Commit ead77f90 authored by chealer's avatar chealer

[MOD][SEC] Remove Standard Remember method for persistent login and use Simple...

[MOD][SEC] Remove Standard Remember method for persistent login and use Simple instead. IP address and user agent are no longer checked
parent 05bc7c06
......@@ -222,15 +222,6 @@ function prefs_global_list() {
'hint' => tra("The group will be named identical to the user's username"),
'help' => 'Groups',
),
'remembermethod' => array(
'name' => tra('Method'),
'type' => 'list',
'options' => array(
'' => tra('Standard'),
'simple' => tra('Simple'),
),
'hint' => tra('"Standard" uses the client\'s IP and is more secure. "Simple" uses a unique ID and is more reliable'),
),
'remembertime' => array(
'name' => tra('Duration'),
'type' => 'list',
......
......@@ -963,7 +963,6 @@ function get_default_prefs() {
'registerPasscode' => isset($tikilib) ? md5($tikilib->genPass()) : md5(mt_rand()),
'rememberme' => 'disabled',
'remembertime' => 7200,
'remembermethod' => 'simple', // '' = IP based (more secure but not reliable) | 'simple' = unique id based (default)
'feature_clear_passwords' => 'n',
'feature_crypt_passwords' => (CRYPT_MD5 == 1)? 'crypt-md5': 'tikihash',
'feature_challenge' => 'n',
......
......@@ -2558,30 +2558,21 @@ class UsersLib extends TikiLib
}
function get_cookie_check() {
global $prefs;
if ($prefs['remembermethod'] == 'simple') {
// this only makes sense in setting the cookie - it will always be different if checked
return md5(session_id() . uniqid(mt_rand(), true));
} else {
return md5($this->get_ip_address().$_SERVER['HTTP_USER_AGENT']);
}
return md5(session_id() . uniqid(mt_rand(), true));
}
function get_user_by_cookie($hash,$bypasscheck=false) {
function get_user_by_cookie($hash) {
global $prefs;
list($check,$expire,$userCookie) = explode('.',$hash, 3);
if ($check == $this->get_cookie_check() or $bypasscheck or $prefs['remembermethod'] == 'simple') {
$query = 'select `user` from `tiki_user_preferences` where `prefName`=? and `value` like ? and `user`=?';
$user = $this->getOne($query, array('cookie',"$check.%",$userCookie));
// $fp=fopen('temp/interlogtest','a+');fputs($fp,"main gubc -- $check.$expire.$userCookie -- $user --\n");fclose($fp);
if ($user) {
if ($expire < $this->now) {
$query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
$user = $this->query($query, array('cookie',$hash));
return false;
} else {
return $user;
}
$query = "select `user` from `tiki_user_preferences` where `prefName`='cookie' and `value` like ? and `user`=?";
if ($this->getOne($query, array("$check.%",$userCookie))) {
if ($expire < $this->now) {
$query = 'delete from `tiki_user_preferences` where `prefName`=? and `value`=?';
$this->query($query, array('cookie',$hash));
return false;
} else {
return $userCookie;
}
}
return false;
......
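Review bot: In `get_user_by_cookie` the lookup is still a `like ?` bound to `"$check.%"`, and with the `$check == $this->get_cookie_check()` guard removed this LIKE is now the only thing tying the presented cookie to a stored one, yet `$check` comes straight from the cookie and is never validated, so `%` or `_` characters in it widen the pattern. The delete a few lines later already compares `value` with `=?` against the full `$hash`, which suggests the stored value is the whole check.expire.user string; if so, the select should use the same exact match — replace `like ?` with `=?` and bind `$hash` instead of `"$check.%"`. If a prefix match is really needed, reject the cookie before querying unless `ctype_xdigit($check) && strlen($check) == 32`. Separately, the token from `get_cookie_check` is `md5(session_id() . uniqid(mt_rand(), true))`, which is not a cryptographic random source; on a PHP version that has `random_bytes()` it should be derived from that instead. The closing brace of `get_user_by_cookie` lies outside the hunk.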
......@@ -136,7 +136,7 @@ function cookie_check($params) {
$logslib->add_log('intertiki',$msg.' from '.$prefs['known_hosts'][$key]['name'],$login);
return new XML_RPC_Response(0, 101, $msg);
}
$result = $userlib->get_user_by_cookie($hash,true);
$result = $userlib->get_user_by_cookie($hash);
// $fp=fopen('temp/interlogtest','a+');fputs($fp,"main -- ".$hash."\n");fclose($fp);
if ($result) {
return new XML_RPC_Response(new XML_RPC_Value($result, "string"));
......
......@@ -86,7 +86,6 @@
</div>
<div id="remembermeoptions" style="clear:both;margin-left:2.5em;display:{if $prefs.rememberme eq 'disabled'}none{else}block{/if}">
{preference name=remembermethod}
{preference name=remembertime}
</div>
......