From: Bartek Przybylski
Date: Sun, 18 Sep 2011 13:05:53 +0000 (+0200)
Subject: remember changed not to store password in cookie
X-Git-Tag: v3.0~181
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=94696ea7dec2931f1e700a5e5261bd1dfabf3705;p=nextcloud-server.git

remember changed not to store password in cookie
---

diff --git a/index.php b/index.php
index 3c8a0e3bed6..5255e8fadbe 100644
--- a/index.php
+++ b/index.php
@@ -59,26 +59,18 @@ elseif(OC_User::isLoggedIn()) {
 	}
 }
-// Semeone set remember login when login
+// remember was checked after last login
 elseif(isset($_COOKIE["oc_remember_login"]) && $_COOKIE["oc_remember_login"]) {
 	OC_App::loadApps();
 	error_log("Trying to login from cookie");
-	if(OC_User::login($_COOKIE["oc_username"], $_COOKIE["oc_password"])) {
+	// confirm credentials in cookie
+	if(OC_User::userExists($_COOKIE['oc_username']) &&
+	   OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") == $_COOKIE['oc_token']) {
+		OC_User::setUserId($_COOKIE['oc_username']);
 		header("Location: ". $WEBROOT.'/'.OC_Appconfig::getValue("core", "defaultpage", "files/index.php"));
-		if(!empty($_POST["remember_login"])){
-			OC_User::setUsernameInCookie($_POST["user"], $_POST["password"]);
-		}
-		else {
-			OC_User::unsetUsernameInCookie();
-		}
-
 		exit();
 	} else {
-		if(isset($_COOKIE["username"])){
-			OC_Template::printGuestPage("", "login", array("error" => true, "username" => $_COOKIE["username"]));
-		}else{
-			OC_Template::printGuestPage("", "login", array("error" => true));
-		}
+		OC_Template::printGuestPage("", "login", array("error" => true));
 	}
 }
 
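Review bot: The cookie check `OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") == $_COOKIE['oc_token']` compares with `==`, so it accepts loosely-equal values rather than identical strings; in particular, when no token has ever been stored for that user (getValue presumably returns null or an empty default — the hunk does not show it), the comparison against an empty `oc_token` cookie holds and the remember-me path would log that user in without a valid token. Compare strictly and require a stored value, e.g. `$stored = OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token");` and `if(OC_User::userExists($_COOKIE['oc_username']) && $stored !== null && $stored !== '' && $stored === $_COOKIE['oc_token']) {` (on PHP 5.6+ `hash_equals($stored, $_COOKIE['oc_token'])` is the constant-time form). Note also that this path never calls OC_Crypt::init, unlike the password login in OC_User::login, so anything that depends on it being initialised will behave differently after a cookie login — worth a comment on the `OC_User::setUserId` line if that is intended. The if/elseif chain this block belongs to starts outside the hunk.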
@@ -89,10 +81,12 @@ elseif(isset($_POST["user"]) && isset($_POST['password'])) {
 		header("Location: ".$WEBROOT.'/'.OC_Appconfig::getValue("core", "defaultpage", "files/index.php"));
 		if(!empty($_POST["remember_login"])){
 			error_log("Setting remember login to cookie");
-			OC_User::setUsernameInCookie($_POST["user"], $_POST["password"]);
+			$token = md5($_POST["user"].time());
+			OC_Preferences::setValue($_POST['user'], 'login', 'token', $token);
+			OC_User::setMagicInCookie($_POST["user"], $token);
 		}
 		else {
-			OC_User::unsetUsernameInCookie();
+			OC_User::unsetMagicInCookie();
 		}
 		exit();
 	}
diff --git a/lib/user.php b/lib/user.php
index 72dfd7970bb..3e73b2f1008 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -194,16 +194,22 @@ class OC_User {
 		if( $run ){
 			$uid=self::checkPassword( $uid, $password );
 			if($uid){
-				$_SESSION['user_id'] = $uid;
 				OC_Crypt::init($uid,$password);
-				OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid ));
-				return true;
-			}else{
-				return false;
+				return self::setUserId($uid);
 			}
-		}else{
-			return false;
 		}
+		return false;
+	}
+
+	/**
+	 * @brief Sets user id for session and triggers emit
+	 * @returns true
+	 *
+	 */
+	public static function setUserId($uid) {
+		$_SESSION['user_id'] = $uid;
+		OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid ));
+		return true;
 	}
 
 	/**
@@ -215,7 +221,7 @@ class OC_User {
 	public static function logout(){
 		OC_Hook::emit( "OC_User", "logout", array());
 		$_SESSION['user_id'] = false;
-		OC_User::unsetUsernameInCookie();
+		OC_User::unsetMagicInCookie();
 		return true;
 	}
 
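Review bot: `$token = md5($_POST["user"].time());` builds the remember-me token from the username and the current second, so it is predictable from public inputs rather than random, yet it now grants a 15-day login the way the removed password cookie did. Generate it from a CSPRNG instead, e.g. `$token = bin2hex(openssl_random_pseudo_bytes(16));` (or `random_bytes(16)` on PHP 7+). The token is also persisted in cleartext by `OC_Preferences::setValue($_POST['user'], 'login', 'token', $token);`, so a read of the preferences store yields usable cookies; persisting a hash of the token and hashing the cookie value before comparing on the cookie path would limit that. Both lines sit inside the `if(OC_User::login(...))` block whose opening brace is above the hunk.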
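Review bot: `setUserId($uid)` is public and establishes a logged-in session for whatever uid it receives without checking anything, but its docblock only says it sets the user id and triggers emit, and it has no `@param`. Replace the docblock with `@brief Record $uid as the authenticated user of this session and emit post_login` / `@param string $uid user id the caller has ALREADY authenticated — no credential check is done here` / `@returns true`, and drop the stray empty ` *` line. Since login() now funnels through setUserId(), this is also the natural place for `session_regenerate_id(true);` before `$_SESSION['user_id'] = $uid;`, so a session id issued before authentication is not kept afterwards. The login() method's signature is above the hunk.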
@@ -341,21 +347,21 @@ class OC_User {
 	 * @brief Set cookie value to use in next page load
 	 * @param string $username username to be set
 	 */
-	public static function setUsernameInCookie($username, $password){
+	public static function setMagicInCookie($username, $token){
 		setcookie("oc_username", $username, time()+60*60*24*15);
-		setcookie("oc_password", $password, time()+60*60*24*15);
+		setcookie("oc_token", $token, time()+60*60*24*15);
 		setcookie("oc_remember_login", true, time()+60*60*24*15);
 	}
 
 	/**
 	 * @brief Remove cookie for "remember username"
 	 */
-	public static function unsetUsernameInCookie(){
+	public static function unsetMagicInCookie(){
 		unset($_COOKIE["oc_username"]);
-		unset($_COOKIE["oc_password"]);
+		unset($_COOKIE["oc_token"]);
 		unset($_COOKIE["oc_remember_login"]);
 		setcookie("oc_username", NULL, -1);
-		setcookie("oc_password", NULL, -1);
+		setcookie("oc_token", NULL, -1);
 		setcookie("oc_remember_login", NULL, -1);
 	}
 }
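Review bot: All three setcookie() calls in setMagicInCookie() omit the secure and httponly arguments, so `oc_token` — which now stands in for the password for 15 days — is readable from page scripts and is sent over plain HTTP as well as HTTPS. Pass them explicitly, e.g. `setcookie("oc_token", $token, time()+60*60*24*15, '', '', isset($_SERVER['HTTPS']), true);` (or whatever the project uses to detect TLS), and do the same for `oc_username` and `oc_remember_login`. The docblock above the signature still documents only `$username`; add `@param string $token remember-me token matching the value stored for the user` so the rename is reflected there too. The repeated `time()+60*60*24*15` could become a single named lifetime constant shared by all three calls.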