$db_handle) {
+ $db_handle = db_connect();
+ }
+ if ($QBUG) {
+ $fp = fopen("/tmp/aurq.log", "a");
+ fwrite($fp, $query . "\n");
+ fclose($fp);
+ }
+ $result = mysql_query($query, $db_handle);
+ return $result;
+}
+
 # set up the visitor's language
 #
 function set_lang() {

@@ -152,6 +195,7 @@ function set_lang() {
 # common header
 #
 function html_header() {
+ global $_COOKIE;
 print "\n";
 print "\n";
 print "";

@@ -205,14 +249,20 @@ function html_header() {
 print " ".__("Accounts")." ";
 print " - ";
 print " ".__("Packages")." ";
- print " - ";
- print " ".__("Vote")." ";
- print " - ";
- print " ".__("Manage")." ";
- print " - ";
- print " ".__("Submit")." ";
- print " - ";
- print " ".__("Logout")." ";
+ if (isset($_COOKIE["AURSID"])) {
+ # Only display these items if the visitor is logged in. This should
+ # be a safe check because check_sid() has been called prior to
+ # html_header().
+ #
+ print " - ";
+ print " ".__("Vote")." ";
+ print " - ";
+ print " ".__("Manage")." ";
+ print " - ";
+ print " ".__("Submit")." ";
+ print " - ";
+ print " ".__("Logout")." ";
+ }
 print " :.";
 print " ";
 print " ";

@@ -237,10 +287,19 @@ function html_footer($ver="") {
 print "".$ver."\n";
 print "\n";
 }
- print "<\p>\n";
+ print "

\n";
 print "\n";
 return;
 }
+# debug logging
+#
+function dbug($msg) {
+ $fp = fopen("/tmp/aurd.log", "a");
+ fwrite($fp, $msg . "\n");
+ fclose($fp);
+ return;
+}
+
 # vim: ts=2 sw=2 noet ft=php
 ?>
-- cgit v1.2.3-70-g09d2
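Review bot: The result of `fopen("/tmp/aurq.log", "a")` in db_query() is never checked, so when the file cannot be opened (permissions, or another local user already owns it) fwrite() and fclose() receive false and raise a warning on every single query while the query itself still runs. A fixed filename in the shared /tmp directory is also the classic pre-creation/symlink target: any local user can create /tmp/aurq.log first and then read the full SQL stream, which includes the session IDs quoted into the check_sid() queries. At minimum guard the handle, `if ($QBUG && ($fp = fopen("/tmp/aurq.log", "a"))) {`, and preferably keep the log under a directory only the web server can read or hand it to `error_log()`. Minor: `if (!$query)` rejects the string "0" as well as the empty string; `$query === ""` is the intended test.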
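Review bot: `isset($_COOKIE["AURSID"])` only proves the browser sent a cookie named AURSID, not that check_sid() accepted it: setcookie() in check_sid() does not remove the key from `$_COOKIE`, and check_sid() returns after header() without exiting, so a request carrying an expired or fabricated AURSID still gets the Vote/Manage/Submit/Logout links rendered. The comment's claim that this "should be a safe check" is therefore not supported by the code in this commit; the links are harmless only if each target page re-validates the session itself. Either have check_sid() `unset($_COOKIE["AURSID"]);` at the point where it clears the cookie, or gate this block on a validated lookup such as `if (isset($_COOKIE["AURSID"]) && username_from_sid($_COOKIE["AURSID"]) != "") {`, and reword the comment to name which of the two actually guarantees it. html_header() begins and ends outside this hunk.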
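Review bot: dbug() never reads `$DBUG`, so the flag this commit introduces as "use dbug($msg) to log" has no effect and the `dbug("login timeout reached")` call in check_sid() writes on every timeout regardless of the setting. The fopen() result is also unchecked, and /tmp/aurd.log has the same fixed-name-in-/tmp exposure as the query log: a local user can pre-create it and capture whatever gets logged. Honour the flag and check the handle as below, and consider making the log location a setting the deployer controls rather than a hard-coded /tmp path.
```php
function dbug($msg) {
	global $DBUG;
	if (!$DBUG) {
		return;
	}
	$fp = fopen("/tmp/aurd.log", "a");
	if ($fp) {
		fwrite($fp, $msg . "\n");
		fclose($fp);
	}
	return;
}
```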